ClamAv virus whitelist

w_bufffet
Posts: 12
Joined: 27 Mar 2016 15:32

ClamAv virus whitelist

Post by w_bufffet »

Hi,
We are getting a message with signature: MBL_575906.UNOFFICIAL which does not have a virus in it; it's a wrong detection.
How does one stop EFA from blocking such a message?
I tried https://www.clamav.net/documents/how-do ... -signature but it caused messages to start looping in and out of the EFA server.

thanks
W
danield@racmtg.com
Posts: 5
Joined: 10 Jan 2017 17:52

Re: ClamAv virus whitelist

Post by danield@racmtg.com »

I'm having the same issue. I wonder is there a way to set the virus flagged emails to be released like the other spam flagged emails?

Somebody Help us!
w_bufffet
Posts: 12
Joined: 27 Mar 2016 15:32

Re: ClamAv virus whitelist

Post by w_bufffet »

Can anyone help, please?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ClamAv virus whitelist

Post by shawniverson »

echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart
w_bufffet
Posts: 12
Joined: 27 Mar 2016 15:32

Re: ClamAv virus whitelist

Post by w_bufffet »

echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart
Does not work, I tried that in the first place. This causes the same message to be received over and over again (without virus warning).
It happens after creating the whitelist.ign2 file and rebooting (just restarting the clam daemon does not solve the detection at all - only rebooting).
So to be clear - doing what you suggested did not solve the issue (the email still gets flagged as virus). Once I reboot, the message is not shown as virus, but keeps on appearing over and over again in "recent messages" and does not get delivered to our mail server.

thanks for any help.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ClamAv virus whitelist

Post by shawniverson »

So, it sounds like clamd is failing after the addition of the whitelist.

What you are describing is a loop, most likely because clamd didn't start. Anything in the system log to indicate why this is happening?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ClamAv virus whitelist

Post by shawniverson »

testing a system now...
onestone
Posts: 9
Joined: 24 Oct 2016 20:35

Re: ClamAv virus whitelist

Post by onestone »

hey guys,

any update on this? when we edit the whitelist.ign2 and restart our efa is very unhappy about this :(
mails are still getting through but within mailwatch without any spam/virus check.
after deleting the new entries in whitelist.ign2 we rebooted the box and everything was fine again...

BR
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ClamAv virus whitelist

Post by shawniverson »

I tested this, and I am having no issues. So, I am wondering maybe if you have a permissions issue.

What if you set whitelist.ign2 user and group to clam?
onestone
Posts: 9
Joined: 24 Oct 2016 20:35

Re: ClamAv virus whitelist

Post by onestone »

Those files are on the system

-rw-r--r-- 1 root root 6.6K Oct  6  2016 /usr/unofficial-dbs/ss-dbs/sigwhitelist.ign2
-rw-r--r-- 1 root root 27 Mar 30 20:13 /var/lib/clamav/pit-whitelist.ign2
-rw-r--r-- 1 clam clam 7.3K Apr  6 12:01 /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
What about the .sig files - I think I need to generate a checksum so clamav does not think its whitelist is getting hacked?

br
onestone
Posts: 9
Joined: 24 Oct 2016 20:35

Re: ClamAv virus whitelist

Post by onestone »

update from my side:

it was only the file rights, a simple

chown clam.clam *.ign2

did the trick
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: ClamAv virus whitelist

Post by pdwalker »

Thanks for the follow up.
markov
Posts: 7
Joined: 12 Apr 2018 08:35

Re: ClamAv virus whitelist

Post by markov »

hey guys,

after new year I get a lot of false positives from ClamAV with this signature "MBL_22685397.UNOFFICIAL".
I put this in whitelist.ign2 as you suggested:
echo "MBL_22685397.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
I also changed the permissions on the file:
chown clam:clam /var/lib/clamav/whitelist.ign2
and restarted the service:
sudo service clamd restart

I also tried restarting the whole server, but mails are still reported (false positive) as "Virus (MBL_22685397.UNOFFICIAL)" and deleted.

Please help. I'm pulling my hair here ...
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: ClamAv virus whitelist

Post by shawniverson »

It might be the location of your whitelist that is a problem. Are the unofficial sigs in the same directory as your whitelist?
markov
Posts: 7
Joined: 12 Apr 2018 08:35

Re: ClamAv virus whitelist

Post by markov »

Yes, you are right ...

I found this to correctly whitelist MBL.x signatures ...

you run:
/usr/bin/clamav-unofficial-sigs.sh -w

and you get:
################################################################################
eXtremeSHOK.com ClamAV Unofficial Signature Updater
Version: v5.6.2 (2017-03-19)
Required Configuration Version: v72
Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
################################################################################
=======================================================
Loading config: /etc/clamav-unofficial-sigs/master.conf
=======================================================
===================================================
Loading config: /etc/clamav-unofficial-sigs/os.conf
===================================================
=====================================================
Loading config: /etc/clamav-unofficial-sigs/user.conf
=====================================================

Input a third-party signature name that you wish to whitelist due to false-positives
and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote
marks to the input string):

you paste the signature that you would like to whitelist, without ".UNOFFICIAL" ...
MBL_22685397

and get answer:
=======================================================
No updates detected, ClamAV databases were not reloaded
=======================================================
Signature 'MBL_22685397' has been added to my-whitelist.ign2 and
all databases have been reloaded. The script will track any changes
to the offending signature and will automatically remove it if the
signature is modified or removed from the third-party database.

The /usr/bin/clamav-unofficial-sigs.sh -w script creates two new files:
/var/lib/clamav/my-whitelist.ign2
/var/lib/clamav-unofficial-sigs/configs/my-whitelist.ign2

and inside is the new signature that is whitelisted. If you have more signatures to add, just run this command again: "/usr/bin/clamav-unofficial-sigs.sh -w"

This is it. Thanks for putting me in the right direction.
Post Reply
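What the thread settled on (ownership by the scanner's user, names stored without the .UNOFFICIAL suffix), plus appending instead of overwriting the file, as an added example that is not part of any forum post. The function names and the owner argument are assumptions; the demo runs on a constructed temp file, not on /var/lib/clamav.

```shell
#!/bin/sh
# Added example: helpers for maintaining a ClamAV .ign2 ignore list.

# Scan reports show third-party signatures as NAME.UNOFFICIAL; the .ign2
# entry is the bare NAME (as the clamav-unofficial-sigs prompt states).
normalize_sig() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Append a signature to FILE. Unlike `tee` without -a this keeps existing
# entries, and it skips names that are already listed.
add_ign2() {
    file=$1
    sig=$(normalize_sig "$2")
    [ -n "$sig" ] || return 2
    touch "$file" || return 1
    grep -qxF -- "$sig" "$file" || printf '%s\n' "$sig" >> "$file"
}

# Check FILE for the two problems seen in the thread: an owner other than
# WANT_OWNER, and entries that still carry the .UNOFFICIAL suffix.
# Prints one finding per line; the return status is the number of findings.
lint_ign2() {
    file=$1 want_owner=$2 findings=0
    owner=$(ls -ld -- "$file" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"
        findings=$((findings + 1))
    fi
    while IFS= read -r line; do
        case $line in
            *.UNOFFICIAL)
                echo "entry has .UNOFFICIAL suffix: $line"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# Demo on a constructed temp file, owned by whoever runs the script.
demo=$(mktemp)
add_ign2 "$demo" "MBL_575906.UNOFFICIAL"
add_ign2 "$demo" "MBL_22685397"
me=$(ls -ld -- "$demo" | awk '{print $3}')
lint_ign2 "$demo" "$me" && echo "ign2 ok: $(tr '\n' ' ' < "$demo")"
rm -f "$demo"
```

On an EFA box the owner argument would be the account clamd runs as (clam in this thread), and the databases still have to be reloaded after the file changes.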