ClamAv virus whitelist

Posted: 09 Feb 2017 14:07
by w_bufffet
Hi,
We are getting a message with signature: MBL_575906.UNOFFICIAL which does not have a virus in it, it's a wrong detection.
How does one stop EFA from blocking such message?
I tried https://www.clamav.net/documents/how-do ... -signature but it causes messages to start looping in and out of the EFA server.

thanks
W

Re: ClamAv virus whitelist

Posted: 10 Feb 2017 19:09
by danield@racmtg.com
I'm having the same issue. I wonder is there a way to set the virus flagged emails to be released like the other spam flagged emails?

Somebody Help us!

Re: ClamAv virus whitelist

Posted: 19 Feb 2017 18:59
by w_bufffet
anyone can help please?

Re: ClamAv virus whitelist

Posted: 19 Feb 2017 19:04
by shawniverson

Code:

echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart

Re: ClamAv virus whitelist

Posted: 19 Feb 2017 19:38
by w_bufffet
echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart
Does not work, I tried that in the first place. This causes the same message to be received over and over again (without virus warning).
It happens after creating the whitelist.ign2 file and rebooting (just restarting the clam daemon does not solve the detection at all - only rebooting).
So to be clear - doing what you suggested did not solve the issue (the email still gets flagged as virus). Once I reboot, the message is not shown as virus, but keeps on appearing over and over again in "recent messages" and does not get delivered to our mail server.

thanks for any help.

Re: ClamAv virus whitelist

Posted: 20 Feb 2017 21:06
by shawniverson
So, it sounds like clamd is failing after the addition of the whitelist.

What you are describing is a loop, most likely because clamd didn't start. Anything in the system log to indicate why this is happening?

Re: ClamAv virus whitelist

Posted: 20 Feb 2017 22:30
by shawniverson
testing a system now...

Re: ClamAv virus whitelist

Posted: 04 May 2017 12:06
by onestone
hey guys,

any update on this? when we edit the whitelist.ign2 and restart our efa is very unhappy about this :(
mails are still getting through but within mailwatch without any spam/virus check.
after deleting the new entries in whitelist.ign2 we rebooted the box and everything was fine again...

BR

Re: ClamAv virus whitelist

Posted: 04 May 2017 22:53
by shawniverson
I tested this, and I am having no issues. So, I am wondering maybe if you have a permissions issue.

What if you set whitelist.ign2 user and group to clam?

Re: ClamAv virus whitelist

Posted: 09 May 2017 04:38
by onestone
Those files are on the system

Code:

-rw-r--r-- 1 root root 6.6K Oct  6  2016 /usr/unofficial-dbs/ss-dbs/sigwhitelist.ign2
-rw-r--r-- 1 root root 27 Mar 30 20:13 /var/lib/clamav/pit-whitelist.ign2
-rw-r--r-- 1 clam clam 7.3K Apr  6 12:01 /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2

what about the .sig files - I think I need to generate a checksum so clamav does not think he is getting hacked its whitelist?

br

Re: ClamAv virus whitelist

Posted: 10 May 2017 12:53
by onestone
update from my side:

was only the file rights, after a simple

chown clam.clam *.ign2

did the trick

Re: ClamAv virus whitelist

Posted: 10 May 2017 14:27
by pdwalker
Thanks for the follow up.

Re: ClamAv virus whitelist

Posted: 15 Feb 2019 11:59
by markov
hey guys,

after new year I get a lot of false positives from ClamAV with this signature "MBL_22685397.UNOFFICIAL".
I put this in whitelist.ign2 as you suggested:
echo "MBL_22685397.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
I also change permissions to file:
chown clam:clam /var/lib/clamav/whitelist.ign2
and restart service:
sudo service clamd restart

I also try to restart whole server, but mails are still reported (false positive) as "Virus (MBL_22685397.UNOFFICIAL)" and deleted.

Please help. I'm pulling my hair here ...

Re: ClamAv virus whitelist

Posted: 16 Feb 2019 12:56
by shawniverson
It might be the location of your whitelist that is a problem. Are the unofficial sigs in the same directory as your whitelist?

Re: ClamAv virus whitelist

Posted: 18 Feb 2019 09:09
by markov
Yes, you are right ...

I found this to correctly whitelist MBL.x signatures ...

you run:
/usr/bin/clamav-unofficial-sigs.sh -w

and you get:
################################################################################
eXtremeSHOK.com ClamAV Unofficial Signature Updater
Version: v5.6.2 (2017-03-19)
Required Configuration Version: v72
Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
################################################################################
=======================================================
Loading config: /etc/clamav-unofficial-sigs/master.conf
=======================================================
===================================================
Loading config: /etc/clamav-unofficial-sigs/os.conf
===================================================
=====================================================
Loading config: /etc/clamav-unofficial-sigs/user.conf
=====================================================

Input a third-party signature name that you wish to whitelist due to false-positives
and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote
marks to the input string):

you paste signature that you like to whitelist without ".UNOFFICIAL" ...
MBL_22685397

and get answer:
=======================================================
No updates detected, ClamAV databases were not reloaded
=======================================================
Signature 'MBL_22685397' has been added to my-whitelist.ign2 and
all databases have been reloaded. The script will track any changes
to the offending signature and will automatically remove it if the
signature is modified or removed from the third-party database.

The /usr/bin/clamav-unofficial-sigs.sh -w script creates two new files.
/var/lib/clamav/my-whitelist.ign2
/var/lib/clamav-unofficial-sigs/configs/my-whitelist.ign2

and inside is new signature that is whitelisted. If you have more signatures to add just run again this command "/usr/bin/clamav-unofficial-sigs.sh -w"

This is it. Thanks for putting me in the right direction.
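
The causes found in this thread (an .ign2 file not owned by the clam user, a whitelist outside the directory that holds the signatures, and entries that carry the ".UNOFFICIAL" suffix) can be checked before clamd is restarted. The script below is an added example, not code from any poster or from the EFA project; the function name audit_ign2 is hypothetical, and the directory and owner are arguments (the posts above use /var/lib/clamav and clam).

```sh
#!/bin/sh
# Added example: audit ClamAV *.ign2 ignore lists before restarting clamd.
# audit_ign2 is a hypothetical helper name; DIR and OWNER are assumptions
# taken from the thread (/var/lib/clamav, clam).
# Usage: audit_ign2 /var/lib/clamav clam

# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_ign2() {
    dir=$1; owner=$2; findings=0
    for f in "$dir"/*.ign2; do
        # Unexpanded glob: no ignore list sits next to the databases.
        [ -e "$f" ] || { echo "NONE: no .ign2 files in $dir"; return 1; }

        # The thread's first fix: the file was root-owned until chown.
        actual=$(ls -ld "$f" | awk '{print $3}')
        if [ "$actual" != "$owner" ]; then
            echo "OWNER: $f is owned by $actual, expected $owner"
            findings=$((findings + 1))
        fi

        # The updater's -w prompt says not to include '.UNOFFICIAL',
        # so flag any entry that still carries the suffix.
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                *.UNOFFICIAL)
                    echo "SUFFIX: $f: '$line' should be '${line%.UNOFFICIAL}'"
                    findings=$((findings + 1)) ;;
            esac
        done < "$f"
    done
    [ "$findings" -eq 0 ]
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_ign2 "$1" "$2"
fi
```

A non-zero exit status means at least one finding was printed, so the audit can gate a clamd restart in a deployment script.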