clamav-users January 2014 archive

Re: [clamav-users] File exclusion

From: David Raynor <draynor_at_nospam>
Date: Mon Jan 20 2014 - 23:52:50 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>

On Mon, Jan 20, 2014 at 4:59 PM, Charles Swiger <cswiger@mac.com> wrote:

> Hi--
>
> On Jan 20, 2014, at 1:14 PM, Anthony Magrone <anthonymagrone@hamlinandburton.com> wrote:
> > ClamAV is tagging a legitimate email stored on a file server as
> > containing a phishing address. Can this file be excluded from scans, or
> > tagged as legitimate?
>
> Yes; one can set up paths (or extensions) via ExcludePath directive in
> clamd.conf. Or you might disable PhishingScanURLs.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>

There are 3 ways you can address this on your server, depending on what you
think the best choice is.

(1) Skip the file
Details: Add an ExcludePath line in clamd.conf to skip the file.
Example row:
ExcludePath /usr/home/ksoze/legitfile.mbx

(2) Whitelist the file
Details: Add a "local.fp" file in your signature database with a row to
ignore the specific file by its hash. Details are in Section 3.8 of the
signatures.pdf document for ClamAV.
Example row:
Ksoze-Legit-File:MD5-of-the-file

(3) Whitelist that combination of actual domain and displayed domain
Details: Add a "local.wdb" file in your signature database with a row to
whitelist the specific URL/text combination. Details are in Section 1.3 of
the phishsigs_howto.pdf document for ClamAV.
Example row:
M:RealDomain:DisplayedDomain

There are more options. For example, turning phishing scans off or deleting
the file are other valid but extreme methods.

Hope this helps,

Dave R.

--
Dave Raynor
Vulnerability Research Team
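
An added example, not part of the original message and not ClamAV project code: for option (2), it builds a local.fp row and checks whether a stored row still matches the file, because a hash-based whitelist entry stops applying once a mailbox file changes. It assumes the MD5:Size:Name layout that `sigtool --md5` prints; the function names and the sample mailbox are constructed for illustration.

```python
import hashlib
import os
import tempfile


def fp_row(path, name=None):
    """Build a local.fp row as MD5:Size:Name (assumed layout, the one
    `sigtool --md5` prints)."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    # Fields are colon-separated, so keep ':' and spaces out of the label.
    label = (name or os.path.basename(path)).replace(":", "_").replace(" ", "_")
    return f"{digest.hexdigest()}:{size}:{label}"


def row_still_matches(row, path):
    """True if the file on disk still has the hash and size recorded in row."""
    md5_hex, size, _label = row.strip().split(":", 2)
    current_md5, current_size, _ = fp_row(path).split(":", 2)
    return current_md5 == md5_hex.lower() and current_size == size


def demo():
    # Constructed sample mailbox content, not taken from the thread.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "legitfile.mbx")
        with open(path, "wb") as fh:
            fh.write(b"From ksoze@example.com\nSubject: invoice\n\nhello\n")
        row = fp_row(path, "Ksoze-Legit-File")
        before = row_still_matches(row, path)
        with open(path, "ab") as fh:  # a new message arrives in the mailbox
            fh.write(b"From other@example.com\n\nnew mail\n")
        after = row_still_matches(row, path)
        return row, before, after


if __name__ == "__main__":
    print(demo())
```

If the mailbox keeps receiving mail, the row has to be regenerated after each change, which is one reason to weigh options (1) and (3) for files that are not static.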