|Main Archive Page > Month Archives > clamav-users archives|
On Mon, Jan 20, 2014 at 4:59 PM, Charles Swiger <firstname.lastname@example.org> wrote:
> On Jan 20, 2014, at 1:14 PM, Anthony Magrone <
> email@example.com> wrote:
> > ClamAV is tagging a legitimate email stored on a file server as
> containing a phishing address. Can this file be excluded from scans, or
> tagged as legitimate?
> Yes; one can setup paths (or extensions) via ExcludePath directive in
> clamd.conf. Or you might disable PhishingScanURLs.
> Help us build a comprehensive ClamAV guide:
There are 3 ways you can address this on your server, depending on what you
think the best choice is.
(1) Skip the file
Details: Add an ExcludePath line in clamd.conf to skip the file.
(2) Whitelist the file
Details: Add a "local.fp" file in your signature database with a row to
ignore the specific file by its hash. Details are in Section 3.8 of the
signatures.pdf document for ClamAV.
(3) Whitelist that combination of actual domain and displayed domain
Details: Add a "local.wdb" file in your signature database with a row to
whitelist the specific URL/text combination. Details are in Section 1.3 of
the phishsigs_howto.pdf document for ClamAV.
There are more options. For example, turning phishing scans off or deleting
the file are other valid but extreme methods.
Hope this helps,
-- --- Dave Raynor Vulnerability Research Team _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml