[clamav-users] whitelist with clamav-milter

Ted Hatfield ted at io-tx.com
Wed Sep 26 22:34:05 UTC 2018


On Wed, 26 Sep 2018, Jerry wrote:

> On Wed, 26 Sep 2018 14:29:25 -0500 (CDT), Ted Hatfield stated:
>> On Wed, 26 Sep 2018, Jerry wrote:
>>
>>> I am running clamav version 0.100.1 on a FreeBSD 11.2 / amd64 machine. I
>>> also have the clamav-milter installed. My problem is that even though I am
>>> trying to whitelist some addresses, they get marked as Spam.
>>>
>>> This is an example of one such address: ? Puritan's Pride
>>> <puritanspride at e.puritan.com>
>>>
>>> I entered this into the white list file: From:puritanspride at e.puritan.com
>>>
>>> I then restarted the milter. Unfortunately, the email is still marked as
>>> Spam. I thought that clamav-milter would simply ignore the file.
>>>
>>> X-Virus-Status: Infected (SecuriteInfo.com.Spam-4701.UNOFFICIAL)
>>> X-Virus-Scanned: clamav-milter 0.100.1 at scorpio.seibercom.net
>>>
>>> This is the output from "clamconf"
>>>
>>> Checking configuration files in /usr/local/etc
>>>
>>> Config file: clamd.conf
>>> -----------------------
>>> BlockMax disabled
>>> PreludeEnable disabled
>>> PreludeAnalyzerName disabled
>>> LogFile = "/var/log/clamav/clamd.log"
>>> LogFileUnlock disabled
>>> LogFileMaxSize = "1048576"
>>> LogTime disabled
>>> LogClean disabled
>>> LogSyslog disabled
>>> LogFacility = "LOG_LOCAL6"
>>> LogVerbose disabled
>>> LogRotate = "yes"
>>> ExtendedDetectionInfo disabled
>>> PidFile = "/var/run/clamav/clamd.pid"
>>> TemporaryDirectory disabled
>>> DatabaseDirectory = "/var/db/clamav"
>>> OfficialDatabaseOnly disabled
>>> LocalSocket = "/var/run/clamav/clamd.sock"
>>> LocalSocketGroup disabled
>>> LocalSocketMode disabled
>>> FixStaleSocket = "yes"
>>> TCPSocket disabled
>>> TCPAddr disabled
>>> MaxConnectionQueueLength = "200"
>>> StreamMaxLength = "26214400"
>>> StreamMinPort = "1024"
>>> StreamMaxPort = "2048"
>>> MaxThreads = "10"
>>> ReadTimeout = "120"
>>> CommandReadTimeout = "5"
>>> SendBufTimeout = "500"
>>> MaxQueue = "100"
>>> IdleTimeout = "30"
>>> ExcludePath disabled
>>> MaxDirectoryRecursion = "15"
>>> FollowDirectorySymlinks disabled
>>> FollowFileSymlinks disabled
>>> CrossFilesystems = "yes"
>>> SelfCheck = "600"
>>> DisableCache disabled
>>> VirusEvent disabled
>>> ExitOnOOM disabled
>>> AllowAllMatchScan = "yes"
>>> Foreground disabled
>>> Debug disabled
>>> LeaveTemporaryFiles disabled
>>> User = "clamav"
>>> Bytecode = "yes"
>>> BytecodeSecurity = "TrustSigned"
>>> BytecodeTimeout = "5000"
>>> BytecodeUnsigned disabled
>>> BytecodeMode = "Auto"
>>> DetectPUA disabled
>>> ExcludePUA disabled
>>> IncludePUA disabled
>>> AlgorithmicDetection = "yes"
>>> ScanPE = "yes"
>>> ScanELF = "yes"
>>> DetectBrokenExecutables disabled
>>> ScanMail = "yes"
>>> ScanPartialMessages disabled
>>> PhishingSignatures = "yes"
>>> PhishingScanURLs = "yes"
>>> PhishingAlwaysBlockCloak disabled
>>> PhishingAlwaysBlockSSLMismatch disabled
>>> PartitionIntersection disabled
>>> HeuristicScanPrecedence disabled
>>> StructuredDataDetection disabled
>>> StructuredMinCreditCardCount = "3"
>>> StructuredMinSSNCount = "3"
>>> StructuredSSNFormatNormal = "yes"
>>> StructuredSSNFormatStripped disabled
>>> ScanHTML = "yes"
>>> ScanOLE2 = "yes"
>>> OLE2BlockMacros disabled
>>> ScanPDF = "yes"
>>> ScanSWF = "yes"
>>> ScanXMLDOCS = "yes"
>>> ScanHWP3 = "yes"
>>> ScanArchive = "yes"
>>> ArchiveBlockEncrypted disabled
>>> ForceToDisk disabled
>>> MaxScanSize = "104857600"
>>> MaxFileSize = "26214400"
>>> MaxRecursion = "16"
>>> MaxFiles = "10000"
>>> MaxEmbeddedPE = "10485760"
>>> MaxHTMLNormalize = "10485760"
>>> MaxHTMLNoTags = "2097152"
>>> MaxScriptNormalize = "5242880"
>>> MaxZipTypeRcg = "1048576"
>>> MaxPartitions = "50"
>>> MaxIconsPE = "100"
>>> MaxRecHWP3 = "16"
>>> PCREMatchLimit = "100000"
>>> PCRERecMatchLimit = "5000"
>>> PCREMaxFileSize = "26214400"
>>> ScanOnAccess disabled
>>> OnAccessMountPath disabled
>>> OnAccessIncludePath disabled
>>> OnAccessExcludePath disabled
>>> OnAccessExcludeRootUID disabled
>>> OnAccessExcludeUID disabled
>>> OnAccessMaxFileSize = "5242880"
>>> OnAccessDisableDDD disabled
>>> OnAccessPrevention disabled
>>> OnAccessExtraScanning disabled
>>> DevACOnly disabled
>>> DevACDepth disabled
>>> DevPerformance disabled
>>> DevLiblog disabled
>>> DisableCertCheck disabled
>>>
>>> Config file: freshclam.conf
>>> ---------------------------
>>> LogFileMaxSize = "2097152"
>>> LogTime disabled
>>> LogSyslog disabled
>>> LogFacility = "LOG_LOCAL6"
>>> LogVerbose disabled
>>> LogRotate = "yes"
>>> PidFile = "/var/run/clamav/freshclam.pid"
>>> DatabaseDirectory = "/var/db/clamav"
>>> Foreground disabled
>>> Debug disabled
>>> UpdateLogFile = "/var/log/clamav/freshclam.log"
>>> DatabaseOwner = "clamav"
>>> Checks = "24"
>>> DNSDatabaseInfo = "current.cvd.clamav.net"
>>> DatabaseMirror = "db.US.clamav.net", "database.clamav.net"
>>> PrivateMirror disabled
>>> MaxAttempts = "3"
>>> ScriptedUpdates = "yes"
>>> TestDatabases = "yes"
>>> CompressLocalDatabase disabled
>>> ExtraDatabase disabled
>>> DatabaseCustomURL disabled
>>> HTTPProxyServer disabled
>>> HTTPProxyPort disabled
>>> HTTPProxyUsername disabled
>>> HTTPProxyPassword disabled
>>> HTTPUserAgent disabled
>>> NotifyClamd = "/usr/local/etc/clamd.conf"
>>> OnUpdateExecute disabled
>>> OnErrorExecute disabled
>>> OnOutdatedExecute disabled
>>> LocalIPAddress disabled
>>> ConnectTimeout = "30"
>>> ReceiveTimeout = "30"
>>> SafeBrowsing = "yes"
>>> Bytecode = "yes"
>>>
>>> Config file: clamav-milter.conf
>>> -------------------------------
>>> LogFile = "/var/log/clamav/clamav-milter.log"
>>> LogFileUnlock disabled
>>> LogFileMaxSize = "2097152"
>>> LogTime = "yes"
>>> LogSyslog disabled
>>> LogFacility = "LOG_LOCAL6"
>>> LogVerbose disabled
>>> LogRotate = "yes"
>>> PidFile = "/var/run/clamav/clamav-milter.pid"
>>> TemporaryDirectory disabled
>>> FixStaleSocket = "yes"
>>> MaxThreads = "10"
>>> ReadTimeout = "120"
>>> Foreground disabled
>>> User = "clamav"
>>> MaxFileSize = "26214400"
>>> ClamdSocket = "unix:/var/run/clamav/clamd.sock"
>>> MilterSocket = "/var/run/clamav/clmilter.sock"
>>> MilterSocketGroup disabled
>>> MilterSocketMode disabled
>>> LocalNet = "192.168.0.101/32", "192.168.0.192/32"
>>> OnClean = "Accept"
>>> OnInfected = "Accept"
>>> OnFail = "Defer"
>>> RejectMsg disabled
>>> AddHeader = "Add"
>>> ReportHostname disabled
>>> VirusAction disabled
>>> Chroot disabled
>>> Whitelist = "/usr/local/etc/whitelisted_addresses.txt"
>>> SkipAuthenticated = "file:/usr/local/etc/clamav_exclusions.txt"
>>> LogInfected = "basic"
>>> LogClean disabled
>>> SupportMultipleRecipients = "yes"
>>>
>>> Software settings
>>> -----------------
>>> Version: 0.100.1
>>> Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2
>>> LIBXML2 PCRE JSON RAR
>>>
>>> Database information
>>> --------------------
>>> Database directory: /var/db/clamav
>>> [3rd Party] EK_Zeus.yar: 28 sigs
>>> [3rd Party] foxhole_mail.cdb: 23 sigs
>>> [3rd Party] securiteinfopdf.hdb: 3367 sigs
>>> [3rd Party] foxhole_generic.cdb: 211 sigs
>>> [3rd Party] EK_Crimepack.yar: 49 sigs
>>> [3rd Party] CVE-2010-1297.yar: 15 sigs
>>> [3rd Party] spearl.ndb: 150 sigs
>>> [3rd Party] foxhole_all.cdb: 145 sigs
>>> [3rd Party] spamimg.hdb: 184 sigs
>>> daily.cld: version 24983, sigs: 2100133, built on Tue Sep 25 22:39:15 2018
>>> [3rd Party] spear.ndb: 15009 sigs
>>> [3rd Party] spamattach.hdb: 14 sigs
>>> [3rd Party] winnow.attachments.hdb: 182 sigs
>>> [3rd Party] Maldoc_Hidden_PE_file.yar: 23 sigs
>>> [3rd Party] malware.expert.hdb: 388 sigs
>>> [3rd Party] winnow.complex.patterns.ldb: 3 sigs
>>> [3rd Party] porcupine.ndb: 4012 sigs
>>> [3rd Party] winnow_phish_complete.ndb: 9320 sigs
>>> [3rd Party] phishtank.ndb: 27161 sigs
>>> [3rd Party] scam.ndb: 12501 sigs
>>> [3rd Party] EK_ZeroAcces.yar: 211 sigs
>>> [3rd Party] foxhole_js.ndb: 4 sigs
>>> [3rd Party] securiteinfohtml.hdb: 54089 sigs
>>> [3rd Party] MiscreantPunch099-INFO-Low.ldb: 21 sigs
>>> [3rd Party] jurlbl.ndb: 17854 sigs
>>> [3rd Party] lott.ndb: 2335 sigs
>>> [3rd Party] rfxn.hdb: 12674 sigs
>>> [3rd Party] EK_Fragus.yar: 210 sigs
>>> main.cvd: version 58, sigs: 4566249, built on Wed Jun  7 17:38:10 2017
>>> [3rd Party] winnow_spam_complete.ndb: 931 sigs
>>> [3rd Party] phish.ndb: 27425 sigs
>>> [3rd Party] winnow_malware_links.ndb: 4623 sigs
>>> [3rd Party] CVE-2013-0074.yar: 17 sigs
>>> [3rd Party] sanesecurity.ftm: 170 sigs
>>> [3rd Party] securiteinfoold.hdb: 2213713 sigs
>>> [3rd Party] jurlbla.ndb: 1682 sigs
>>> [3rd Party] CVE-2010-0887.yar: 21 sigs
>>> [3rd Party] foxhole_filename.cdb: 1971 sigs
>>> [3rd Party] EK_Blackhole.yar: 453 sigs
>>> [3rd Party] EK_Phoenix.yar: 483 sigs
>>> [3rd Party] spam_marketing.ndb: 23032 sigs
>>> [3rd Party] securiteinfoandroid.hdb: 99086 sigs
>>> [3rd Party] bofhland_malware_attach.hdb: 1835 sigs
>>> [3rd Party] Sanesecurity_spam.yara: 46 sigs
>>> [3rd Party] winnow_extended_malware_links.ndb: 1 sig
>>> bytecode.cvd: version 327, sigs: 91, built on Wed Aug  8 20:43:48 2018
>>> [3rd Party] winnow_malware.hdb: 293 sigs
>>> [3rd Party] CVE-2015-5119.yar: 22 sigs
>>> [3rd Party] malwarepatrol.ndb: 0 sig
>>> [3rd Party] EK_BleedingLife.yar: 112 sigs
>>> [3rd Party] foxhole_js.cdb: 48 sigs
>>> [3rd Party] malware.expert.ndb: 855 sigs
>>> [3rd Party] winnow_extended_malware.hdb: 245 sigs
>>> [3rd Party] spam.ldb: 2 sigs
>>> [3rd Party] porcupine.hsb: 873 sigs
>>> [3rd Party] maldoc_somerules.yar: 283 sigs
>>> [3rd Party] securiteinfo.hdb: 1377783 sigs
>>> [3rd Party] rfxn.ndb: 2034 sigs
>>> [3rd Party] foxhole_all.ndb: 101 sigs
>>> [3rd Party] EK_Eleonore.yar: 165 sigs
>>> [3rd Party] scamnailer.ndb: 50995 sigs
>>> [3rd Party] shelter.ldb: 15 sigs
>>> [3rd Party] blurl.ndb: 108974 sigs
>>> [3rd Party] CVE-2013-0422.yar: 21 sigs
>>> [3rd Party] javascript.ndb: 44092 sigs
>>> [3rd Party] securiteinfoascii.hdb: 98180 sigs
>>> [3rd Party] rogue.hdb: 6761 sigs
>>> [3rd Party] malwarehash.hsb: 771 sigs
>>> [3rd Party] malware.expert.ldb: 142 sigs
>>> [3rd Party] MiscreantPunch099-Low.ldb: 1208 sigs
>>> [3rd Party] EK_Angler.yar: 283 sigs
>>> [3rd Party] Javascript_exploit_and_obfuscation.yar: 59 sigs
>>> safebrowsing.cld: version 47916, sigs: 2840247, built on Wed Sep 26 00:56:14 2018
>>> [3rd Party] bofhland_cracked_URL.ndb: 24 sigs
>>> [3rd Party] Sanesecurity_sigtest.yara: 54 sigs
>>> [3rd Party] badmacro.ndb: 501 sigs
>>> [3rd Party] bofhland_phishing_URL.ndb: 186 sigs
>>> [3rd Party] winnow_bad_cw.hdb: 1 sig
>>> [3rd Party] bofhland_malware_URL.ndb: 60 sigs
>>> [3rd Party] CVE-2010-0805.yar: 14 sigs
>>> [3rd Party] hackingteam.hsb: 435 sigs
>>> [3rd Party] EK_Sakura.yar: 62 sigs
>>> [3rd Party] crypto.yar: 1 sig
>>> [3rd Party] malware.expert.fp: 42 sigs
>>> [3rd Party] EK_Zerox88.yar: 55 sigs
>>> Total number of signatures: 13738144
>>>
>>> Platform information
>>> --------------------
>>> uname: FreeBSD 11.2-RELEASE-p3 FreeBSD 11.2-RELEASE-p3 #0: Thu Sep  6 07:14:16 UTC 2018     roo amd64
>>> OS: freebsd11.2, ARCH: amd64, CPU: amd64
>>> zlib version: 1.2.11 (1.2.11), compile flags: a9
>>> platform id: 0x03235c5c0800000000040201
>>>
>>> Build information
>>> -----------------
>>> Clang: 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565) (4.2.1)
>>> CPPFLAGS: -I/usr/local/include
>>> CFLAGS: -O2 -pipe -march=core2  -fstack-protector -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
>>> CXXFLAGS: -O2 -pipe -march=core2 -fstack-protector -fno-strict-aliasing
>>> LDFLAGS: -lthr -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector
>>> Configure: '--libdir=/usr/local/lib' '--with-dbdir=/var/db/clamav'
>>> '--with-zlib=/usr' '--disable-clamuko' '--disable-clamav'
>>> '--enable-bigstack' '--enable-readdir_r' '--enable-gethostbyname_r'
>>> '--disable-dependency-tracking' '--disable-zlib-vcheck'
>>> '--enable-clamdtop' '--enable-xml' '--disable-experimental'
>>> '--without-iconv' '--enable-ipv6' '--with-libjson' '--enable-milter'
>>> '--with-pcre' '--disable-check' '--enable-unrar'
>>> '--with-sendmail=/usr/sbin/sendmail' '--prefix=/usr/local'
>>> '--localstatedir=/var' '--mandir=/usr/local/man' '--disable-silent-rules'
>>> '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2'
>>> 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe
>>> -march=core2  -fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -lthr
>>> -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS='
>>> 'CPPFLAGS=-I/usr/local/include' 'CPP=cpp'
>>> sizeof(void*) = 8
>>> Engine flevel: 92, dconf: 92
>>>
>>> If someone could tell me what I am doing incorrectly, I would appreciate
>>> it.
>>>
>>> --
>>> Jerry
>
>> Jerry,
>>
>> A quick google search comes up with this information from 2009.
>>
>>> Whitelisting is NOT based on the mail header fields (To:, From:) but on
>>> the "MAIL FROM" and "RCPT TO" SMTP commands.
>>
>> Is the "MAIL FROM" perhaps not the same as the From address?
>>
>> Look at the full headers of the message for the "envelope-from" address
>> and see if it matches.
>>
>> I run clamav-milter on a freebsd 11.2-stable machine and your
>> configuration looks good to me.
>>
>> Ted Hatfield
>
> I just checked the "clamav-milter.log" and noticed that all of the addresses
> are enclosed in < > symbols. Perhaps I should use them too. I will give it a
> try.
>
> -- 
> Jerry


I noted that you have set the following in the milter config:

OnClean = "Accept"
OnInfected = "Accept"

The possibility exists that the milter scans all messages, marks all 
messages, but handles the messages in different ways.

According to the docs you can set:

# - Accept
#   The message is accepted for delivery
# - Reject
#   Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
#   Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
#   Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
#   Like Accept but message is quarantined instead of being delivered
#

None of these says anything about what headers are added to the message.

X-Virus-Status: and X-Virus-Scanned: may be added to all of the messages 
regardless of how the milter is configured.

Ted Hatfield
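As an added illustration of the envelope-versus-header point made in this thread (this is example code, not ClamAV's or anyone's code from the list), the script below loads a whitelist file in the `From:address` form Jerry used and shows which entries match the header From: address versus the envelope sender recovered from Return-Path: or a Received: envelope-from clause. It assumes whitelist lines are From:/To:-prefixed regexes matched unanchored and case-insensitively, mirroring the format described in the clamav-milter.conf sample; the message, whitelist and bounce address are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header From: is the brand address, but the envelope sender
# (SMTP MAIL FROM, recorded here as envelope-from) is an ESP bounce address.
SAMPLE_MSG = """\
Received: from mta.example.net ([198.51.100.7]) by mx.example.org
\twith ESMTP id abc123 (envelope-from <bounce-12345@e.puritan.com>)
From: "Puritan's Pride" <puritanspride@e.puritan.com>
To: jerry@example.org
Subject: constructed sample

body
"""
# Constructed whitelist: the entry from the thread, plus one written for the bounce address.
WHITELIST = "From:puritanspride@e.puritan.com\nFrom:bounce-[0-9]+@e\\.puritan\\.com\n"

def load_whitelist(text):
    """Parse From:/To:-prefixed lines into (kind, case-insensitive regex) pairs."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            kind, _, pattern = line.partition(":")
            rules.append((kind.lower(), re.compile(pattern, re.IGNORECASE)))
    return rules

def envelope_sender(msg):
    """Recover MAIL FROM from Return-Path:, else from a Received: envelope-from clause."""
    if msg.get("Return-Path"):
        return parseaddr(msg["Return-Path"])[1]
    for received in msg.get_all("Received", []):
        m = re.search(r"envelope-from\s+<?([^>\s)]+)", received)
        if m:
            return m.group(1)
    return ""

def matching_rules(rules, address, kind="from"):
    """Patterns of the given kind that match the address (unanchored search)."""
    return [r.pattern for k, r in rules if k == kind and r.search(address)]

def diagnose(raw_msg, whitelist_text):
    """Show which rules fire on the header From: versus on the envelope sender."""
    msg = message_from_string(raw_msg)
    rules = load_whitelist(whitelist_text)
    header_from = parseaddr(msg.get("From", ""))[1]
    env_from = envelope_sender(msg)
    return {"header_from": header_from, "envelope_from": env_from,
            "header_matches": matching_rules(rules, header_from),
            "envelope_matches": matching_rules(rules, env_from)}
```

Run against a real message saved with full headers, an empty `envelope_matches` list alongside a non-empty `header_matches` list is the symptom described in this thread: the entry was written for the header address, while the milter only ever sees the envelope sender.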



