[clamav-users] Antispam with Clamav whitelist

Marcelo Leães marcelo at eth1.com.br
Tue Nov 26 00:37:05 UTC 2019


Macro detection appears to be experimental in MailCleaner. There is no 
configuration in the web interface that allows bypass or any other 
adjustment.

According to the logs, CLAMD rejects messages arriving with attached 
macros at the SMTP level.

Filtering Engine:
Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./1iZK2u-0006hg-Bs/vbaProject.bin
Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./1iZK2u-0006hg-Bs/QCE 2019 - v1.3.xlsm
Nov 25 16:29:18 antispam MailScanner[10768]: Infected message 1iZK2u-0006hg-Bs came from 209.85.167.170



---


On 25/11/2019 09:01 PM, Paul Kosinski via clamav-users wrote:
> Can "Mailcleaner" be configured to let the emails through with a
> warning appended if ClamAV finds a problem, rather than simply blocking
> them? That would perhaps be safer than simply letting them through.
> 
> For example, we use procmail and clamscan-procfilter.pl (which I
> modified a bit from the original) on our server to scan for viruses.
> This filter simply adds a header line to the email if ClamAV found a
> virus. Then a procmail rule blocks the email if there was a virus. In
> your case, you could allow the email (but leave the warning) if it came
> from your important sender (as determined by another procmail rule).
> 
> This might be a better approach as you would be informed if any emails
> came from your important sender that *do* contain an apparent virus
> (assuming hardly any do in fact contain possible viruses).
> 
> 
> On Mon, 25 Nov 2019 19:56:27 -0300
> Marcelo Leães via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
>> Of course I understand perfectly.
>> But salespeople use a lot of spreadsheets with macro automation.
>> 
>> I cannot impact the customer's business by blocking everything.
>> Some reliable senders need to stay released.
>> 
>> Just as every day I receive multiple emails from other destinations
>> with spreadsheets and doc files clearly meant to exploit vulnerabilities.
>> 
>> Is there an option to implement this whitelist?
>> 
>> 
>> ---
>> 
>> 
>> On 25/11/2019 07:47 PM, Paul Kosinski via clamav-users wrote:
>> > I don't think that *not* scanning email from certain senders is a
>> > good idea. You may trust the person, but that doesn't mean you
>> > should trust their computer, or, for that matter, the relay
>> > computers which forward the email to you. (This is relevant since
>> > any TLS applies only to the individual hops -- it isn't usually
>> > end-to-end.)
>> >
>> > Think of it like diseases: you may fully trust your friends, but
>> > your friends could still pass on any colds or flu they might have
>> > before their symptoms become obvious.
>> >
>> >
>> > On Mon, 25 Nov 2019 17:39:00 -0300
>> > Marcelo Leães via clamav-users <clamav-users at lists.clamav.net>
>> > wrote:
>> >
>> >> I'm sorry for my English; I'm using a translator.
>> >>
>> >> I use an antispam solution called Mailcleaner that comes with
>> >> Clamav as antivirus to scan incoming emails.
>> >>
>> >> I need to block macros in received Word and Excel documents, but
>> >> some senders need to be released from this check.
>> >>
>> >> Is it possible to have an exception list so that no emails or
>> >> domains are verified, for example:
>> >>
>> >> user at domain.com
>> >> @ domain.net
>> >>
>> >> ?
>> >>
>> >>
>> >> ---
>> >>
>> >>
>> >> On 25/11/2019 05:10 PM, G.W. Haywood via clamav-users wrote:
>> >> > Hi there,
>> >> >
>> >> > On Mon, 25 Nov 2019, Marcelo Leães via clamav-users wrote:
>> >> >
>> >> >> I need to set up a whitelist with email addresses or wildcards
>> >> >> with domains that...
>> >> >
>> >> > Your requirements are unclear, please clarify.  Are you
>> >> > intending to use ClamAV only for scanning mail, and if so do you
>> >> > wish to prevent scanning for certain senders?  If so, then there
>> >> > are ways to do what you are asking, although I'm not sure that I
>> >> > would recommend it.
>> >> >
>> >> >> ... should not be verified by Clamav.
>> >> >
>> >> > I understand that you may not be writing in your first language.
>> >> >
>> >> > ClamAV does not 'verify' email addresses nor domains, but it can
>> >> > look into links which it finds in mail.  Again, I'm not sure
>> >> > that I would generally recommend that.
>> >> >
>> >> >> I couldn't find any documentation available, how should I
>> >> >> proceed?
>> >> >
>> >> > All the documentation is available on the ClamAV Website, and if
>> >> > you install ClamAV on a computer, much of it will be installed
>> >> > there too.
>> >> >
>> >> > --
>> >> >
>> >> > 73,
>> >> > Ged.

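The tag-then-decide approach suggested in the thread (scan everything, record the result in a header, then let a sender rule decide), sketched as an added example; it is not clamscan-procfilter.pl, a procmail recipe or MailCleaner code. The allowlist entries, the header name X-Virus-Status, the subject tag and the choice to waive only the macro heuristic are assumptions, and the envelope sender is assumed to have been authenticated upstream.

```python
import re
from email import message_from_string

# Constructed allowlist in the two forms asked about in the thread:
# a full address or an "@domain" wildcard (hypothetical values).
ALLOW = {"sales@partner.example", "@trusted.example"}
# Assumption: only the macro heuristic may be waived, never a signature hit.
WAIVABLE = {"Heuristics.OLE2.ContainsMacros"}
# Matches the MailScanner/clamd log format quoted in the thread.
LOG_RE = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::")

# Constructed sample input (message id, file name and sender are made up).
SAMPLE_LOG = (
    "Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: "
    "Heuristics.OLE2.ContainsMacros :: ./msg-0001/vbaProject.bin\n"
    "Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: "
    "Heuristics.OLE2.ContainsMacros :: ./msg-0001/report.xlsm\n"
)
SAMPLE_MSG = (
    "From: sales@partner.example\n"
    "X-Virus-Status: Clean\n"  # forged by the sender, must not survive
    "Subject: Price list\n\nSee attached spreadsheet.\n"
)

def verdicts(log_text):
    """Return the set of ClamAV detection names found in the log text."""
    return set(LOG_RE.findall(log_text))

def allowlisted(sender):
    """True if the address or its '@domain' part is on the allowlist."""
    sender = sender.strip().lower()
    return sender in ALLOW or sender[sender.rfind("@"):] in ALLOW

def apply_policy(raw_message, envelope_sender, found):
    """Tag the message with the scan result, then decide deliver/block."""
    msg = message_from_string(raw_message)
    del msg["X-Virus-Status"]  # drop any copy supplied by the sender
    if not found:
        msg["X-Virus-Status"] = "Clean"
        return "deliver", msg
    msg["X-Virus-Status"] = "Infected (%s)" % ", ".join(sorted(found))
    if found <= WAIVABLE and allowlisted(envelope_sender):
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "[MACRO WARNING] " + subject
        return "deliver", msg
    return "block", msg
```

Every message is still scanned; the allowlist only changes what happens after a macro-heuristic hit, so a signature match from an allowlisted sender is still blocked.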

