MailScanner blocking ClamAV emails

Steve Basford steveb_clamav at sanesecurity.com
Sat Mar 25 17:47:40 UTC 2017


YARA.r57shell_php_php.UNOFFICIAL these Yara rules can be disabled in the 
official download script... see config file... or you can put
YARA.r57shell_php_php into localwhitelist.ign2 and place in ClamAV database 
folder to whitelist this Sig.

The usual issue with emailing auto-spam logs is they contain snippets of 
real spam phrases so they will sometimes get hit.

Hope that helps.

Cheers,

Steve
Twitter: @sanesecurity



On 25 March 2017 16:05:18 Mark Sapiro <mark at msapiro.net> wrote:

> On 03/25/2017 08:50 AM, Walt Thiessen wrote:
>> What exactly should we whitelist? My admins claim that the only thing
>> you can whitelist in ClamAV is a signature, and they say there are no
>> signatures in the log entries to whitelist.
>
>
>
> The rule that hits is YARA.r57shell_php_php.UNOFFICIAL. The .UNOFFICIAL
> part just means it is not an 'official' clamav rule, and I'm not sure
> but I think the YARA. part just indicates it's a YARA rule, but the rest
> of it should match some rule in a file in /var/lib/clamav, probably with
> a .yar or .yara extension.
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
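
The whitelisting step described in this message, as an added example that is not part of the original post: it pulls signature names out of scan output, drops the `.UNOFFICIAL` suffix, and appends each name to `localwhitelist.ign2` only once. The function names, the `CLAMAV_DB` override variable, the `path: NAME FOUND` line format, and the sample log are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): whitelist a detection in localwhitelist.ign2.
# CLAMAV_DB is a hypothetical override; it defaults to /var/lib/clamav.

# Strip the ".UNOFFICIAL" suffix that marks third-party signatures;
# the .ign2 entry uses the bare signature name.
sig_name() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Read scan output on stdin (assumed "path: NAME FOUND" lines) and print
# each distinct signature name once, suffix removed.
sigs_from_log() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | while IFS= read -r s; do
        sig_name "$s"
    done | sort -u
}

# Append one signature name to localwhitelist.ign2 unless it is already listed.
whitelist_sig() {
    db_dir=${CLAMAV_DB:-/var/lib/clamav}
    ign="$db_dir/localwhitelist.ign2"
    name=$(sig_name "$1")
    [ -n "$name" ] || return 2          # refuse an empty name
    touch "$ign" || return 1            # database folder must be writable
    if grep -Fxq -- "$name" "$ign"; then
        return 0                        # exact line already present
    fi
    printf '%s\n' "$name" >> "$ign"
}

# Constructed sample of scan output, for illustration only.
sample_log() {
cat <<'EOF'
/tmp/spam-report.txt: YARA.r57shell_php_php.UNOFFICIAL FOUND
/tmp/clean.txt: OK
/tmp/spam-report2.txt: YARA.r57shell_php_php.UNOFFICIAL FOUND
EOF
}
```

ClamAV has to reload its database before a new `.ign2` entry takes effect.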



