<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Arial">What exactly should we whitelist? My admins
claim that the only thing you can whitelist in ClamAV is a
signature, and they say there are no signatures in the log entries
to whitelist.</font><br>
</p>
<br>
<div class="moz-cite-prefix">On 3/25/2017 7:46 AM, Jerry Benton
wrote:<br>
</div>
<blockquote
cite="mid:1169BA6C-F424-470A-BB53-E8E732F44169@mailborder.com"
type="cite">
Sane Security: <a moz-do-not-send="true"
href="http://sanesecurity.com/usage/signatures/" class="">http://sanesecurity.com/usage/signatures/</a>
<div class=""><br class="">
</div>
<div class="">Did you add those rules to freshclam.conf ?</div>
<div class=""><br class="">
</div>
<div class="">Regardless, you need to whitelist at the clam level,
not MailScanner. <br class="">
<div class="">
<div style="color: rgb(0, 0, 0); font-family: Tahoma;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;"><br class="">
-<br class="">
Jerry Benton<br class="">
<a moz-do-not-send="true" href="http://www.mailborder.com"
class="">www.mailborder.com</a><br class="">
+1 - 844-436-6245<br class="">
<br class="">
<br class="">
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Mar 25, 2017, at 7:45 AM, Walt Thiessen
&lt;<a moz-do-not-send="true" href="mailto:wt@dld2000.com"
class="">wt@dld2000.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<p class=""><font class="" face="Arial">I'm not sure
what a Sane rule is.</font><br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 3/25/2017 7:40 AM, Jerry
Benton wrote:<br class="">
</div>
<blockquote
cite="mid:5CE5EE75-D3E0-4E9E-BCC4-3B7125BCC0D4@mailborder.com"
type="cite" class="">
Whitelisting in MailScanner. Whitelisting is for spam
checks. You will need to whitelist in clamav. It looks
like a Sane rule is catching it?<br class="">
<div class="">
<div style="font-family: Tahoma; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent:
0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class=""><br
class="">
-<br class="">
Jerry Benton<br class="">
<a moz-do-not-send="true"
href="http://www.mailborder.com/" class="">www.mailborder.com</a><br
class="">
+1 - 844-436-6245<br class="">
<br class="">
<br class="">
</div>
</div>
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Mar 25, 2017, at 7:38 AM, Walt
Thiessen &lt;<a moz-do-not-send="true"
href="mailto:wt@dld2000.com" class="">wt@dld2000.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">I have MailScanner set to check
all inbound and outbound email using ClamAV.<br
class="">
<br class="">
I have ClamAV set up to send me an email each
day informing me of any possible infections.<br
class="">
<br class="">
For about a week or two now, this email has
failed to arrive.<br class="">
<br class="">
My admins found the problem. ClamAV is
apparently blocking itself via MailScanner.<br
class="">
<br class="">
From the maillog:<br class="">
<br class="">
[root@server ~]# grep 1cqtVW-0002rF-UX
/var/log/maillog<br class="">
Mar 22 23:33:50 server MailScanner: Filename
Checks: Allowing 1cqtVW-0002rF-UX
clamav-2017-03-22.log (no rule matched)<br
class="">
Mar 22 23:33:51 server MailScanner: Filetype
Checks: Allowing 1cqtVW-0002rF-UX
clamav-2017-03-22.log<br class="">
Mar 22 23:33:51 server MailScanner:
Clamd::INFECTED::
YARA.r57shell_php_php.UNOFFICIAL ::
./1cqtVW-0002rF-UX/clamav-2017-03-22.log<br
class="">
Mar 22 23:33:51 server MailScanner: Infected
message 1cqtVW-0002rF-UX came from 127.0.0.1<br
class="">
Mar 22 23:33:51 server MailScanner:
1cqtVW-0002rF-UX: Received for MailControl
Database<br class="">
Mar 22 23:33:51 server MailScanner:
1cqtVW-0002rF-UX: MailControl cannot insert
row:
%%C7RPN1O2FYP5LGSYVTBFOC2X10OGEDRXXIPRGRGJJJI5KDWFI8S<br
class="">
<br class="">
We tried whitelisting root@server or
127.0.0.1, but it didn't help.<br class="">
<br class="">
Any ideas?<br class="">
<br class="">
Walt<br class="">
<br class="">
<br class="">
-- <br class="">
MailScanner mailing list<br class="">
<a moz-do-not-send="true"
href="mailto:mailscanner@lists.mailscanner.info"
class="">mailscanner@lists.mailscanner.info</a><br
class="">
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br
class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<br class="">
<br class="">
</blockquote>
<br class="">
</div>
<br class="">
<br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br>
</blockquote>
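<p>An added example, not part of any message in this thread: the Clamd line in the quoted maillog carries the name of the signature that matched, and this Python sketch pulls it out per message and joins it with the source address MailScanner logged. The sample text is constructed from the log lines quoted above (unwrapped), and the function and field names are hypothetical.</p>
<pre>
```python
import re

# Constructed sample: the MailScanner lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
"""

# Clamd::INFECTED:: SIGNATURE :: ./MESSAGE-ID/FILENAME
HIT = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::\s*\./([^/\s]+)/(\S+)")
# Infected message MESSAGE-ID came from SOURCE-IP
SRC = re.compile(r"Infected message (\S+) came from (\S+)")
# ClamAV appends this suffix to names that come from third-party databases.
SUFFIX = ".UNOFFICIAL"
LOOPBACK = ("127.0.0.1", "::1")


def clamd_hits(log_text):
    """Return one record per Clamd hit, joined with the message's source IP."""
    sources = dict(SRC.findall(log_text))  # message id to source address
    hits = []
    for reported, msg_id, filename in HIT.findall(log_text):
        third_party = reported.endswith(SUFFIX)
        name = reported[:-len(SUFFIX)] if third_party else reported
        source = sources.get(msg_id)
        hits.append({
            "message": msg_id,
            "file": filename,
            "reported": reported,        # name exactly as logged
            "signature": name,           # name without the suffix
            "third_party": third_party,  # True when the suffix was present
            "source": source,
            "local": source in LOOPBACK,  # mail generated on the host itself
        })
    return hits


if __name__ == "__main__":
    for hit in clamd_hits(SAMPLE_LOG):
        print(hit)
```
</pre>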
<br>
</body>
</html>