Jerry,

A quick Google search comes up with this information from 2009.

Whitelisting is NOT based on the mail header fields (To:, From:) but on
the "MAIL FROM" and "RCPT TO" SMTP commands.

Is perhaps the "MAIL FROM" not the same as the From address?

Look at the full headers of the message for the "envelope-from" address and see if it matches.

I run clamav-milter on a FreeBSD 11.2-stable machine and your configuration looks good to me.

Ted Hatfield



On Wed, 26 Sep 2018, Jerry wrote:

I am running clamav version 0.100.1 on a FreeBSD 11.2 / amd64 machine. I
also have the clamav-milter installed. My problem is that even though I am
trying to whitelist some addresses, they get marked as Spam.

This is an example of one such address: Puritan's Pride <puritanspr...@e.puritan.com>

I entered this into the white list file: From:puritanspr...@e.puritan.com

I then restarted the milter. Unfortunately, the email is still marked as
Spam. I thought that clamav-milter would simply ignore the file.

X-Virus-Status: Infected (SecuriteInfo.com.Spam-4701.UNOFFICIAL)
X-Virus-Scanned: clamav-milter 0.100.1 at scorpio.seibercom.net

This is the output from "clamconf"

Checking configuration files in /usr/local/etc

Config file: clamd.conf
-----------------------
BlockMax disabled
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile = "/var/log/clamav/clamd.log"
LogFileUnlock disabled
LogFileMaxSize = "1048576"
LogTime disabled
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/db/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "200"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "10"
ReadTimeout = "120"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "5000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "100000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "2097152"
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/db/clamav"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.US.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "3"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/usr/local/etc/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SafeBrowsing = "yes"
Bytecode = "yes"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogFileUnlock disabled
LogFileMaxSize = "2097152"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory disabled
FixStaleSocket = "yes"
MaxThreads = "10"
ReadTimeout = "120"
Foreground disabled
User = "clamav"
MaxFileSize = "26214400"
ClamdSocket = "unix:/var/run/clamav/clamd.sock"
MilterSocket = "/var/run/clamav/clmilter.sock"
MilterSocketGroup disabled
MilterSocketMode disabled
LocalNet = "192.168.0.101/32", "192.168.0.192/32"
OnClean = "Accept"
OnInfected = "Accept"
OnFail = "Defer"
RejectMsg disabled
AddHeader = "Add"
ReportHostname disabled
VirusAction disabled
Chroot disabled
Whitelist = "/usr/local/etc/whitelisted_addresses.txt"
SkipAuthenticated = "file:/usr/local/etc/clamav_exclusions.txt"
LogInfected = "basic"
LogClean disabled
SupportMultipleRecipients = "yes"

Software settings
-----------------
Version: 0.100.1
Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2 LIBXML2 
PCRE JSON RAR

Database information
--------------------
Database directory: /var/db/clamav
[3rd Party] EK_Zeus.yar: 28 sigs
[3rd Party] foxhole_mail.cdb: 23 sigs
[3rd Party] securiteinfopdf.hdb: 3367 sigs
[3rd Party] foxhole_generic.cdb: 211 sigs
[3rd Party] EK_Crimepack.yar: 49 sigs
[3rd Party] CVE-2010-1297.yar: 15 sigs
[3rd Party] spearl.ndb: 150 sigs
[3rd Party] foxhole_all.cdb: 145 sigs
[3rd Party] spamimg.hdb: 184 sigs
daily.cld: version 24983, sigs: 2100133, built on Tue Sep 25 22:39:15 2018
[3rd Party] spear.ndb: 15009 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] Maldoc_Hidden_PE_file.yar: 23 sigs
[3rd Party] malware.expert.hdb: 388 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] porcupine.ndb: 4012 sigs
[3rd Party] winnow_phish_complete.ndb: 9320 sigs
[3rd Party] phishtank.ndb: 27161 sigs
[3rd Party] scam.ndb: 12501 sigs
[3rd Party] EK_ZeroAcces.yar: 211 sigs
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] securiteinfohtml.hdb: 54089 sigs
[3rd Party] MiscreantPunch099-INFO-Low.ldb: 21 sigs
[3rd Party] jurlbl.ndb: 17854 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] rfxn.hdb: 12674 sigs
[3rd Party] EK_Fragus.yar: 210 sigs
main.cvd: version 58, sigs: 4566249, built on Wed Jun  7 17:38:10 2017
[3rd Party] winnow_spam_complete.ndb: 931 sigs
[3rd Party] phish.ndb: 27425 sigs
[3rd Party] winnow_malware_links.ndb: 4623 sigs
[3rd Party] CVE-2013-0074.yar: 17 sigs
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] securiteinfoold.hdb: 2213713 sigs
[3rd Party] jurlbla.ndb: 1682 sigs
[3rd Party] CVE-2010-0887.yar: 21 sigs
[3rd Party] foxhole_filename.cdb: 1971 sigs
[3rd Party] EK_Blackhole.yar: 453 sigs
[3rd Party] EK_Phoenix.yar: 483 sigs
[3rd Party] spam_marketing.ndb: 23032 sigs
[3rd Party] securiteinfoandroid.hdb: 99086 sigs
[3rd Party] bofhland_malware_attach.hdb: 1835 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
bytecode.cvd: version 327, sigs: 91, built on Wed Aug  8 20:43:48 2018
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] malwarepatrol.ndb: 0 sig
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] malware.expert.ndb: 855 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] porcupine.hsb: 873 sigs
[3rd Party] maldoc_somerules.yar: 283 sigs
[3rd Party] securiteinfo.hdb: 1377783 sigs
[3rd Party] rfxn.ndb: 2034 sigs
[3rd Party] foxhole_all.ndb: 101 sigs
[3rd Party] EK_Eleonore.yar: 165 sigs
[3rd Party] scamnailer.ndb: 50995 sigs
[3rd Party] shelter.ldb: 15 sigs
[3rd Party] blurl.ndb: 108974 sigs
[3rd Party] CVE-2013-0422.yar: 21 sigs
[3rd Party] javascript.ndb: 44092 sigs
[3rd Party] securiteinfoascii.hdb: 98180 sigs
[3rd Party] rogue.hdb: 6761 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] malware.expert.ldb: 142 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1208 sigs
[3rd Party] EK_Angler.yar: 283 sigs
[3rd Party] Javascript_exploit_and_obfuscation.yar: 59 sigs
safebrowsing.cld: version 47916, sigs: 2840247, built on Wed Sep 26 00:56:14 
2018
[3rd Party] bofhland_cracked_URL.ndb: 24 sigs
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
[3rd Party] badmacro.ndb: 501 sigs
[3rd Party] bofhland_phishing_URL.ndb: 186 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] bofhland_malware_URL.ndb: 60 sigs
[3rd Party] CVE-2010-0805.yar: 14 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] EK_Sakura.yar: 62 sigs
[3rd Party] crypto.yar: 1 sig
[3rd Party] malware.expert.fp: 42 sigs
[3rd Party] EK_Zerox88.yar: 55 sigs
Total number of signatures: 13738144

Platform information
--------------------
uname: FreeBSD 11.2-RELEASE-p3 FreeBSD 11.2-RELEASE-p3 #0: Thu Sep  6 07:14:16 
UTC 2018     roo amd64
OS: freebsd11.2, ARCH: amd64, CPU: amd64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x03235c5c0800000000040201

Build information
-----------------
Clang: 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565) 
(4.2.1)
CPPFLAGS: -I/usr/local/include
CFLAGS: -O2 -pipe -march=core2  -fstack-protector -fno-strict-aliasing   
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -pipe -march=core2 -fstack-protector -fno-strict-aliasing
LDFLAGS: -lthr -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector
Configure: '--libdir=/usr/local/lib' '--with-dbdir=/var/db/clamav' 
'--with-zlib=/usr' '--disable-clamuko' '--disable-clamav' '--enable-bigstack' 
'--enable-readdir_r' '--enable-gethostbyname_r' '--disable-dependency-tracking' 
'--disable-zlib-vcheck' '--enable-clamdtop' '--enable-xml' 
'--disable-experimental' '--without-iconv' '--enable-ipv6' '--with-libjson' 
'--enable-milter' '--with-pcre' '--disable-check' '--enable-unrar' 
'--with-sendmail=/usr/sbin/sendmail' '--prefix=/usr/local' 
'--localstatedir=/var' '--mandir=/usr/local/man' '--disable-silent-rules' 
'--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2' 
'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -march=core2  
-fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -lthr -L/usr/local/lib 
-Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS=' 
'CPPFLAGS=-I/usr/local/include' 'CPP=cpp'
sizeof(void*) = 8
Engine flevel: 92, dconf: 92

If someone could tell me what I am doing incorrectly, I would appreciate it.

--
Jerry
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
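
The check suggested in the reply above, as an added example that is not part of the original thread or of ClamAV: it pulls the recorded envelope sender out of a message's headers, compares it with the header From address, and tests whitelist entries against the envelope address. The sample message, addresses and function names are constructed for illustration, the file format handling follows the comments in the clamav-milter.conf sample, and Python's `re` stands in for the POSIX regexes the milter uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: bulk senders commonly use a bounce address as
# the SMTP MAIL FROM, which differs from the visible From: header.
SAMPLE = """\
Return-Path: <bounce-8841@bounces.shop.example>
Received: from mta.shop.example (mta.shop.example [192.0.2.25])
\tby mx.example.org with ESMTP id x8Q1 (envelope-from <bounce-8841@bounces.shop.example>)
\tfor <jerry@example.org>; Wed, 26 Sep 2018 08:00:00 -0400
From: Shop News <news@shop.example>
To: jerry@example.org
Subject: Weekly offers

body
"""

def envelope_sender(raw):
    """Return the recorded MAIL FROM: Return-Path first, then a Received
    header's envelope-from clause; None if neither is present."""
    msg = message_from_string(raw)
    if msg["Return-Path"]:
        return parseaddr(msg["Return-Path"])[1]
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"envelope-from\s+<([^>]*)>", rcvd)
        if m:
            return m.group(1)
    return None

def header_from(raw):
    # Address from the visible From: header, which the whitelist ignores.
    return parseaddr(message_from_string(raw)["From"])[1]

def whitelisted(lines, mail_from, rcpt_to):
    """Approximate the Whitelist file check against envelope addresses."""
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#:!":    # ignored lines
            continue
        if line.startswith("From:"):        # sender rule (no space after colon)
            target, pattern = mail_from, line[5:]
        elif line.startswith("To:"):        # recipient rule
            target, pattern = rcpt_to, line[3:]
        else:                               # no prefix: treated as "To:"
            target, pattern = rcpt_to, line
        if re.search(pattern, target):
            return True
    return False
```

With the sample, an entry written against the header address (`From:news@shop\.example`) does not match, while one written against the envelope sender (`From:@bounces\.shop\.example`) does.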

