ClamAV whitelist e-mail address

Bdzzld · Sep 10, 2018

Hi,

ClamAV sometimes blocks e-mails sent from my installed firewall (CSF/LFD) due to :

Code:

[email protected]
    (generated from [email protected])
    host mydomain.ext [xx.xx.xx.xxx]
    SMTP error from remote mail server after end of data:
    550-This message contains a virus or other harmful content
    550 (YARA.eval_post.UNOFFICIAL)

I was wondering if it's possible to whitelist (or another sort of bypass) e-mail addresses (to or from) so such e-mails are not being scanned by ClamAV and are delivered normally.

Thanks.

cPanelLauren · Sep 12, 2018

Hi @Bdzzld

Whitelisting in the way you're referencing isn't possible - you'd need to disable the rule that is causing the issue. You can read about configuring ClamAV here:
Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation

If you have the full ClamAV product installed it may be possible to whitelist specific email addresses though I would suggest reading their documentation on this: ClamavNet

Thanks!

rpvw · Sep 12, 2018

Not exactly the same, but it's another YARA issue, you might like to reference the following thread New Thread - Bypassing ClamAV Scan question

Bdzzld · Sep 12, 2018

Well,

I think it's fixed by going to:

Code:

WHM >> Plugins >> Configure ClamAV >> User Configuration >> Configure Individual Scan Preferences

and then deselecting "Scan Mail" for the [email protected] cPanel user.

Will see if that works... Luckily we occasionally receive such an e-mail from the firewall.

rpvw · Sep 12, 2018

Bdzzld said:
I think it's fixed

I'm not sure it is exactly fixed ! You are just treating the symptom, and not the issue, by NOT scanning any mail for any account under that user.

Whilst this should stop the mails that may well be false positives, it will have consequences of NOT protecting any of the mail boxes for that user from ANY malware payloads.

Personally, I would put up with an occasional mail about a false positive, to ensure I didn't miss something that might prove to be entirely more destructive.

Bdzzld · Sep 13, 2018

@rpvw: I understand what you mean. However, e-mail is not only scanned by ClamAV before it's actually downloaded. We also use MailWasher Pro before and ESET Smart Security during download. So this may not be a suitable option for the majority, but it is for us now.

cPanelLauren · Sep 14, 2018

Hi @Bdzzld

While I do agree with @rpvw's sentiments on this issue I am happy you were able to employ a solution that worked for you. Thank you for letting us know!

Thread starter	Similar threads	Forum	Replies	Date
M	Can ImmunifyAV be used as (additional) antivirus engine for mail-scanning in addition to clamav	Email	1	Feb 3, 2022
T	ClamAv Freshclam database not updateing	Email	3	Sep 8, 2020
M	Some questions about Exim and ClamAV	Email	3	Aug 21, 2020
N	Is Cpanel Still Auto Updating Clamav?	Email	6	Jan 30, 2020
N	Yara rule with uint32be not allowed by clamAV provided by cPanel	Email	1	Oct 30, 2019

Search

Search

ClamAV whitelist e-mail address

Bdzzld

Well-Known Member

cPanelLauren

Product Owner

rpvw

Well-Known Member

Bdzzld

Well-Known Member

rpvw

Well-Known Member

Bdzzld

Well-Known Member

cPanelLauren

Product Owner