Disable spamd / clamav rule for outgoing spamcheck

MichaelLoungeIT

Hi there,

I have the following problem.
A client tries to send an html mail and it fails with this error message:

SMTP Fehler: [550] This message contains a virus or other harmful content
(example.com.Spam-3504.UNOFFICIAL)


I tried to whitelist this entry:
example.com
in clamav to /var/lib/clamav/whitelist.ign2

Didn't help.
Then I tried to add to whitelist the domain in /etc/mail/spamassassin/local.cf
-> also no success

As a last try I created a /etc/skiprbldomains file with the domain added in there,
restarted all services... still no success ;(

I have no further ideas.
How can I make sure that my client can send out the HTML mail and somehow surpasses the outgoing check, or at least whitelists that special case? I cannot find out how.
 

cPanelLauren

Hi @MichaelLoungeIT


If you're trying to whitelist the user (you can't do the domain) you'd do it in the clamd.conf located at /usr/local/cpanel/3rdparty/etc/clamd.conf.

You'd change the option/s as follows:

Code:
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan.  Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no

Code:
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan.  Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1

If you're trying to whitelist a signature, that's the portion you'd do in the whitelist.ign

You'd want to run clamscan against the file:
Code:
/usr/local/cpanel/3rdparty/bin/clamscan -i /users/file.ext
Which should return the specific signature

Then add the signature found to the whitelist you created

Once it's added restart clamd:

Code:
/scripts/restartsrv_clamd
Then run

Code:
/usr/local/cpanel/3rdparty/bin/clamscan -i /users/file.ext
against the file again

Thanks!
 

MichaelLoungeIT

The problem is: it is an email that somebody tries to send. So there is no file I can run against clam to get a correct signature.
All I have is that error message thrown by webmail when trying to send the email.
 

sneader

For anyone that is using this thread as a guide for how to whitelist a false-positive ClamAV rule that is blocking incoming file attachment emails, the CORRECT directory to put your whitelist rule is in:

/usr/local/cpanel/3rdparty/share/clamav/

The original post says /var/lib/clamav/, and many online references also mention this directory, but in the cPanel environment, it will not work to put the whitelist.ign2 file there.

- Scott
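
An added example, not part of any post in this thread: a shell helper that takes the 550 rejection text quoted in the first post, extracts the signature name from the parentheses, and appends it to whitelist.ign2 in the cPanel directory Scott names. It assumes the parenthesised string is the ClamAV signature name; the function names and the IGN2_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the text in parentheses in
# the 550 rejection is the ClamAV signature name. ClamAV appends ".UNOFFICIAL"
# to signatures from third-party databases; .ign2 entries omit that suffix.

# Directory given in the thread for cPanel's bundled ClamAV (overridable).
IGN2_DIR="${IGN2_DIR:-/usr/local/cpanel/3rdparty/share/clamav}"
IGN2_FILE="${IGN2_DIR}/whitelist.ign2"

# Print the signature name found in parentheses in a rejection message,
# with any trailing ".UNOFFICIAL" removed. Prints nothing if none is found.
sig_from_rejection() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\([A-Za-z0-9._-]*\)).*/\1/p' |
        sed 's/\.UNOFFICIAL$//'
}

# Append one signature name to an ignore file unless it is already listed.
# Returns 1 if the name is empty, so a failed extraction never writes a blank.
add_to_ign2() {
    sig="$1"
    file="$2"
    [ -n "$sig" ] || return 1
    touch "$file"
    grep -qxF -- "$sig" "$file" || printf '%s\n' "$sig" >> "$file"
}

# Usage: pass the rejection text as the first argument (run as root).
if [ "$#" -gt 0 ]; then
    sig=$(sig_from_rejection "$1")
    if add_to_ign2 "$sig" "$IGN2_FILE"; then
        echo "Added '$sig' to $IGN2_FILE"
        echo "Now restart clamd: /scripts/restartsrv_clamd"
    else
        echo "No signature name found in the message" >&2
        exit 1
    fi
fi
```

Ignoring a signature disables it for every message clamd scans, so check what the rule matches before leaving the entry in place.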