Sanesecurity.Badmacro.Doc.vbfexe.UNOFFICIAL clamav false positive

microvax

Well-Known Member
Mar 4, 2021
cPanel Access Level
Root Administrator
I am currently having problems receiving emails from a customer because their attachments are triggering this rule in Exim (Sanesecurity.Badmacro.Doc.vbfexe.UNOFFICIAL), so I was wondering if there is a way to disable only the problematic rule.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Unlike ModSecurity, there isn't a way to disable certain rules from ClamAV. It's either on or off, as the rules are internal to the application.

There is a method to report false-positives directly to the provider as outlined here:


so that is the method I would recommend to fix that issue long-term. In the meantime, you would disable the unofficial signatures using the details outlined here:

 

microvax

I did run the command "yum list installed | grep clamav-unofficial-sigs" but got no results.
I also got no results when I ran "yum list installed | grep Sanesecurity.Badmacro.Doc.vbfexe.UNOFFICIAL".

However, I got this result when I ran "yum list installed | grep clamav":
cpanel-clamav.x86_64 0.101.5-6.cp1186 installed
cpanel-clamav-virusdefs.x86_64 0.101.5-6.cp1186 installed

cPRex

Sorry about that - I double-checked the ClamAV tools, and while it is listed as "unofficial" it is still included in the main RPM.

I don't have a way to whitelist the checks from ClamAV for a certain address/domain, so the only option would be to disable that in general on the machine, which is obviously not ideal.