On Mon, Jan 20, 2014 at 4:59 PM, Charles Swiger <cswi...@mac.com> wrote:
> Hi--
>
> On Jan 20, 2014, at 1:14 PM, Anthony Magrone <anthonymagr...@hamlinandburton.com> wrote:
> > ClamAV is tagging a legitimate email stored on a file server as
> > containing a phishing address. Can this file be excluded from scans, or
> > tagged as legitimate?
>
> Yes; one can set up paths (or extensions) via ExcludePath directive in
> clamd.conf. Or you might disable PhishingScanURLs.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

There are 3 ways you can address this on your server, depending on what
you think the best choice is.

(1) Skip the file
Details: Add an ExcludePath line in clamd.conf to skip the file.
Example row:
ExcludePath /usr/home/ksoze/legitfile.mbx

(2) Whitelist the file
Details: Add a "local.fp" file in your signature database with a row to
ignore the specific file by its hash. Details are in Section 3.8 of the
signatures.pdf document for ClamAV.
Example row:
Ksoze-Legit-File:MD5-of-the-file

(3) Whitelist that combination of actual domain and displayed domain
Details: Add a "local.wdb" file in your signature database with a row to
whitelist the specific URL/text combination. Details are in Section 1.3 of
the phishsigs_howto.pdf document for ClamAV.
Example row:
M:RealDomain:DisplayedDomain

There are more options. For example, turning phishing scans off or
deleting the file are other valid but extreme methods.

Hope this helps,

Dave R.

--
---
Dave Raynor
Vulnerability Research Team
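
The three rows from the reply above, generated for a concrete file, as an added example that is not part of the original thread. It assumes ExcludePath is matched as a regular expression and writes the local.fp row in the hash:size:name layout that `sigtool --md5` prints; the sample file, host names and function names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

HOST = re.compile(r"^[A-Za-z0-9.-]+$")  # bare host name, no scheme, path or ':'


def exclude_path_row(path):
    """clamd.conf row for option (1). Assumption: ExcludePath is a regex,
    so escape metacharacters and anchor it to match this one file only."""
    escaped = re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", path)
    return "ExcludePath ^" + escaped + "$"


def fp_row(path, name):
    """local.fp row for option (2), written as hash:size:name."""
    if ":" in name:
        raise ValueError("name must not contain ':' (the field separator)")
    md5, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            size += len(chunk)
    return "%s:%d:%s" % (md5.hexdigest(), size, name)


def wdb_row(real_domain, displayed_domain):
    """local.wdb row for option (3): M:RealDomain:DisplayedDomain."""
    for host in (real_domain, displayed_domain):
        if not HOST.match(host):
            raise ValueError("not a bare host name: %r" % host)
    return "M:%s:%s" % (real_domain, displayed_domain)


def demo():
    # Constructed sample: a throwaway file standing in for the flagged mailbox.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello")
    try:
        return (exclude_path_row("/usr/home/ksoze/legitfile.mbx"),
                fp_row(tmp.name, "Ksoze-Legit-File"),
                wdb_row("mail.example.com", "example.org"))
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print("\n".join(demo()))
```

A hash row matches only the exact bytes that were hashed, so it has to be regenerated whenever the file changes; the ExcludePath and .wdb rows do not depend on the file's content.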