How to disable a specific ClamAV scan

Question asked by Scarab - 1/5/2015 at 5:08 PM

Answered

We are getting stupid amounts of "Heuristics.Phishing.Email.SpoofedDomain virus" false positives with ClamAV. For everything else it seems to do as it should with very rare instances of false positives. Question: How does one disable "Heuristics.Phishing.Email.SpoofedDomain" scans in Smartermail's ClamAV?

Using Google-fu I tried modifying the \Smartermail\Service\Clam\etc\clamd.conf to include the following line:

PhishingScanURLs no

But this doesn't seem to have done anything as we are still getting dozens of emails per hour quarantined for "Heuristics.Phishing.Email.SpoofedDomain virus".

Is there any other way to disable a particular ClamAV scan without disabling all of ClamAV in Smartermail?

8 Replies

Reply to Thread

Scarab Replied

1/15/2015 at 3:23 PM

Marked As Answer

Just a quick follow up for anyone else who may be having this problem:

A reboot of the SmarterMail Server (after Scheduled Monthly Maintenance on Patch Tuesday) successfully made the modification to clamd.conf start working the way it should. Apparently restarting the SmarterMail service was not enough, as this file seems to be cached by either SmarterMail or Windows Server itself.

So, to modify the behaviors of ClamAV in Smartermail you can use standard ClamAV parameters in the \Smartermail\Service\Clam\etc\clamd.conf file so long as you reboot the server after committing your changes.

BMark Replied

2/26/2015 at 8:38 AM

Hi Scarab,

same problem of false positives detected by ClamAV scan "Heuristics.Phishing.Email.SpoofedDomain virus"...

I thank you for sharing the solution

Opt-Out Replied

2/26/2015 at 1:44 PM

In the past I have avoided a reboot by logging in to Smartermail admin > select Security > Antivirus Administration > uncheck "Enable ClamAV" > Save.

Next I use task manager to end task on clamd.exe.

Then I append PhishingScanURLs no to clamd.conf.

Once I recheck Enable ClamAV in the Smartermail Admin and click save I see Clamd.exe starts and my new configuration is working.

Please chime in if you feel there is a downside to this procedure.

Chris Replied

5/26/2020 at 4:14 PM

Life saver! We were getting tons of false positives. I created a whitelist.ign2 file and that did not work. Thanks for posting this Scarab.

Gabriele Maoret - SERSIS Replied

5/26/2020 at 5:59 PM

Hi Chris! We don't have issues with false positives, can you give us more info?

Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

Chris Replied

5/26/2020 at 6:15 PM

We have clamav set to quarantine. It would quarantine primarily all financial institutions domain names. Such as paypal.com, chase.com, bofa.com, wellsfargo.com, citi.com All the banks, investment firms, credit card companies.

Gabriele Maoret - SERSIS Replied

5/27/2020 at 12:34 AM

Strange... we don't have issue with paypal.com (the others that you mention are simply unused here in Italy...).

I think that your better chance is to open a ticket with SmarterTools support.

David Fisher Replied

9/17/2020 at 9:58 AM

Scarab,

Thank You, I've been having to go through my virus quarantine daily and search for legit sites like :

hilton.com, searscard.com, accountonline.com, citi.com, and hotels.com

Now I am trying this, and hopefully I will have less work to do! Years ago, I had an open ticket

with SmarterTools on this, they couldn't figure out why legit emails were going into the virus

quarantine. I use offline clamav, so they couldn't provide me much support.

Thank You,

-dave

Back to Community Threads

Please leave this box unchecked

8 Replies

Reply to Thread

Tags

Related Knowledge Base Articles