How to disable a specific ClamAV scan
Question asked by Scarab - 1/5/2015 at 5:08 PM
Answered
We are getting stupid amounts of "Heuristics.Phishing.Email.SpoofedDomain virus" false positives with ClamAV. For everything else it seems to do as it should with very rare instances of false positives. Question: How does one disable "Heuristics.Phishing.Email.SpoofedDomain" scans in Smartermail's ClamAV?
 
Using Google-fu I tried modifying the \Smartermail\Service\Clam\etc\clamd.conf to include the following line:
 
PhishingScanURLs no
 
But this doesn't seem to have done anything as we are still getting dozens of emails per hour quarantined for "Heuristics.Phishing.Email.SpoofedDomain virus".
 
Is there any other way to disable a particular ClamAV scan without disabling all of ClamAV in Smartermail?
 
8 Replies

1
Scarab Replied
Marked As Answer
Just a quick follow up for anyone else who may be having this problem:
 
A reboot of the SmarterMail Server (after Scheduled Monthly Maintenance on Patch Tuesday) successfully made the modification to clamd.conf start working the way it should. Apparently restarting the SmarterMail service was not enough, as this file seems to be cached by either SmarterMail or Windows Server itself.
 
So, to modify the behaviors of ClamAV in Smartermail you can use standard ClamAV parameters in the \Smartermail\Service\Clam\etc\clamd.conf file so long as you reboot the server after committing your changes.
0
BMark Replied
Hi Scarab,
 
Same problem of false positives detected by the ClamAV scan "Heuristics.Phishing.Email.SpoofedDomain virus"...
 
I thank you for sharing the solution.
1
Opt-Out Replied
<proceed at your own risk>
In the past I have avoided a reboot by logging in to Smartermail admin > select Security > Antivirus Administration > uncheck "Enable ClamAV" > Save.
Next I use task manager to end task on clamd.exe.
 
Then I append PhishingScanURLs no to clamd.conf.
 
Once I recheck Enable ClamAV in the Smartermail Admin and click Save, I see clamd.exe start and my new configuration is working.
 
Please chime in if you feel there is a downside to this procedure.
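As an added example (not code from the thread, from SmarterTools, or from ClamAV itself), here is a small Python helper that applies the `PhishingScanURLs no` edit from Scarab's answer idempotently and lets you confirm that exactly one active line for the option is present before you restart clamd or reboot, as the two procedures above require. The clamd.conf contents and the path are constructed placeholders.

```python
"""Idempotently set a clamd.conf option and report its active value(s).

clamd reads clamd.conf only when it starts, so after this edit the daemon
(clamd.exe on a SmarterMail box) still has to be restarted, as the thread
describes; this script only makes the file edit itself safe and checkable.
"""
import re
from pathlib import Path

# Constructed sample of a bundled clamd.conf; the real file lives under
# \Smartermail\Service\Clam\etc\ per the thread (path is a placeholder here).
SAMPLE_CONF = """\
# Constructed sample clamd.conf (not a real file)
LogFile C:\\Smartermail\\Service\\Clam\\clamd.log
TCPSocket 3310
#PhishingScanURLs yes
PhishingSignatures yes
"""

def _option_re(option: str) -> re.Pattern:
    # Matches an ACTIVE line for the option; '#'-commented examples are
    # left alone. Case-insensitive match is a defensive assumption.
    return re.compile(rf"^\s*{re.escape(option)}\b", re.IGNORECASE)

def active_values(text: str, option: str) -> list[str]:
    """Return every value currently set for `option` (ideally one)."""
    pat = _option_re(option)
    vals = []
    for line in text.splitlines():
        if pat.match(line):
            parts = line.split(None, 1)
            vals.append(parts[1].strip() if len(parts) > 1 else "")
    return vals

def set_option(text: str, option: str, value: str) -> str:
    """Return `text` with `option value` present exactly once.

    The first active line is replaced, duplicate active lines are dropped,
    and the option is appended if it was not set at all.
    """
    pat = _option_re(option)
    out, done = [], False
    for line in text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{option} {value}")
                done = True
            continue  # drop any further active copies of the option
        out.append(line)
    if not done:
        out.append(f"{option} {value}")
    return "\n".join(out) + "\n"

def apply_to_file(path: Path, option: str = "PhishingScanURLs", value: str = "no") -> bool:
    """Rewrite `path` in place; True if the contents actually changed."""
    old = path.read_text(encoding="utf-8")
    new = set_option(old, option, value)
    if new != old:
        path.write_text(new, encoding="utf-8")
    return new != old
```

Where the bundled ClamAV ships the `clamconf` utility, running it after the restart prints the settings the daemon actually parsed, which is the quickest way to see whether the edit took effect without waiting for the next false positive.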
0
Chris Replied
Life saver! We were getting tons of false positives. I created a whitelist.ign2 file and that did not work. Thanks for posting this Scarab.
0
Hi Chris! We don't have issues with false positives, can you give us more info?

0
Chris Replied
We have clamav set to quarantine. It would quarantine primarily all financial institutions' domain names, such as paypal.com, chase.com, bofa.com, wellsfargo.com, citi.com: all the banks, investment firms, credit card companies.
0
Strange... we don't have issues with paypal.com (the others that you mention are simply unused here in Italy...).

I think that your best chance is to open a ticket with SmarterTools support.
0
David Fisher Replied
Scarab,

Thank You, I've been having to go through my virus quarantine daily and search for legit sites like:

hilton.com, searscard.com, accountonline.com, citi.com, and hotels.com

Now I am trying this, and hopefully I will have less work to do! Years ago, I had an open ticket with SmarterTools on this; they couldn't figure out why legit emails were going into the virus quarantine. I use offline clamav, so they couldn't provide me much support.

Thank You,
-dave