Whitelist signatures in ClamAV
Question asked by Patrick Mattson - 11/27/2021 at 11:17 AM
I use some additional signatures, but some legitimate email is being flagged as a virus. From my research, you can whitelist a signature so it does not scan an email against it. I am wondering two things: did I create my whitelist file(s) in the wrong folder, and/or did I not put the whitelist files in the correct folder?

Running version: Build 7957 (Oct 14, 2021) 

Put the whitelist files: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav
File 1: sigwhitelist.ign2
File 2: whitelist.ign2

Both files contain the same signature names:
Dummy.Whitelist.Signature
{HEX}Malware.Expert.3xpl01t_ma.configs.dumper.0
PhishTank.Phishing.5603443
Porcupine.Malware.43226
PhishTank.Phishing.6645510
PhishTank.Phishing.6698671
PhishTank.Phishing.6686540
PhishTank.Phishing.6688600
PhishTank.Phishing.6801210
Porcupine.Phishing.51532
MiscreantPunch.INFO.NoWordsHasMacro
Porcupine.Malware.52901
SecuriteInfo.com.Spam-62816.UNOFFICIAL
SecuriteInfo.com.Spam-48869.UNOFFICIAL
SecuriteInfo.com.Spam-49581.UNOFFICIAL
SecuriteInfo.com.Spam-62859.UNOFFICIAL
SecuriteInfo.com.Spam-60951.UNOFFICIAL
SecuriteInfo.com.Spam-54293.UNOFFICIAL
SecuriteInfo.com.Spam-49577.UNOFFICIAL
SecuriteInfo.com.Spam-65584.UNOFFICIAL

Eric Tykwinski Replied
That looks like the correct location by default, and yes, you can just add the name of the rule to a whitelist, or a hash to a false positive file. Here are the ClamAV instructions: https://docs.clamav.net/manual/Signatures/AllowLists.html

I would also suggest reporting them to Cisco: http://www.clamav.net/reports/fp if it's in the main, daily or bytecode.
If it's in one of the others you can probably dig up a contact on their respective sites as well.

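An added example, not from either poster or from the ClamAV project: a small Python check for the two files the reply mentions, a `.ign2` list of signature names and a `.fp` entry for a known-good file. The function names and sample bytes are constructed for illustration, and the clean-ups (dropping a byte-order mark, surrounding whitespace, duplicates and the `.UNOFFICIAL` suffix) are assumptions about what commonly stops a hand-edited name from matching, not steps taken from the linked documentation.

```python
import hashlib

SUFFIX = ".UNOFFICIAL"  # clamscan appends this to names from third-party databases


def normalize_ign2(raw: bytes):
    """Return (entries, warnings) for the raw bytes of a .ign2 file."""
    warnings = []
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        raise ValueError("file is UTF-16; re-save it as plain ASCII text")
    if raw.startswith(b"\xef\xbb\xbf"):
        warnings.append("UTF-8 byte-order mark removed")
        raw = raw[3:]
    entries, seen = [], set()
    text = raw.decode("ascii", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        name = line.strip()
        if not name:
            continue
        if name != line:
            warnings.append(f"line {n}: surrounding whitespace removed")
        if name.endswith(SUFFIX):
            name = name[: -len(SUFFIX)]
            warnings.append(f"line {n}: {SUFFIX} suffix dropped")
        if name in seen:
            warnings.append(f"line {n}: duplicate of an earlier entry")
            continue
        seen.add(name)
        entries.append(name)
    return entries, warnings


def fp_entry(sample: bytes, comment: str) -> str:
    """One .fp line in the MD5:size:comment layout that `sigtool --md5` prints."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{comment}"


if __name__ == "__main__":
    # Constructed sample: BOM, CRLF endings, stray spaces, a duplicate.
    sample = (b"\xef\xbb\xbfDummy.Whitelist.Signature\r\n"
              b"SecuriteInfo.com.Spam-62816.UNOFFICIAL\r\n"
              b" PhishTank.Phishing.5603443 \r\n\r\n"
              b"Dummy.Whitelist.Signature\r\n")
    names, notes = normalize_ign2(sample)
    print("\n".join(names))
    print("\n".join(notes))
    print(fp_entry(b"constructed message body", "local-false-positive"))
```

Writing the returned entries back one per line gives a single clean `.ign2` file; an `.fp` entry exempts one exact file by hash rather than switching a signature off for all mail.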