Reducing ClamAV False Positives

ClamAV is a free, full-featured antivirus engine that is included with every SmarterMail installation. While it is effective at finding and removing viruses, it can generate false positives: messages flagged when no virus actually exists in them. Often this happens because the message was flagged as phishing or as coming from a spoofed domain. If you find that legitimate email is being flagged, there is a workaround.

First, try turning off ClamAV's URL phishing checks. This helps if you see many Heuristics.Phishing.Email.SpoofedDomain false positives in your delivery logs. Note that this setting is global: it disables the URL-based phishing heuristic for all mail, not just for the senders that were being misclassified, so weigh that against the volume of false positives you are seeing.

To do this:

  1. Disable ClamAV by toggling off "Scan Messages" and "Scan Uploaded Files" on the ClamAV card in Settings > Antivirus.
  2. Go to C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\etc. (This is the default location, so your actual path may vary.)
  3. Open clamd.conf in a text editor.
  4. Add the line PhishingScanURLs no at the bottom of the file. If the file already contains an active PhishingScanURLs line, change that line instead of adding a second one.
  5. Save the file, then re-enable ClamAV by toggling "Scan Messages" and "Scan Uploaded Files" back on.
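
As an added example (not part of the original article and not SmarterMail's or ClamAV's own code), the following Python script makes the clamd.conf edit in step 4 idempotent: it rewrites an existing active PhishingScanURLs line in place rather than appending a second, conflicting one, leaves commented-out copies alone, and only appends the line when the option is absent. The path is the default location from step 2 and is an assumption; the sample config text at the bottom is constructed for the example.

```python
import re
import shutil
from pathlib import Path
from typing import Optional

# Default SmarterMail location from step 2 above; an assumption, adjust to your install.
CLAMD_CONF = Path(r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\etc\clamd.conf")


def set_clamd_option(conf_text: str, option: str, value: str) -> str:
    """Return conf_text with exactly one active line reading `option value`.

    clamd.conf is line oriented: one `Option value` per line, and `#` starts a
    comment. The first active line for `option` is rewritten in place, any
    further active duplicates are dropped, commented-out copies are left
    untouched, and the line is appended if the option is not present at all.
    """
    active = re.compile(r"^\s*" + re.escape(option) + r"(\s|$)")
    out = []
    replaced = False
    for line in conf_text.splitlines():
        if active.match(line):
            if not replaced:
                out.append(f"{option} {value}")
                replaced = True
            continue  # drop duplicate active lines
        out.append(line)
    if not replaced:
        out.append(f"{option} {value}")
    return "\n".join(out) + "\n"


def get_clamd_option(conf_text: str, option: str) -> Optional[str]:
    """Return the value of the last active `option` line, or None if it is unset."""
    active = re.compile(r"^\s*" + re.escape(option) + r"\s+(\S+)")
    value = None
    for line in conf_text.splitlines():
        m = active.match(line)
        if m:
            value = m.group(1)
    return value


def disable_url_phishing(conf_path: Path = CLAMD_CONF) -> bool:
    """Set `PhishingScanURLs no` in conf_path, keeping a .bak copy of the original.

    Returns True if the file was changed. Run this while ClamAV scanning is
    toggled off (step 1) and re-enable it afterwards (step 5).
    """
    original = conf_path.read_text(encoding="utf-8")
    updated = set_clamd_option(original, "PhishingScanURLs", "no")
    if updated == original:
        return False
    shutil.copy2(conf_path, conf_path.with_name(conf_path.name + ".bak"))
    conf_path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Constructed sample, not a real SmarterMail clamd.conf.
    sample = "LogFile C:\\clamd.log\n#PhishingScanURLs yes\nPhishingScanURLs yes\n"
    print(set_clamd_option(sample, "PhishingScanURLs", "no"), end="")
    print("effective value:", get_clamd_option(sample, "PhishingScanURLs"))
```

Calling disable_url_phishing() on the real file does the edit; the sample in the main block shows that the active `PhishingScanURLs yes` line is replaced while the commented copy is preserved.
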

Next, if you are getting different false positives, you will see something like Virus: (Email.Phishing.RPMSG_Downloader-10004958-0) in your delivery logs. On that line, the item in parentheses, Email.Phishing.RPMSG_Downloader-10004958-0, is the "signature". You can whitelist signatures you see on legitimate email so that ClamAV no longer flags them. A whitelisted signature is ignored for every message, not only for the sender that triggered it, so only whitelist signatures you have confirmed are false positives. To do this:

  1. Stop the SmarterMail service.
  2. Go to C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav. (This is the default location, so your actual path may vary.)
  3. Create a file called whitelist.ign2
  4. Edit that file and enter in the signature(s) of the false positive(s), one signature per line. (E.g., Email.Phishing.RPMSG_Downloader-10004958-0)
  5. Save your file.
  6. Restart the SmarterMail service.

Once this is done, you can keep updating the whitelist.ign2 file, adding more signatures as they are discovered.
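
The delivery-log fragment quoted above is enough to automate collecting signatures. The following Python script is an added example, not part of the original article and not SmarterMail's or ClamAV's own code: it pulls every Virus: (...) signature out of a delivery log, counts how often each fires, separates Heuristics.* alerts (the ones the article addresses with PhishingScanURLs no) from named signatures (the ones that belong in whitelist.ign2), and merges the named ones into an existing .ign2 file, one per line, without duplicates. The log lines are constructed for the example and only their Virus: (...) part mirrors the article; the file path is the default from step 2 and is an assumption. Review the counts before writing anything, since every name in the .ign2 file is ignored for all mail.

```python
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, Set, Tuple

# Default SmarterMail location from step 2 above; an assumption, adjust to your install.
IGN2_PATH = Path(r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav\whitelist.ign2")

# The "Virus: (<signature>)" fragment the article quotes from the delivery log.
VIRUS_RE = re.compile(r"Virus:\s*\(([^()\s]+)\)")
# ClamAV signature names use letters, digits, '.', '_' and '-'; anything else is
# rejected so stray log text can never end up in the ignore file.
SIGNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample lines: only the Virus: (...) part mirrors the article; the
# timestamp and id prefix are made up and are not SmarterMail's real log format.
SAMPLE_LOG = """\
16:10:02 [1001] Virus: (Email.Phishing.RPMSG_Downloader-10004958-0)
16:11:45 [1002] Virus: (Heuristics.Phishing.Email.SpoofedDomain)
16:12:07 [1003] Delivery to mx.example.net completed
16:13:19 [1004] Virus: (Email.Phishing.RPMSG_Downloader-10004958-0)
"""


def extract_signatures(log_text: str) -> Counter:
    """Count each signature name that appears in a Virus: (...) log entry."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = VIRUS_RE.search(line)
        if m and SIGNAME_RE.match(m.group(1)):
            counts[m.group(1)] += 1
    return counts


def split_by_remedy(signatures: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Heuristics.* alerts are handled in clamd.conf (PhishingScanURLs no);
    everything else is a named signature that can be listed in whitelist.ign2."""
    sigs = set(signatures)
    heuristic = {s for s in sigs if s.startswith("Heuristics.")}
    return heuristic, sigs - heuristic


def merge_ign2(existing_text: str, new_signatures: Iterable[str]) -> str:
    """Return .ign2 content with the new names appended, one per line and without
    duplicates, preserving the order of entries already in the file."""
    names = []
    for line in existing_text.splitlines():
        name = line.strip()
        if name and name not in names:
            names.append(name)
    for name in sorted(new_signatures):
        if SIGNAME_RE.match(name) and name not in names:
            names.append(name)
    return "".join(n + "\n" for n in names)


def update_ign2_file(new_signatures: Iterable[str], path: Path = IGN2_PATH) -> int:
    """Merge new_signatures into path, creating it if absent; returns the number of
    entries added. Stop the SmarterMail service first (step 1) and restart it after."""
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    merged = merge_ign2(existing, new_signatures)
    before = len({l.strip() for l in existing.splitlines() if l.strip()})
    after = len(merged.splitlines())
    if merged != existing:
        path.write_text(merged, encoding="utf-8")
    return after - before


if __name__ == "__main__":
    counts = extract_signatures(SAMPLE_LOG)
    heuristic, named = split_by_remedy(counts)
    for sig, n in counts.most_common():
        print(f"{n:4d}  {sig}")
    print("handle with PhishingScanURLs no:", sorted(heuristic))
    print("candidate whitelist.ign2 entries:", sorted(named))
    print(merge_ign2("", named), end="")
```

Running the script on a real delivery log (replace SAMPLE_LOG with the file's contents) gives a frequency table to review; once you have confirmed which named signatures are false positives, update_ign2_file(named) writes them while the service is stopped.
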


Feedback

I get these false positives several times a week for most banks.
I'm not seeing anything that looks like the signature mentioned in my Delivery Logs.

David O'Leary (1/30/2024 at 4:16 PM)
Also, there was already a sigwhitelist.ign2 in the specified directory. I'm guessing I should use that... There should be a way to whitelist a domain from the quarantine tab in the Spool.
David O'Leary (1/30/2024 at 4:24 PM)