From 1a7cae97aeabe687b815bb96456c369af30a6ee5 Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Thu, 7 Apr 2022 19:58:00 +0300
Subject: [PATCH] Create u_e-clamav-whitelist.en.md

---
 .../ClamAV/u_e-clamav-whitelist.en.md         | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md

diff --git a/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md b/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md
new file mode 100644
index 000000000..b244cace1
--- /dev/null
+++ b/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md
@@ -0,0 +1,33 @@
+## Whitelist specific ClamAV signatures
+
+You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with `VIRUS_FOUND`). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.:
+
+```bash
+docker-compose logs clamd-mailcow | grep "FOUND"
+```
+
+This line confirms that such was identified:
+
+```text
+clamd-mailcow_1      | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
+```
+
+To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file:
+
+```bash
+echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
+```
+
+Then restart the clamd-mailcow service container in the mailcow UI or using docker-compose:
+
+```bash
+docker-compose restart clamd-mailcow
+```
+
+Cleanup cached ClamAV results in Redis:
+
+```
+# docker-compose exec redis-mailcow  /bin/sh
+/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL
+/data # exit
+```