From 1a7cae97aeabe687b815bb96456c369af30a6ee5 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 7 Apr 2022 19:58:00 +0300 Subject: [PATCH] Create u_e-clamav-whitelist.en.md --- .../ClamAV/u_e-clamav-whitelist.en.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md diff --git a/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md b/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md new file mode 100644 index 000000000..b244cace1 --- /dev/null +++ b/docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md @@ -0,0 +1,33 @@ +## Whitelist specific ClamAV signatures + +You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with `VIRUS_FOUND`). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.: + +```bash +docker-compose logs clamd-mailcow | grep "FOUND" +``` + +This line confirms that such was identified: + +```text +clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND +``` + +To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file: + +```bash +echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2 +``` + +Then restart the clamd-mailcow service container in the mailcow UI or using docker-compose: + +```bash +docker-compose restart clamd-mailcow +``` + +Cleanup cached ClamAV results in Redis: + +``` +# docker-compose exec redis-mailcow /bin/sh +/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL +/data # exit +```
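Review bot: In the final block (Redis cleanup), `redis-cli KEYS rs_cl* | xargs redis-cli DEL` leaves the pattern unquoted, so the shell can glob-expand `rs_cl*` against files in `/data` before redis-cli sees it. When no key matches, `xargs` still invokes `redis-cli DEL` with no arguments, which returns an error. Suggest quoting the pattern and skipping the empty case, for example `redis-cli --scan --pattern 'rs_cl*' | xargs -r redis-cli DEL`, which also avoids the blocking `KEYS` call on a busy Redis instance. That fence is the only one in the file without a language tag (the others use `bash` or `text`). Separately, the `whitelist.ign2` step turns the signature off for every message clamd scans, inbound as well as outbound, not only for "sending this type of file attached"; a sentence stating that scope would help admins weigh the whitelist against the detection they lose. Minor: "Javascript" should be "JavaScript".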