[SOLVED] whitelist clamav?

[killmasta93]

Hi
Currently trying to whitelist on clamav but it does not seem to be working

these are the steps i took

echo "PUA.Pdf.Trojan.EmbeddedJavaScript-1" | sudo tee /var/lib/clamav/whitelist.ign2

then restarted the server

not sure what else to do?

Thank you

 

[hata_ph]

I try whitelist eicar and it work with below .ign2 file. Remember to ignore the .UNOFFICIAL word.

Run chown clamav:clamav /var/lib/clamav/my_whitelist.ign2, just to be sure.

{HEX}EICAR.TEST
{HEX}EICAR.TEST.3
Win.Test.EICAR_HDB-1
{MD5}EICAR.TEST.3.59
Eicar-Test-Signature
Win.Test.EICAR_HSB-1
Eicar-Signature

https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

 

[killmasta93]

Thanks for the reply, trying to do the following but still doesn't work i restarted the server also

root@mail:~# cat /var/lib/clamav/whitelist.ign2
YARA.davivienda
root@mail:~# ls -l -h  /var/lib/clamav/whitelist.ign2
-rw-r--r-- 1 clamav clamav 16 Jan  6 23:32 /var/lib/clamav/whitelist.ign2

im getting the alert

Rule: Virus Alert
  Receiver: myemail@mydomain.com
  Action: block message
  Action: notify __ADMIN__
  Action: notify __SENDER__


Virus Info: YARA.davivienda.UNOFFICIAL (clamav)

 

[hata_ph]

Did you try whitelist eicar with an eicar test mail?

do you have the yara virus files? Try run clamscan -i your_virus_files and show the output.

 

[killmasta93]

thanks for the reply, this is what i get

root@mail:~# clamscan -i test.eml
test.eml: YARA.davivienda.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 11175625
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.08 MB
Data read: 0.16 MB (ratio 0.50:1)
Time: 57.826 sec (0 m 57 s)

 

[hata_ph]

did you test using the eicar?
pls share your test.eml.

 

[killmasta93]

sure this is the email

https://pastebin.com/s8EKaP46

 

[hata_ph]

I try download https://pastebin.com/raw/s8EKaP46 and test with clamscan, no detect virus. pls double confirm.

root@pmg:~# clamscan test.eml
/root/test.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 11037408
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.25:1)
Time: 23.353 sec (0 m 23 s)
root@pmg:~#

 

[killmasta93]

thanks for the reply, the thing is that i have the repo of clamav unofficial-sigs
which has the YARA rules which i cant seem to whitelist it

https://github.com/extremeshok/clamav-unofficial-sigs

 

[hata_ph]

First, can you whitelist eicar?

 

[killmasta93]

thanks for the reply, after a while i had to disable the YARA rules which i did the following

nano /etc/clamav-unofficial-sigs/master.conf


and find lines and change to this

yararulesproject_enabled="no"

enable_yararules="no"