Mailing List Archive

[clamav-users] Antispam with Clamav whitelist
Hi

I need to set up a whitelist with email addresses or wildcards with
domains that should not be verified by Clamav.

I couldn't find any documentation available, how should I proceed?

--
Re: [clamav-users] Antispam with Clamav whitelist
Hi there,

On Mon, 25 Nov 2019, Marcelo Leães via clamav-users wrote:

> I need to set up a whitelist with email addresses or wildcards with
> domains that...

Your requirements are unclear, please clarify. Are you intending to
use ClamAV only for scanning mail, and if so do you wish to prevent
scanning for certain senders? If so, then there are ways to do what
you are asking, although I'm not sure that I would recommend it.

> ... should not be verified by Clamav.

I understand that you may not be writing in your first language.

ClamAV does not 'verify' email addresses nor domains, but it can look
into links which it finds in mail. Again, I'm not sure that I would
generally recommend that.

> I couldn't find any documentation available, how should I proceed?

All the documentation is available on the ClamAV Website, and if you
install ClamAV on a computer, much of it will be installed there too.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Antispam with Clamav whitelist
I'm sorry for my English; I'm using a translator.

I use an antispam solution called Mailcleaner that comes with Clamav as
antivirus to scan incoming emails.

I need to block macros in received Word and Excel documents, but some
senders need to be released from this check.

Is it possible to have an exception list so that no emails or domains
are verified, for example:

user@domain.com
@ domain.net

?


---


On 25/11/2019 05:10 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 25 Nov 2019, Marcelo Leães via clamav-users wrote:
>
>> I need to set up a whitelist with email addresses or wildcards with
>> domains that...
>
> Your requirements are unclear, please clarify. Are you intending to
> use ClamAV only for scanning mail, and if so do you wish to prevent
> scanning for certain senders? If so, then there are ways to do what
> you are asking, although I'm not sure that I would recommend it.
>
>> ... should not be verified by Clamav.
>
> I understand that you may not be writing in your first language.
>
> ClamAV does not 'verify' email addresses nor domains, but it can look
> into links which it finds in mail. Again, I'm not sure that I would
> generally recommend that.
>
>> I couldn't find any documentation available, how should I proceed?
>
> All the documentation is available on the ClamAV Website, and if you
> install ClamAV on a computer, much of it will be installed there too.
>
> --
>
> 73,
> Ged.
Re: [clamav-users] Antispam with Clamav whitelist
I don't think that *not* scanning email from certain senders is a good
idea. You may trust the person, but that doesn't mean you should trust
their computer, or, for that matter, the relay computers which forward
the email to you. (This is relevant since any TLS applies only to the
individual hops -- it isn't usually end-to-end.)

Think of it like diseases: you may fully trust your friends, but your
friends could still pass on any colds or flu they might have before
their symptoms become obvious.


On Mon, 25 Nov 2019 17:39:00 -0300
Marcelo Leães via clamav-users <clamav-users@lists.clamav.net> wrote:

> I'm sorry for my English; I'm using a translator.
>
> I use an antispam solution called Mailcleaner that comes with Clamav
> as antivirus to scan incoming emails.
>
> I need to block macros in received Word and Excel documents, but some
> senders need to be released from this check.
>
> Is it possible to have an exception list so that no emails or domains
> are verified, for example:
>
> user@domain.com
> @ domain.net
>
> ?
Re: [clamav-users] Antispam with Clamav whitelist
Of course, I understand perfectly.
But salespeople use a lot of spreadsheets with macro automation.

I cannot impact the customer's business by blocking everything.
Some reliable senders need to be kept released.

Just as every day I receive multiple emails from other destinations with
spreadsheets and doc files clearly meant to exploit vulnerabilities.

Is there an option to implement this whitelist?


---


On 25/11/2019 07:47 PM, Paul Kosinski via clamav-users wrote:
> I don't think that *not* scanning email from certain senders is a good
> idea. You may trust the person, but that doesn't mean you should trust
> their computer, or, for that matter, the relay computers which forward
> the email to you. (This is relevant since any TLS applies only to the
> individual hops -- it isn't usually end-to-end.)
>
> Think of it like diseases: you may fully trust your friends, but your
> friends could still pass on any colds or flu they might have before
> their symptoms become obvious.
Re: [clamav-users] Antispam with Clamav whitelist
Can "Mailcleaner" be configured to let the emails through with a
warning appended if ClamAV finds a problem, rather than simply blocking
them? That would perhaps be safer than simply letting them through.

For example, we use procmail and clamscan-procfilter.pl (which I
modified a bit from the original) on our server to scan for viruses.
This filter simply adds a header line to the email if ClamAV found a
virus. Then a procmail rule blocks the email if there was a virus. In
your case, you could allow the email (but leave the warning) if it came
from your important sender (as determined by another procmail rule).

This might be a better approach as you would be informed if any emails
came from your important sender that *do* contain an apparent virus
(assuming hardly any do in fact contain possible viruses).


On Mon, 25 Nov 2019 19:56:27 -0300
Marcelo Leães via clamav-users <clamav-users@lists.clamav.net> wrote:

> Of course, I understand perfectly.
> But salespeople use a lot of spreadsheets with macro automation.
>
> I cannot impact the customer's business by blocking everything.
> Some reliable senders need to be kept released.
>
> Just as every day I receive multiple emails from other destinations
> with spreadsheets and doc files clearly meant to exploit vulnerabilities.
>
> Is there an option to implement this whitelist?
Re: [clamav-users] Antispam with Clamav whitelist
Macro detection appears to be experimental in MailCleaner. There is no
configuration in the web interface that allows bypass or any other
adjustment.

According to the logs, CLAMD rejects messages arriving with attached
macros at the SMTP level.

Filtering Engine:
Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./1iZK2u-0006hg-Bs/vbaProject.bin
Nov 25 16:29:18 antispam MailScanner[10768]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./1iZK2u-0006hg-Bs/QCE 2019 - v1.3.xlsm
Nov 25 16:29:18 antispam MailScanner[10768]: Infected message 1iZK2u-0006hg-Bs came from 209.85.167.170



---


On 25/11/2019 09:01 PM, Paul Kosinski via clamav-users wrote:
> Can "Mailcleaner" be configured to let the emails through with a
> warning appended if ClamAV finds a problem, rather than simply blocking
> them? That would perhaps be safer than simply letting them through.
>
> For example, we use procmail and clamscan-procfilter.pl (which I
> modified a bit from the original) on our server to scan for viruses.
> This filter simply adds a header line to the email if ClamAV found a
> virus. Then a procmail rule blocks the email if there was a virus. In
> your case, you could allow the email (but leave the warning) if it came
> from your important sender (as determined by another procmail rule).
>
> This might be a better approach as you would be informed if any emails
> came from your important sender that *do* contain an apparent virus
> (assuming hardly any do in fact contain possible viruses).

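The tag-then-decide approach suggested earlier in the thread, applied to the Heuristics.OLE2.ContainsMacros verdict from the log above, as an added example that is not code from any poster, MailCleaner or ClamAV. The X-Virus-Status header format, the X-Macro-Warning header, the subject tag and all function names are assumptions; it goes one step beyond the suggestion by letting allowlisted senders bypass only the macro heuristic, never any other detection.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not MailCleaner or ClamAV settings):
VERDICT_HEADER = "X-Virus-Status"      # header the scanning filter adds
WARNING_HEADER = "X-Macro-Warning"     # header this policy adds on delivery
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"  # name seen in the log excerpt
# Exception list in the form asked about in the thread: address or "@domain".
ALLOWLIST = {"user@domain.com", "@domain.net"}

# Constructed sample messages; "Example.Constructed.Malware" is a made-up name.
SAMPLE_MACRO = (
    "From: Sales <user@domain.com>\n"
    "Subject: Q4 price list\n"
    "X-Virus-Status: Infected (Heuristics.OLE2.ContainsMacros)\n"
    "\nSpreadsheet attached.\n"
)
SAMPLE_MALWARE = SAMPLE_MACRO.replace(MACRO_HEURISTIC, "Example.Constructed.Malware")
SAMPLE_CLEAN = SAMPLE_MACRO.replace("Infected (" + MACRO_HEURISTIC + ")", "Clean")


def sender_allowed(envelope_from, allowlist=ALLOWLIST):
    """Exact address or exact domain match; no suffix or substring matching."""
    addr = parseaddr(envelope_from)[1].lower()
    if addr.count("@") != 1:
        return False
    return addr in allowlist or "@" + addr.split("@")[1] in allowlist


def detections(msg):
    """Signature names from every verdict header of the form 'Infected (NAME)'."""
    names = []
    for value in msg.get_all(VERDICT_HEADER, []):
        value = value.strip()
        if value.startswith("Infected (") and value.endswith(")"):
            names.append(value[len("Infected ("):-1])
    return names


def decide(raw_message, envelope_from):
    """Return (action, message); action is deliver, deliver-with-warning or block."""
    msg = message_from_string(raw_message)
    found = detections(msg)
    if not found:
        return "deliver", msg
    # Only the macro heuristic may be waived; any other detection still blocks.
    if set(found) == {MACRO_HEURISTIC} and sender_allowed(envelope_from):
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "[MACRO WARNING] " + subject
        msg[WARNING_HEADER] = MACRO_HEURISTIC + " waived by sender allowlist"
        return "deliver-with-warning", msg
    return "block", msg


if __name__ == "__main__":
    for raw, sender in [(SAMPLE_MACRO, "user@domain.com"),
                        (SAMPLE_MACRO, "stranger@elsewhere.example"),
                        (SAMPLE_MALWARE, "user@domain.com"),
                        (SAMPLE_CLEAN, "stranger@elsewhere.example")]:
        print(sender, "->", decide(raw, sender)[0])
```

Pass the SMTP envelope sender rather than the From: header; neither is authenticated on its own, which is why every waived message keeps its warning.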
Re: [clamav-users] Antispam with Clamav whitelist
Hi there,

On Mon, 25 Nov 2019, Marcelo Leães via clamav-users wrote:

> Macro detection appears to be experimental in MailCleaner. There is no
> configuration in the web interface that allows bypass or any other
> adjustment.
> ...

ClamAV includes a milter (unsurprisingly called 'clamav-milter') which
(if you use Sendmail, or perhaps Postfix) can be used to scan mail as
it arrives by passing the mail to a 'clamd' daemon. It is more like
a programmer's tool than a user's tool.

Clamav-milter has a facility which may at least go some way toward
doing what you want. See the man page for clamav-milter, which is
available online and from the ClamAV installation files.

I understand from your mail that MailCleaner uses clamd to scan mail,
but I do not know whether MailCleaner uses clamav-milter or not. If
it does, I guess that it would not be too difficult to reconfigure the
milter to do something like what you want. If MailCleaner does not
use clamav-milter, I guess you could reconfigure your mail server to
use it independently of MailCleaner, although that might take quite a
substantial effort.

If all else fails I have a milter which replaces clamav-milter, and
which will do whatever you want. I have been running it for several
years, but only with Sendmail. It would be a leap of faith on your
part to try to use it, and I would need to ask some questions about
your systems and their workloads to estimate the performance which
might be achieved.

As I and others have already said, to avoid scanning mail from certain
sources is to increase the available attack surface, which is already
much too big for comfort.

Please ask for clarification if I am difficult to understand. The mail
address which I use for this list rejects mail which is not sent by the
list server.

--

73,
Ged.
