Clamav, false positive. How can I allow-whitelist the signature?

NethServer Version: NethServer release 7.9.2009 (final)
Module: antivirus (clamav)

Success in the year 2023!

For several days (end of December), clamav has been detecting certain attachments (PDF) with viruses…

Today I managed to have the files sent to Gmail and I was able to download and scan them with the antivirus in virustotal, forticlient(web scan) and in windows; in all of these the result was negative.

I’m following this thread : Clamav antivirus false positive?

In the GUI disable and reactivate the antivirus:

Then I create/added this signature on whitelist:

cat /var/lib/clamav/whitelist.ign2

But I still got this Error:

Sending of the message failed.
An error occurred while sending mail. The mail server responded: clamav: virus found: “TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL”. Please check the message and try again.

How can I be sure that the whitelist is working?

Regards and thanks.

From the logs

Jan  4 14:28:30 em clamd[6775]: instream(local): TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL FOUND
Jan  4 14:28:30 em rspamd[9941]: <592697>; lua; common.lua:110: clamav: result - virusfound: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL - score: 1"
Jan  4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_add_passthrough_result: <>: set pre-result to 'reject' (no score): 'clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL"' from clamav(1)
Jan  4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_task_write_log: id: <>, qid: <E5759F24AC>, ip:, user: user1, from: <>, (default: T (reject): [91.12/20.00] [CLAM_VIRUS(90.00){TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL;},R_MIXED_CHARSET(1.25){subject;},GENERIC_REPUTATION(-0.52){-0.52944943431786;},R_PARTS_DIFFER(0.50){100.0%;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},FREEMAIL_ENVRCPT(0.00){;},FREEMAIL_TO(0.00){;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_ORG_HEADER(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 143477, time: 305.239ms, dns req: 0, digest: <1e70bf0770dea8d3552e92f748f53b36>, rcpts: <>, mime_rcpts: <>, forced: reject "clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL""; score=nan (set by clamav), settings_id: authenticated
Jan  4 14:28:30 em rspamd[9941]: <592697>; proxy; rspamd_protocol_http_reply: regexp statistics: 65 pcre regexps scanned, 6 regexps matched, 172 regexps total, 14 regexps cached, 2.81KiB scanned using pcre, 2.81KiB scanned total
Jan  4 14:28:30 em postfix/cleanup[12665]: E5759F24AC: milter-reject: END-OF-MESSAGE from unknown[]: 5.7.1 clamav: virus found: "TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL"; from=<> to=<> proto=ESMTP helo=<[]>
Jan  4 14:28:30 em rspamd[9941]: <a31909>; proxy; proxy_milter_finish_handler: finished milter connection

Try it without adding the trailing .UNOFFICIAL to the signature name.
For YARA signatures, also exclude YARA from the beggining of the signature name.

You can manually run clamscan -i targetfile (where target file is a false positive for the specific signature you are whitelisting) and check that the whitelisted signature is no longer reported.

1 Like

I check the file and got this:

/root/A-2025.pdf: TwinWave.EvilPDF.QakySoWaky.221221.UNOFFICIAL FOUND

Then I added three variants of the signature, but I can’t get the antivirus to ignore them:

cat /var/lib/clamav/whitelist.ign2                                                

Maybe I need to do something else to force clamav to read this file, apart of turn off the antivirus in Mail / Filter / Antivirus?

Scratch that
I close the mail and redact a new one, this time the mail was sent.

Now I need to check what line was the correct one I write four:

cat /var/lib/clamav/whitelist.ign2

Thank you @dnutan

restart the related service

1 Like