Help with how to remove file from clamav/clamscan when I've determined it's safe

NethServer 7.9.2009
CLAMAV - fully up to date as of July 15, 2021

Hello @support_team or @stephdl,

Daily I receive an email of my clamscan report which identifies for me the scanned emails that are in Quarantine. I have a regular task whereby I investigate each email and determine if the email should be deleted or kept.

I’ve come across an email that was flagged in Quarantine with a matched rule of:

Heuristics.Phishing.Email.SSL-Spoof

I’ve determined that this email is legitimate and will be kept (not deleted). How do I tell Clamav to ignore this email the next time it runs? I’m not seeing in clamscan an obvious way to identify specific mail to have them ignored.

Thank you.

Heuristics are known for false positives. You should read the clamscan documentation and point us to how to make an ignore list; I am not sure it is possible. If yes, I could maybe start to code, but not yet.

In fact we could exclude a list of files. Maybe a file in quarantine could be restored, or restored and ignored.

No time and no hardware yet to do it.

I am scared of the lines to add :wink:

Hello @stephdl,

Thanks very much for this reply.

So Clamscan works in that it can identify suspect files on my Nethserver but we have no ability yet to remove files determined to be safe? I’m curious how others on the Nethserver community are using clamscan for their security review? Do you clean up what is an infected file/mail and just leave the good items?

I’m not a developer so unfortunately I can suggest how to help. I very much appreciate your answering my post Stephane but it appears clamscan is missing some features that will make it very useful.

Thank you.

2 Likes

I think you are not alone, let me check it makes sense for me to make an exclusion

1 Like

On stage, I will make the feature to exclude valid files.

The process will be:

  • scan the folders
  • move to quarantine
  • in quarantine, two options for each file: recover (you can go to quarantine the next time) or exclusion (recover and mark the file as safe to be excluded)

What do you think?

1 Like

Actually it exists, but only in a manual way; see the screenshot, you have a textarea.

2 Likes

Released.

Once the file is recovered, the path is added to the textarea of file/folder exclusion.

3 Likes

Hello @stephdl,

I apologize for the delay in responding to your posts. But I think the direction you are going will greatly help Nethserver be able to use Clamscan to keep our mail and documents safe!

But if you may, please confirm for me that the changes you are making will add to the Quarantine page two new options to either restore the files and recover/exclude files from further scans. This would be perfect for the use case I brought up initially!

Can you confirm though how I update clamav on my nethserver? I have a test nethserver and I’ve received an email regarding how to update your repo using the following command:

yum update --enablerepo=stephdl

But I don’t know the command I need to use to add your new code changes to my clamscan on my test nethserver?

Thank you.

1 Like

To update, whether a test or production server

In fact the quarantine page gets two buttons for each file, recover or recover&exclude. If excluded, you add the file to the textarea on the first page of clamscan.

1 Like