Exclude sender domains from clam-av? RSS

1

Hello,

We have clam-av set up and functioning very well for many years. Now, a big client of ours sends a weekly excel file, which always trips clam-av. This delays the excel file from getting to the end users, it's dumped into a review mailbox for human eyes to see.

I have whitelisted the sender domain in ORF, but clam-av (external agent blacklist) still blocks it and causes it to be redirected for review.

How can i whitelist a sender domain, or otherwise stop clam-av from triggering off this excel file?

Note: the client is sending a .xlsm file, macro-enabled excel document. We can't make the sender change their format.

by Bryon 1 month ago
2

@Bryon: Hello Bryon,

The 'External Agents' test is one of the filters that takes precedence over most of the whitelist tests of ORF by default – more on this at https://vamsoft.com/r?o-hto-adm-whitelisttestexceptions. This means that any external agent that is connected to ORF can blacklist an incoming email before a whitelist test could exclude it from filtering. This can be changed, however, by clearing the 'External Agents Test' checkbox in the Whitelist Test Exceptions dialog (Filtering > Tests > Whitelist Test Exceptions > Configure – at the bottom of the page), in the 'ORF Administration Tool'. You will also have to save the configuration in order to apply the new settings ('Ctrl + S' or 'File > Save Configuration').

Note that the change described above will affect all external agents and most of the whitelists tests, so you should make sure that you are okay with whitelisted emails being exempted from external agent tests.

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)

3

Thank you for such a clear response, this looks like it will work perfectly..

I also found a setting in the clam-av configuration file where i can exclude OLE macros from testing inside of clam-av.

I like your setting better because there's less of a chance that a whitelisted sender will send something malicious, it's more likely that an unknown sender will send an infected macro office document

ORF is by far the best product we've ever purchased, hands down.

by Bryon 1 month ago
4

@Bryon: Thank you for the compliment Byron, it is always a pleasure to receive positive feedback on our work :)

ClamAV can certainly block OLE files that contain macros (though, this feature is disabled by default), but it can do even more. If you are interested, you can explore additional ClamAV configuration options at http://linux.die.net/man/5/clamd.conf

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed