Thread: Exclusions to Zimbra anti-virus

  1. #1
    Join Date
    Jul 2008
    Location
    Richmond Hill, Ontario, Canada
    Posts
    58
    Rep Power
    7

    Exclusions to Zimbra anti-virus

    If an email attachment got scanned as a virus, and the file did not have a
    virus in it, how do you exclude email addresses or add exclusions to the
    anti-virus that Zimbra is using?

  2. #2
    Join Date
    Jul 2008
    Location
    Richmond Hill, Ontario, Canada
    Posts
    58
    Rep Power
    7

    Any thoughts on this one, or reference points?

  3. #3
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Not really sure what you are asking?

  4. #4
    Join Date
    Jul 2008
    Location
    Michigan, USA
    Posts
    42
    Rep Power
    7

    Was this a one-time occurrence? If so, I probably wouldn't worry too much about it.

    I don't think there is a way to "white list" a particular email address from being scanned for viruses. You can turn off specific file type checking, but I wouldn't recommend that.

    If you have attachments with macros or other script / exe types and those are normally blocked, try zipping them into password-protected zip files and turn off blocking of encrypted archives.

  5. #5
    Join Date
    Jan 2008
    Location
    Pretoria
    Posts
    133
    Rep Power
    7

    I think that you can check the clamav signature database for the offending signature and then query the clamav people to see why it was added as a virus. There are plenty of docs on the web to show you how to do it, as well as the clamav documentation.

  6. #6
    Join Date
    Jul 2008
    Location
    Richmond Hill, Ontario, Canada
    Posts
    58
    Rep Power
    7

    To clarify, we have a backup file that is encrypted/zipped, and Zimbra's anti-virus sees it as a threat. Is there a way to make an exclusion for files being sent from a particular address? Example: All files sent from example@domain.com are safe. Something along those lines. If a file is labeled a virus, is it put into a quarantine? If so, is there a way to access the file after?

    So, basically we're trying to receive a file from an email address that is labeled a virus, but it is not.

  7. #7
    Join Date
    Jan 2008
    Location
    Pretoria
    Posts
    133
    Rep Power
    7

    Originally posted by Amin Kardan:
    > To clarify, we have a backup file that is encrypted/zipped, and Zimbra's anti-virus sees it as a threat. Is there a way to make an exclusion for files being sent from a particular address? Example: All files sent from example@domain.com are safe. Something along those lines. If a file is labeled a virus, is it put into a quarantine? If so, is there a way to access the file after?
    >
    > So, basically we're trying to receive a file from an email address that is labeled a virus, but it is not.

    I am not sure that this is possible with clamav. Neither is there an option to retrieve quarantined messages. The first thing to do is check why it is being trapped as a virus. What do the logs say?

  8. #8
    Join Date
    Jul 2008
    Location
    Richmond Hill, Ontario, Canada
    Posts
    58
    Rep Power
    7

    Which logs, and where can I locate them? I'm new to Zimbra; a step in the right direction would be appreciated.

  9. #9
    Join Date
    Jul 2008
    Location
    Michigan, USA
    Posts
    42
    Rep Power
    7

    Originally posted by Amin Kardan:
    > To clarify, we have a backup file that is encrypted/zipped, and Zimbra's anti-virus sees it as a threat. Is there a way to make an exclusion for files being sent from a particular address? Example: All files sent from example@domain.com are safe. Something along those lines. If a file is labeled a virus, is it put into a quarantine? If so, is there a way to access the file after?
    >
    > So, basically we're trying to receive a file from an email address that is labeled a virus, but it is not.

    The problem is that when ClamAV is unable to scan a file because it can't get past the password, it will automatically quarantine that file as a potential threat.

    In your case the easiest way to get around this is to go to your Global Options and uncheck the "block encrypted archives". This will allow all password-protected zip files to get in.

    I do not believe you can "whitelist" an email or a domain. However, even if you could, it would be VERY dangerous to do that, even if you completely trust that email or domain.

  10. #10
    Join Date
    Jan 2008
    Location
    Pretoria
    Posts
    133
    Rep Power
    7

    I think that it would be beneficial to understand how Zimbra is made up: what components are put together to produce the overall platform. The anti-virus component is Clam antivirus. Clam antivirus is a signature-based virus definition application. This means that when a virus is identified it is given a unique signature and added to the definition database. Every mail that comes in has its attachments' signature checked against the definition database. If there is a match then clamav thinks that it is a virus. This in turn tells postfix (via amavis) to reject the incoming message. Clamav comes with a series of tools and libraries to allow you to interrogate the definition database as well as a signature tool, and if I am not mistaken you can identify the signature of your mail and remove it from the database. Or you can use clamav's web-based tools to upload the mail and let it report why it is being trapped. It could also have something to do with max compression ratios or recursive archiving because it is a zip file, but unless you look at the logs you will not know.

    Edit the file /opt/zimbra/clamav/etc/clamd.conf:

        # Uncomment this option to enable logging.
        # LogFile must be writable for the user running daemon.
        # A full path is required.
        # Default: disabled
        #LogFile /tmp/clamd.log

    Uncomment LogFile and restart the MTA.
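
Added example (not part of any post above, and not Zimbra or ClamAV code): once LogFile is enabled as described in post #10, the detection name on each FOUND line shows whether a message was stopped by the encrypted-archive policy from post #9, by a scan limit, or by a signature-database match. The log lines, paths and the name Example.Trojan-1 are constructed; the Encrypted.*, Oversized.* and Heuristics.Limits.Exceeded patterns are assumed ClamAV detection names to confirm against your own log.

```bash
#!/usr/bin/env bash
# Added example. Classifies clamd "FOUND" log lines by detection name so a
# policy block (encrypted archive, scan limit) is not mistaken for malware.

# Constructed sample in clamd's "<timestamp> -> <path>: <name> FOUND" layout.
# Paths and Example.Trojan-1 are made up for illustration.
sample_log() {
  cat <<'EOF'
Mon Jul 21 10:15:01 2008 -> /tmp/sample/msg-0001/parts/p002: Encrypted.Zip FOUND
Mon Jul 21 10:20:44 2008 -> /tmp/sample/msg-0002/parts/p003: Example.Trojan-1 FOUND
Mon Jul 21 10:21:09 2008 -> SelfCheck: Database status OK.
Tue Jul 22 02:00:12 2008 -> /tmp/sample/msg-0003/parts/p002: Encrypted.Zip FOUND
Tue Jul 22 09:30:00 2008 -> /tmp/sample/msg-0004/parts/p001: Heuristics.Limits.Exceeded FOUND
EOF
}

# Reads clamd log text from the named files (or stdin) and prints
# "<kind> TAB <detection name> TAB <count>", sorted.
#   encrypted-archive-policy : archive could not be opened (password protected)
#   scan-limit               : size, compression-ratio or recursion limit hit
#   signature-match          : name comes from the signature database
classify_detections() {
  awk '
    / FOUND$/ {
      name = $(NF - 1)   # detection name is the field just before "FOUND"
      if (name ~ /^Encrypted\./ || name ~ /\.Encrypted\./)
        kind = "encrypted-archive-policy"
      else if (name ~ /^Oversized\./ || name ~ /Limits\.Exceeded/)
        kind = "scan-limit"
      else
        kind = "signature-match"
      count[kind "\t" name]++
    }
    END { for (k in count) print k "\t" count[k] }
  ' "$@" | LC_ALL=C sort
}

# On a server: classify_detections /tmp/clamd.log  (the LogFile path shown above)
sample_log | classify_detections
```

Only the signature-match rows point at a database signature worth looking up or reporting as a false positive; the other two kinds are configuration decisions.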
