Discussion:
[clamav-users] Whitelisting extensions for virus scan
Johnny Time
2018-10-26 13:34:17 UTC
Hi Folks,

We use ClamAV and we wonder if we can whitelist some extensions on our
virus scan?

For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the other extensions.

Best regards,

Kris Deugau
2018-10-26 14:11:35 UTC
Post by Johnny Time
> Hi Folks,
> We use ClamAV and we wonder if we can whitelist some extensions on our
> virus scan?
> For example, we wanted to authorize only a white list which contains
> *.doc,*.xls,*.pdf and ban the other extensions.

If you're looking to block all files except a limited set of extensions,
this is probably better done a layer up in your mail flow. I call Clam
from MIMEDefang, for instance, so I would configure MIMEDefang to reject
mail that has any other file types attached.

However, the three you've listed can all contain malware; you really
don't want to *skip* scanning those.

-kgd
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Tilman Schmidt
2018-10-29 15:46:52 UTC
Post by Johnny Time
> For example, we wanted to authorize only a white list which contains
> *.doc,*.xls,*.pdf and ban the other extensions.

Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office filetypes.
You don't want to let those pass, at least not without rigorous examination.

Cheers,
Tilman

Kris Deugau
2018-10-29 16:33:19 UTC
Post by Tilman Schmidt
> Post by Johnny Time
>> For example, we wanted to authorize only a white list which contains
>> *.doc,*.xls,*.pdf and ban the other extensions.
> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
> You don't want to let those pass, at least not without rigorous examination.

In my experience, the new ones aren't any better.

-kgd
Jerry
2018-10-29 17:08:29 UTC
Post by Kris Deugau
> Post by Tilman Schmidt
>> Post by Johnny Time
>>> For example, we wanted to authorize only a white list which contains
>>> *.doc,*.xls,*.pdf and ban the other extensions.
>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>> You don't want to let those pass, at least not without rigorous examination.
> In my experience, the new ones aren't any better.

We have a steady flow of "*.doc", "*.docx", "*.xlsx" and "*.pdf" files
exchanged with other offices. I have not seen a virus in any of them since
2010. Seems like you might be doing business with the wrong type of people.
--
Jerry


Matus UHLAR - fantomas
2018-10-29 17:40:05 UTC
Post by Jerry
> Post by Kris Deugau
>> Post by Tilman Schmidt
>>> Post by Johnny Time
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous examination.
>> In my experience, the new ones aren't any better.

thus, they should be checked and quarantined/refused.

Post by Jerry
> We have a steady flow of "*.doc", "*.docx", "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.

wrong people may send viruses to random recipients, spreading viruses over
the world.
Happens for years...
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Kris Deugau
2018-10-29 17:47:09 UTC
Post by Jerry
> We have a steady flow of "*.doc", "*.docx", "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.

I work for an ISP, managing our mail filtering services.

There are certainly legitimate Office document files being sent around,
but there are plenty of malicious ones coming in too, and the "new"
types are no guarantee the file is safe. I certainly wouldn't exclude
them from scanning.

-kgd
Al Varnell
2018-10-29 23:34:41 UTC
I have been seeing malware a .doc "resumé" delivered by e-mail to the ClamXAV help desk several times a week recently.

-Al-

Post by Jerry
> Post by Kris Deugau
>> Post by Tilman Schmidt
>>> Post by Johnny Time
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous examination.
>> In my experience, the new ones aren't any better.
> We have a steady flow of "*.doc", "*.docx", "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.

Tilman Schmidt
2018-10-30 12:46:21 UTC
Post by Kris Deugau
> Post by Tilman Schmidt
>> Post by Johnny Time
>>> For example, we wanted to authorize only a white list which contains
>>> *.doc,*.xls,*.pdf and ban the other extensions.
>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>> You don't want to let those pass, at least not without rigorous
>> examination.
> In my experience, the new ones aren't any better.

The "*m" ones (with macros) certainly aren't, but the "*x" ones (without
macros) have so far never caused any trouble at our site.
So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in
quarantine, only releasing them upon request after manual inspection,
but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.

T.
Kris Deugau
2018-10-30 15:15:41 UTC
Post by Tilman Schmidt
> Post by Kris Deugau
>> Post by Tilman Schmidt
>>> Post by Johnny Time
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous
>>> examination.
>> In my experience, the new ones aren't any better.
> The "*m" ones (with macros) certainly aren't, but the "*x" ones (without
> macros) have so far never caused any trouble at our site.
> So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in
> quarantine, only releasing them upon request after manual inspection,
> but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.

I don't care enough to dig up what the formal spec (such as may exist)
for these files is, but I see a regular trickle of .docx and a handful
of .xlsx files that pop up a warning in OpenOffice about macros. I
don't think I've seen any .docm or .xlsm for a while.

Personally I'd be quite happy to ban them all outright, but customers
get a little grouchy when they can't send or receive documents to their
contacts...

We scan them all, quarantine the ones that hit a signature, add local
signatures as malicious examples get reported, use a handful of
third-party signatures, and advise customers to make sure they keep an
up-to-date antivirus package on their system - if only to make sure
they're also protected against non-email malware.

-kgd
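
The attachment policy discussed in this thread (reject types outside an allowlist, quarantine *.doc, *.xls, *.docm and *.xlsm, pass *.docx, *.xlsx and *.pdf only after a clean scan), sketched as an added example that is not code from any poster or from ClamAV. It also covers the .docx-with-macros case mentioned above by looking inside the file rather than trusting its name. The function names are hypothetical, the ClamAV verdict is assumed to arrive as a boolean from elsewhere, and the check relies on OOXML files being ZIP containers that keep VBA macros in a part named vbaProject.bin.

```python
import io
import zipfile

# Policy from the thread: legacy and macro-enabled Office types are held
# for manual inspection; .docx/.xlsx/.pdf pass only after a clean scan.
QUARANTINE_EXT = {".doc", ".xls", ".docm", ".xlsm"}
PASS_IF_CLEAN_EXT = {".docx", ".xlsx", ".pdf"}
OOXML_EXT = {".docx", ".xlsx"}


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a ZIP container holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def decide(filename: str, data: bytes, scan_clean: bool) -> str:
    """Return 'reject', 'quarantine' or 'deliver' for one attachment.

    scan_clean is the ClamAV verdict, obtained elsewhere (assumption).
    """
    if not scan_clean:
        return "quarantine"          # a signature hit always wins
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext in QUARANTINE_EXT:
        return "quarantine"
    if ext not in PASS_IF_CLEAN_EXT:
        return "reject"              # not on the allowlist
    if ext in OOXML_EXT:
        # The extension claims "no macros"; verify that against the content.
        if not zipfile.is_zipfile(io.BytesIO(data)) or has_vba_project(data):
            return "quarantine"
    return "deliver"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP that only mimics OOXML part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```
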