
If you have deployed ClamAVPlugin and now you want to get a different score based on threat type, you can replace your with the following version.

Security Warning

Note that ClamAV reports only one threat type per email, even if the email contains several threats. If you assign different scores to different threats, you may get only the lowest of those scores, leading to email bypass! For example, if you set a score of 20.0 for virus and a score of 2.0 for MSRBL and an email has both, you could get only the 2.0 score!

Scores should take ClamAV priorities into account:

  • phishing signatures have a higher priority than phishing heuristics;
  • TODO: find and add other priorities in ClamAV.


loadplugin ClamAV
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001

# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_PHISH_HEUR X-Spam-Virus =~ /Yes.{1,30}Phishing\.Heuristics\.Email/
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/
header __CLAMAV_VX X-Spam-Virus =~ /Yes.{1,30}VX\./

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH 9999
priority __CLAMAV_PHISH_HEUR 9999
priority __CLAMAV_SANE 9999
priority __CLAMAV_MBL 9999
priority __CLAMAV_MSRBL 9999
priority __CLAMAV_VX 9999

# Work out what ClamAV detected and score accordingly

# ClamAV general signatures
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0

# ClamAV phishing signatures
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0

# ClamAV phishing with heuristic engine (not signatures based, may lead to false positives)
# Available since ClamAV 0.91
describe CLAMAV_PHISH_HEUR Phishing email found by ClamAV heuristic engine

# ClamAV SaneSecurity signatures from
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

# ClamAV MBL signatures from
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

# ClamAV MSRBL signatures from
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0

# ClamAV VX malware signatures from
describe CLAMAV_VX Malware found by VX signatures
score CLAMAV_VX 5.0
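
To check the effect described in the Security Warning against your own scores, the following added example (not part of the original page or of ClamAVPlugin) replays this page's header patterns over constructed threat names and reports the lowest and highest ClamAV score a multi-threat message can receive. The `Yes (<name>)` header layout, the precedence used when several patterns match, and the threat names are assumptions; only the ClamAV rules are considered, not the rest of the SpamAssassin score.

```python
import re

# Header patterns copied from this page's rules (Perl /i -> re.IGNORECASE).
# Dict order is the ASSUMED precedence when several patterns match.
SUBRULES = {
    "PHISH_HEUR": re.compile(r"Yes.{1,30}Phishing\.Heuristics\.Email"),
    "SANE": re.compile(r"Yes.{1,30}Sanesecurity", re.I),
    "MBL": re.compile(r"Yes.{1,30}MBL"),
    "MSRBL": re.compile(r"Yes.{1,30}MSRBL"),
    "VX": re.compile(r"Yes.{1,30}VX\."),
    "PHISH": re.compile(r"Yes.{1,30}Phishing", re.I),
}

# Scores from this page. CLAMAV_PHISH_HEUR has no score line there, so it
# gets 1.0, SpamAssassin's default for a rule without an explicit score.
SCORES = {
    "CLAMAV_VIRUS": 20.0, "CLAMAV_PHISH": 10.0, "CLAMAV_PHISH_HEUR": 1.0,
    "CLAMAV_SANE": 7.5, "CLAMAV_MBL": 7.5, "CLAMAV_MSRBL": 2.0,
    "CLAMAV_VX": 5.0,
}

def scored_rule(header_value):
    """Map one X-Spam-Virus value to the rule that would score it."""
    if not header_value.startswith("Yes"):
        return None  # assumed: any other value means nothing was detected
    for name, pattern in SUBRULES.items():
        if pattern.search(header_value):
            return "CLAMAV_" + name
    return "CLAMAV_VIRUS"  # detected, but no specific type matched

def score_range(threat_names):
    """ClamAV reports one name per message: return (lowest, highest) score
    the message can get depending on which threat is reported."""
    scores = [SCORES[scored_rule(f"Yes ({n})")] for n in threat_names]
    return min(scores), max(scores)

def bypass_risk(threat_names, required_score=5.0):
    """True if the message is caught or missed depending on the report.
    5.0 is SpamAssassin's default required_score."""
    low, high = score_range(threat_names)
    return low < required_score <= high

if __name__ == "__main__":
    # Constructed sample: a default-signature hit plus an MSRBL hit.
    sample = ["Eicar-Test-Signature", "MSRBL-SPAM.Constructed.1"]
    print(score_range(sample), bypass_risk(sample))
```
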