Mailing List Archive: ClamAV: users

exceptions where?



lconrad at Go2France

Aug 14, 2009, 6:53 AM

Post #1 of 7 (1225 views)
exceptions where?

All my users' headline alerts from NYTIMES.com got blocked for:

status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain

... this filter is also catching true positives, so we'd like to keep it.

In the man pages for clamd and clamsmtpd, I can't find any doc on whitelisting, although clamsmtpd console logs "empty" for 3 lists at startup.

thanks
Len





_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


lconrad at Go2France

Aug 14, 2009, 9:25 AM

Post #2 of 7 (1156 views)
Re: exceptions where? [In reply to]

---------- Original Message ----------------------------------
From: "Len Conrad" <lconrad [at] Go2France>
Reply-To: ClamAV users ML <clamav-users [at] lists>
Date: Fri, 14 Aug 2009 15:53:44 +0200

>
>All my users' headline alerts from NYTIMES.com got blocked for:
>
>status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain
>
>... this filter is also catching true positives, so we'd like to keep it.
>
>In the man pages for clamd and clamsmtpd, I can't find any doc on whitelisting, although clamsmtpd console logs "empty" for 3 lists at startup.
>
>thanks
>Len

I found Ralph's blog page for moving sigs to local.ign, but grep can't find the sig that's giving us FPs:

Phishing.Heuristics.Email.SpoofedDomain

thanks
Len



edwintorok at gmail

Aug 15, 2009, 1:51 AM

Post #3 of 7 (1140 views)
Re: exceptions where? [In reply to]

On 2009-08-14 19:25, Len Conrad wrote:
> ---------- Original Message ----------------------------------
> From: "Len Conrad" <lconrad [at] Go2France>
> Reply-To: ClamAV users ML <clamav-users [at] lists>
> Date: Fri, 14 Aug 2009 15:53:44 +0200
>
>
>> All my users' headline alerts from NYTIMES.com got blocked for:
>>
>> status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain
>>
>> ... this filter is also catching true positives, so we'd like to keep it.
>>
>> In the man pages for clamd and clamsmtpd, I can't find any doc on whitelisting, although clamsmtpd console logs "empty" for 3 lists at startup.
>>
>> thanks
>> Len
>>
>
> I found Ralph's blog page for moving sigs to local.ign, but grep can't find the sig that's giving us FPs:
>
> Phishing.Heuristics.Email.SpoofedDomain

Whitelisting heuristic phishing signatures is done using a .wdb file.
Or you can submit the raw email as a false positive so we can whitelist it.

Best regards,
--Edwin


LConrad at Go2France

Aug 15, 2009, 6:46 AM

Post #4 of 7 (1137 views)
Re: exceptions where? [In reply to]

How can I put

Phishing.Heuristics.Email.SpoofedDomain

... in local.ign, if I can't find it in the files unpacked by sigtool?

thanks
Len




njones at megan

Aug 15, 2009, 9:41 AM

Post #5 of 7 (1135 views)
Re: exceptions where? [In reply to]

Len Conrad wrote:
> How can I put
>
> Phishing.Heuristics.Email.SpoofedDomain
>
> ... in local.ign, if I can't find it in the files unpacked by sigtool?
>
> thanks
> Len
>

Phishing heuristics sigs are not "real" signatures, so your
choices include disabling the phishing heuristics in clamd.conf
(PhishingScanURLs no), or whitelisting the domain that's being
detected as phish.
http://www.clamav.net/doc/latest/phishsigs_howto.pdf

At any rate, you should submit the offending mail as a false
positive. http://www.clamav.net/sendvirus/

-- Noel Jones
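The .wdb whitelist Edwin mentions and the "whitelist the domain" option in Noel's reply, as an added worked example that is not part of this thread or of ClamAV's own code: a small Python model of the SpoofedDomain check (visible link text naming a different host than the href) with a constructed .wdb file that suppresses the match for a legitimate tracking domain while a real spoof is still reported. The X:/M: line format is assumed from the phishsigs_howto Noel links; every domain and the sample mail body are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed .wdb-style whitelist. Line format assumed from phishsigs_howto:
# "X:RealURL:DisplayedURL" and "M:RealHostname:DisplayedHostname", fields are regexes.
WDB = r"""
X:.*link\.nytimes\.com.*:.*nytimes\.com.*
M:links\.example-bank\.com:www\.example-bank\.com
"""

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def load_wdb(text):
    """Parse X:/M: lines into (kind, real_regex, displayed_regex); skip blanks/comments."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            kind, real, shown = line.split(":", 2)
            entries.append((kind, re.compile(real), re.compile(shown)))
    return entries

def host(s):
    """Lower-cased hostname; bare 'www.x.com/y' is treated as an http URL."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def whitelisted(real, shown, entries):
    """X: entries match the whole URLs, M: entries match the two hostnames."""
    return any((k == "X" and r.fullmatch(real) and s.fullmatch(shown)) or
               (k == "M" and r.fullmatch(host(real)) and s.fullmatch(host(shown)))
               for k, r, s in entries)

def spoofed_links(html, wdb_text):
    """Links whose visible text names a different host than the href, minus whitelisted pairs.
    Anchors are pulled with a regex, which is enough for this constructed sample."""
    entries = load_wdb(wdb_text)
    pairs = [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in ANCHOR.findall(html)]
    return [(r, s) for r, s in pairs
            if URL_LIKE.fullmatch(s) and host(s) != host(r) and not whitelisted(r, s, entries)]

# Constructed sample body: a tracked NYTimes link, a real spoof, and a bank's own link.
SAMPLE = ('<a href="http://link.nytimes.com/t?id=1">www.nytimes.com/headlines</a> '
          '<a href="http://evil.example.net/login">www.example-bank.com</a> '
          '<a href="http://links.example-bank.com/stmt">www.example-bank.com</a>')

if __name__ == "__main__":
    print(spoofed_links(SAMPLE, WDB))  # only the evil.example.net link is reported
```

With an empty whitelist all three links are reported, which is the behaviour Len is seeing on the headline alerts; the whitelist narrows that to the genuine spoof without turning PhishingScanURLs off.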


LConrad at Go2France

Aug 16, 2009, 8:57 AM

Post #6 of 7 (1124 views)
Re: exceptions where? [In reply to]

>>How can I put
>>Phishing.Heuristics.Email.SpoofedDomain
>>... in local.ign, if I can't find it in the files unpacked by sigtool?
>>thanks
>>Len
>
>Phishing heuristics sigs are not "real" signatures, so your choices include disable the phishing heuristics in clamd.conf (PhishingScanURLs no

Although Barracudas have passed many phishing emails, and I was hoping clamd in cascade would help, I've had to do "PhishingScanURLs no" in clamd.conf. Way more FPs than TPs, and a nice variety, too. One day, it stopped all nytimes.com headline alerts, and it blocked monthly notices about credit card balances, which looked legit from the content, and from all the Received: headers.

I just caught an FP where one of our DSL users sent to herself, directly to our submission box running clamd, from the IP she successfully POPs from, a .gov job site notice. I guess I'll hear from her soon. :)

Len





lyle at lcrcomputer

Aug 16, 2009, 9:34 AM

Post #7 of 7 (1128 views)
Re: exceptions where? [In reply to]

Len Conrad wrote:
>>> How can I put
>>> Phishing.Heuristics.Email.SpoofedDomain
>>> ... in local.ign, if I can't find it in the files unpacked by sigtool?
>>> thanks
>>> Len
>>>
>> Phishing heuristics sigs are not "real" signatures, so your choices include disabling the phishing heuristics in clamd.conf (PhishingScanURLs no
>>
>
> Although Barracudas have passed many phishing emails, and I was hoping clamd in cascade would help, I've had to do "PhishingScanURLs no" in clamd.conf. Way more FPs than TPs, and a nice variety, too. One day, it stopped all nytimes.com headline alerts, and it blocked monthly notices about credit card balances, which looked legit from the content, and from all the Received: headers.
>
> I just caught an FP where one of our DSL users sent to herself, directly to our submission box running clamd, from the IP she successfully POPs from, a .gov job site notice. I guess I'll hear from her soon. :)
>
> Len
>
>
>
I have a Barracuda in front of a mail server running ClamAV. Phishing in
ClamAV will cause more FPs, IMHO, than it's worth. I do have Phishing
turned off. But ClamAV does find enough stuff that it's worth running
behind the Barracuda.

Plus if something bad happens to the Barracuda, I still have something
to scan for viruses on the mail server.

Lyle Giese
LCR Computer Services, Inc.


