Mailing List Archive: ClamAV: users

Phishing and ClamAV

 

 



unix.ivan at aol

Oct 20, 2011, 3:59 AM

Post #1 of 10 (964 views)
Phishing and ClamAV

Hello,

I am a newbie with ClamAV and I am trying to improve phishing accuracy on an e-mail server installation.
Unfortunately I was not able to understand how to do that in detail. Should I use daily.pdb, or are phishing signatures already included in another database?
It appears that even after enabling the use of phishing signatures in clamd.conf, freshclam does not download daily.pdb.

Thank you in advance for your help
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwintorok at gmail

Oct 20, 2011, 4:29 AM

Post #2 of 10 (947 views)
Re: Phishing and ClamAV [In reply to]

On 10/20/2011 01:59 PM, Ivan Ivanov wrote:
> Hello,
>
> I am a newbie with ClamAV and I am trying to improve phishing accuracy on an e-mail server installation.
> Unfortunately I was not able to understand how to do that in detail. Should I use daily.pdb, or are phishing signatures already included in another database?
> It appears that even after enabling the use of phishing signatures in clamd.conf, freshclam does not download daily.pdb.

daily.pdb is included inside daily.cvd already.

Best regards,
--Edwin


unix.ivan at aol

Oct 20, 2011, 4:40 AM

Post #3 of 10 (948 views)
Re: Phishing and ClamAV [In reply to]

Hello Török,

Thank you for your fast response.
Is it possible to have an additional .pdb with customized values included in the ClamAV configuration and databases directory? Example content of such a local.pdb: H:somelocalbank.ctld

Thank you.

With best regards,

I. Ivanov









robert at schetterer

Oct 20, 2011, 4:46 AM

Post #4 of 10 (957 views)
Re: Phishing and ClamAV [In reply to]

On 20.10.2011 13:29, Török Edwin wrote:
> On 10/20/2011 01:59 PM, Ivan Ivanov wrote:
>> Hello,
>>
>> I am a newbie with ClamAV and I am trying to improve phishing accuracy on an e-mail server installation.
>> Unfortunately I was not able to understand how to do that in detail. Should I use daily.pdb, or are phishing signatures already included in another database?
>> It appears that even after enabling the use of phishing signatures in clamd.conf, freshclam does not download daily.pdb.
>
> daily.pdb is included inside daily.cvd already.
>
> Best regards,
> --Edwin

Additionally you may use the signatures from
http://sanesecurity.com/

Especially with clamav-milter this helps a lot in rejecting phishing and spam
at the SMTP incoming level.

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


edwintorok at gmail

Oct 20, 2011, 4:47 AM

Post #5 of 10 (948 views)
Re: Phishing and ClamAV [In reply to]

On 10/20/2011 02:40 PM, Ivan Ivanov wrote:
> Hello Török,
>
> Thank you for your fast response.
> Is it possible to have an additional .pdb with customized values included in the ClamAV configuration and databases directory? Example content of such a local.pdb: H:somelocalbank.ctld

Yes, just place a file named local.pdb (or anything other than main.* or daily.*) there and add your entries to it.


--Edwin


unix.ivan at aol

Oct 20, 2011, 5:05 AM

Post #6 of 10 (951 views)
Re: Phishing and ClamAV [In reply to]

Hello Edwin,

Thank you for your e-mail.
I've added a local.pdb in /var/lib/clamav with content: H:localbankaddress.ctld

But it appears that the message passed as clean. Please see the log entry returned by amavis (Postfix+amavisd-new+ClamAV):

amavis[17914]: (17914-04) Passed CLEAN

Thank you,

With best regards,

Ivan









edwintorok at gmail

Oct 20, 2011, 5:12 AM

Post #7 of 10 (946 views)
Re: Phishing and ClamAV [In reply to]

On 10/20/2011 03:05 PM, Ivan Ivanov wrote:
> Hello Edwin,
>
> Thank you for your e-mail.
> I've added a local.pdb in /var/lib/clamav with content: H:localbankaddress.ctld
>
> But it appears that the message passed as clean. Please see the log entry returned by amavis (Postfix+amavisd-new+ClamAV):
>
> amavis[17914]: (17914-04) Passed CLEAN

Save the message to a file, and then post the stderr output of 'clamscan -d/var/lib/clamav/local.pdb /path/to/youremail --debug'
(for example: clamscan -d/var/lib/clamav/local.pdb /path/to/youremail --debug 2>log; then post the contents of log)

Best regards,
--Edwin


unix.ivan at aol

Oct 20, 2011, 5:31 AM

Post #8 of 10 (944 views)
Re: Phishing and ClamAV [In reply to]

Hello Edwin.

Here is:

clamscan -d /var/lib/clamav/local.pdb message.eml
message.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.021 sec (0 m 0 s)


# cat message.eml
<a href="http://www.w3schools.com/" target="_blank">Visit testbank.lan</a>

-rw-r--r-- 1 clam clam 15 Oct 20 14:20 local.pdb

cat /var/lib/clamav/local.pdb
H:testbank.lan


Thank you.

With best regards,

Ivan











edwin at clamav

Oct 20, 2011, 5:36 AM

Post #9 of 10 (954 views)
Re: Phishing and ClamAV [In reply to]

On 10/20/2011 03:31 PM, Ivan Ivanov wrote:
> Hello Edwin.
>
> Here is:
>
> clamscan -d /var/lib/clamav/local.pdb message.eml
> message.eml: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.97.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.021 sec (0 m 0 s)
>
>
> # cat message.eml

The file should be a mail message, so add these 4 lines (including the blank one) at the beginning:

From test [at] example
From: test [at] example
To: test [at] example

> <a href="http://www.w3schools.com/" target="_blank">Visit testbank.lan</a>

There is the problem: .lan is not a valid TLD, so ClamAV doesn't recognize testbank.lan as a URL.
Try using a valid TLD, for example testbank.example.com, and then ClamAV should block your message.

Best regards,
--Edwin


unix.ivan at aol

Oct 20, 2011, 5:53 AM

Post #10 of 10 (963 views)
Re: Phishing and ClamAV [In reply to]

Hello Edwin:

It is okay now:

clamscan -d /var/lib/clamav/local.pdb message.eml
message.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.023 sec (0 m 0 s)

Thank you very much for your help and support!

With best regards,

Ivan Ivanov






