
Mailing List Archive: ClamAV: users

multiple viruses detected



uhlar at fantomas

Feb 10, 2012, 10:12 AM

Post #1 of 7 (480 views)
multiple viruses detected

Hello,

How does clamd behave if it detects multiple viruses/phishes in a file?
Does it have some internal logic that tells which to report or does it
report just the first found?

I'd like to prefer reporting phish over other viruses (different
handling in e-mail), or possibly reporting all of them

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


henri at nerv

Feb 11, 2012, 3:06 AM

Post #2 of 7 (462 views)
Re: multiple viruses detected

On Fri, Feb 10, 2012 at 07:12:26PM +0100, Matus UHLAR - fantomas wrote:
> How does clamd behave if it detects multiple viruses/phishes in a file?
> Does it have some internal logic that tells which to report or does
> it report just the first found?

Correct me if I am wrong, but ClamAV will detect the first match and continue to the next file, or stop if there is only one file (probably the case with your email filter). There might be a way to control this, which is needed, for example, when scanning and removing infections from an mbox.

Years ago there was a --mbox option: http://lurker.clamav.net/message/20040105.064256.3e2f3b3b.fi.html

> I'd like to prefer reporting phish over other viruses (different
> handling in e-mail), or possibly reporting all of them

Why do you want to do this? Don't you want to delete or quarantine infected emails if ClamAV detects any malware in them? You can at least disable features when scanning.

- Henri Salo


uhlar at fantomas

Feb 13, 2012, 3:15 AM

Post #3 of 7 (457 views)
Re: multiple viruses detected

>On Fri, Feb 10, 2012 at 07:12:26PM +0100, Matus UHLAR - fantomas wrote:
>> How does clamd behave if it detects multiple viruses/phishes in a file?
>> Does it have some internal logic that tells which to report or does
>> it report just the first found?

On 11.02.12 13:06, Henri Salo wrote:
>Correct me if I am wrong, but ClamAV will detect the first match and
> continue to next file or stop if there is only one file (probably the
> case with your email-filter). There might be a way to control this,
> which is needed in case of for example scanning and removing
> infections from mbox.

That might be useful, but I only need what I have described.

>Years ago there has been --mbox -option
> http://lurker.clamav.net/message/20040105.064256.3e2f3b3b.fi.html

This seems to be something very different.

>> I'd like to prefer reporting phish over other viruses (different
>> handling in e-mail), or possibly reporting all of them

>Why do you want to do this? Don't you want to delete or quarantine
> infected emails if ClamAV detects any malware from emails?

No, I don't delete mail, attachments, nor quarantine anything.

> You can at least disable features when scanning.

What I need is to pass phishes sent to one particular address
(abuse@, since we should know when our customers send phishes).

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


henri at nerv

Feb 13, 2012, 3:45 AM

Post #4 of 7 (459 views)
Re: multiple viruses detected

On Mon, Feb 13, 2012 at 12:15:02PM +0100, Matus UHLAR - fantomas wrote:
> What I need is to pass phishes sent to one particular address
> (abuse@, since we should know when our customers send phishes)

You might be looking for these arguments of clamscan. You can also control this in clamd.conf. Default is marked as "(*)".

--scan-mail[=yes(*)/no]
Scan mail files. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments.

--phishing-sigs[=yes(*)/no]
Use the signature-based phishing detection.

--phishing-scan-urls[=yes(*)/no]
Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*)

--scan-pdf[=yes(*)/no]
Scan within PDF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing.

--scan-html[=yes(*)/no]
Detect, normalize/decrypt and scan HTML files and embedded scripts. If you turn off this option, the original files will still be scanned, but without additional processing.

--scan-archive[=yes(*)/no]
Scan archives supported by libclamav. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing.


- Henri Salo


uhlar at fantomas

Feb 13, 2012, 6:01 AM

Post #5 of 7 (458 views)
Re: multiple viruses detected

>On Mon, Feb 13, 2012 at 12:15:02PM +0100, Matus UHLAR - fantomas wrote:
>> What I need is to pass phishes sent to one particular address
>> (abuse@, since we should know when our customers send phishes)

On 13.02.12 13:45, Henri Salo wrote:
>You might be looking for these arguments of clamscan. You can also
> control this in clamd.conf. Default is marked as "(*)".

I am not looking for any currently existing arguments to clam(d)scan
nor clamd. With them, the only possible way of checking for phishes etc.
is to scan twice: once with phishing signatures, once without them.

This is not nice, no matter whether I call clamscan (which takes long to
load the signature database), clamd (which would require 2 clamd
processes running), or a combination of these two.

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


edwintorok at gmail

Feb 13, 2012, 6:12 AM

Post #6 of 7 (470 views)
Re: multiple viruses detected

On 02/13/2012 04:01 PM, Matus UHLAR - fantomas wrote:
>> On Mon, Feb 13, 2012 at 12:15:02PM +0100, Matus UHLAR - fantomas wrote:
>>> What I need is to pass phishes sent to one particular address
>>> (abuse@, since we should know when our customers send phishes)
>
> On 13.02.12 13:45, Henri Salo wrote:
>> You might be looking for these arguments of clamscan. You can also control this in clamd.conf. Default is marked as "(*)".
>
> I am not looking for any currently existing arguments to clam(d)scan nor clamd. With them, the only possible way of checking for phishes etc. is to scan twice: once with phishing signatures, once
> without them.
>
> This is not nice no matter if I call clamscan (which takes long to load the signature database), or clamd (would require 2 clamd processes running), or combination of these two.
>

Try --heuristic-scan-precedence=yes (a similar clamd option exists too).
It will cause ClamAV to stop and report on the first Heuristics.* match it finds. Phishing is part of Heuristics.*

The default behaviour is 'no', so when it sees a Heuristics.* match it keeps scanning, and if malware is found,
then that is reported instead of the Heuristics.

The problem is that Heuristics.* is not only phishing, but some other stuff as well.

Best regards,
--Edwin
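The precedence rule Edwin describes, and the caveat that Heuristics.* covers more than phishing, are easy to get wrong in a mail filter that keys on the detection name. The following is an added example (not code from this thread and not ClamAV's own); it assumes clamd verdict lines of the form `<path>: <signature> FOUND` / `<path>: OK`, models which single name ClamAV reports under `--heuristic-scan-precedence` off versus on (the clamd.conf equivalent is `HeuristicScanPrecedence`), and applies an assumed filter policy in which phishing addressed to an abuse mailbox is delivered while other detections are only tagged. The sample responses and the mailbox name are constructed.

```python
"""Route mail by ClamAV verdict: phishing heuristics vs. other detections.

Added example; not from the thread or from ClamAV. Assumes clamd's
"<path>: <sig> FOUND" / "<path>: OK" reply format.
"""
import re
from typing import List, Optional

# Constructed sample clamd replies, one per scanned message. The names
# follow ClamAV's naming conventions; which ones fire on real mail
# depends on the signature database and scan options in use.
SAMPLE_RESPONSES = [
    "/var/spool/scan/msg1.eml: OK",
    "/var/spool/scan/msg2.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND",
    "/var/spool/scan/msg3.eml: Heuristics.Encrypted.Zip FOUND",
    "/var/spool/scan/msg4.eml: Eicar-Test-Signature FOUND",
]

_LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_response(line: str) -> Optional[str]:
    """Return the signature name from a clamd verdict line, or None for OK.

    Anything else (e.g. an ERROR reply) raises, so a broken scan is never
    silently treated as clean.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    return m.group("sig")


def is_heuristic(sig: str) -> bool:
    return sig.startswith("Heuristics.")


def is_phishing(sig: str) -> bool:
    # Phishing is only one family under Heuristics.*; match the family,
    # not the whole prefix (Heuristics.Encrypted.*, Heuristics.Broken.*,
    # and others are not phishing).
    return sig.startswith("Heuristics.Phishing.")


def reported_name(matches: List[str], precedence: bool) -> Optional[str]:
    """Model the one name ClamAV reports for a file.

    `matches` lists every signature hit in the order the scanner met them.
    precedence=False (the default): a Heuristics.* hit does not end the
      scan, and a later non-heuristic match is reported instead of it.
    precedence=True (--heuristic-scan-precedence=yes): the first match of
      any kind ends the scan and is reported.
    """
    if not matches:
        return None
    if precedence:
        return matches[0]
    for sig in matches:
        if not is_heuristic(sig):
            return sig
    return matches[0]


def policy(sig: Optional[str], recipient: str,
           abuse_mailbox: str = "abuse@example.com") -> str:
    """Assumed filter policy, not one stated in the thread.

    Phishing sent to the abuse mailbox is delivered so the abuse desk
    sees it; other phishing and all non-phishing detections are tagged
    (nothing is deleted or quarantined).
    """
    if sig is None:
        return "deliver"
    if is_phishing(sig):
        return "deliver" if recipient == abuse_mailbox else "tag-phishing"
    return "tag-malware"


def run_samples(recipient: str = "abuse@example.com") -> List[str]:
    """Apply the policy to each constructed reply; returns one action per line."""
    return [policy(parse_response(line), recipient) for line in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for line, action in zip(SAMPLE_RESPONSES, run_samples()):
        print(f"{action:13s} <- {line}")
```

Note the asymmetry `reported_name` encodes: turning precedence on only helps when the phishing heuristic is hit before a signature match in the same message; it does not make the scanner report both, which is what the thread ultimately asks for.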


uhlar at fantomas

Feb 13, 2012, 6:27 AM

Post #7 of 7 (461 views)
Re: multiple viruses detected

>On 02/13/2012 04:01 PM, Matus UHLAR - fantomas wrote:
>> I am not looking for any currently existing arguments to clam(d)scan
>> nor clamd. With them, the only possible way of checking for phishes
>> etc. is to scan twice: once with phishing signatures, once without
>> them.
>>
>> This is not nice no matter if I call clamscan (which takes long to
>> load the signature database), or clamd (would require 2 clamd
>> processes running), or combination of these two.

On 13.02.12 16:12, Török Edwin wrote:
>Try --heuristic-scan-precedence=yes (similar clamd option exists too).
>It will cause ClamAV to stop and report on the first Heuristics.* match it finds. Phishing is part of Heuristics.*

Didn't know that...

>The default behaviour is 'no', so when it sees a Heuristics.* it keeps scanning and if a malware is found,
>then that is reported instead of the Heuristics.
>
>The problem is that Heuristics.* is not only phishing, but some other stuff as well.

That's it. The possibility to continue scanning after malware has been
found is also important, especially if it was found by heuristics, which
some may not trust... not that I don't.

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]