Mailing List Archive: ClamAV: users

Re: Trouble whitelisting URLs


azidouemba at sourcefire

Jun 11, 2013, 12:12 PM


The following seems to work for me:


X:\.scotiarewards\.com:\.scotiabank\.com


It will be released shortly to whitelist the redirection from
scotiarewards.com to scotiabank.com

- Alain
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


greg at donor

Jun 11, 2013, 12:20 PM


On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
> (Resend; list seems to have gone black-hole for a few days)

FYI, I saw your last e-mail on Wednesday of last week on this very
subject. I didn't have any answers so I didn't respond.
--
greg folkert - systems administration and support
web: donor.com
email: greg [at] donor
phone: 877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"Our happiness depends on wisdom all the way."
-- Sophocles



kdeugau at vianet

Jun 11, 2013, 1:19 PM


Greg Folkert wrote:
> On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
>> (Resend; list seems to have gone black-hole for a few days)
>
> FYI, I saw your last e-mail on Wednesday of last week on this very
> subject. I didn't have any answers so I didn't respond.

Curious. I didn't get a copy back as usual, and I didn't get a copy of
today's message either. Time to check my subscription settings...

-kgd


kdeugau at vianet

Jun 11, 2013, 1:39 PM


Alain Zidouemba wrote:
> The following seems to work for me:
>
>
> X:\.scotiarewards\.com:\.scotiabank\.com
>
>
> It will be released shortly to whitelist the redirection from
> scotiarewards.com to scotiabank.com

Thanks!

However, I tried adding this to daily.wdb locally, and I'm still getting
the Heuristics.Phishing.Email.SpoofedDomain hit. I get this in the
debug output:

LibClamAV debug: Phishcheck:host:.links.email.scotiarewards.com
LibClamAV debug: Phishing: looking up in whitelist:
.links.email.scotiarewards.com:.scotiarewards.scotiabank.com; host-only:1
LibClamAV debug: Looking up in regex_list:
links.email.scotiarewards.com:scotiarewards.scotiabank.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain

FWIW, I've added similar entries to daily.wdb before, and it's always
worked fine. I'm not sure what's missing this time around.

-kgd


azidouemba at sourcefire

Jun 11, 2013, 1:42 PM


You are missing some ".+"

X:.+\.scotiarewards\.com:.+\.scotiabank\.com

As I mentioned earlier, a signature update will go out momentarily.

- Alain
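Why the first entry posted in this thread missed and the second one hits, as an added example that is not part of any poster's message and is not ClamAV's code. It is a simplified model that assumes what ClamAV's phishing-signature documentation describes for `X:` entries in a .wdb file: the regex is matched against the whole string "real:displayed" with a trailing `/` appended to both regex and input, which is the form shown in the "Looking up in regex_list" debug line above. The function name and the example.net host are constructed for illustration.

```python
import re


def wdb_regex_matches(wdb_line: str, real_host: str, displayed_host: str) -> bool:
    """Simplified model of an X: (regex) .wdb lookup. Not ClamAV's implementation."""
    if not wdb_line.startswith("X:"):
        raise ValueError("only X: (regex) entries are modelled")
    # Assumption: the entry carries no optional :FuncLevelSpec suffix.
    pattern = wdb_line[2:]
    # The lookup string is real + ':' + displayed, with '/' appended, as in
    # the debug line "links.email.scotiarewards.com:scotiarewards.scotiabank.com/".
    subject = f"{real_host}:{displayed_host}/"
    # fullmatch models the implicit ^...$ anchoring of the whole pair.
    return re.fullmatch(pattern + "/", subject) is not None


FIRST_ENTRY = r"X:\.scotiarewards\.com:\.scotiabank\.com"
FIXED_ENTRY = r"X:.+\.scotiarewards\.com:.+\.scotiabank\.com"

# Host pair taken from the debug output quoted in the thread.
REAL = "links.email.scotiarewards.com"
DISPLAYED = "scotiarewards.scotiabank.com"

if __name__ == "__main__":
    # Anchored at the start, the first entry requires the string to begin
    # with ".scotiarewards.com", so the subdomain labels make it miss.
    print("first entry :", wdb_regex_matches(FIRST_ENTRY, REAL, DISPLAYED))
    # ".+" absorbs the subdomain labels on both sides of the colon.
    print("fixed entry :", wdb_regex_matches(FIXED_ENTRY, REAL, DISPLAYED))
    # Checks worth running before deploying a whitelist entry:
    # the bare domains are NOT covered, because ".+\." needs a label in front.
    print("bare domains:", wdb_regex_matches(
        FIXED_ENTRY, "scotiarewards.com", "scotiabank.com"))
    # A constructed host that merely contains the name is not whitelisted.
    print("lookalike   :", wdb_regex_matches(
        FIXED_ENTRY, "links.scotiarewards.com.example.net", "www.scotiabank.com"))
```

Running the same checks against any locally added entry shows whether it is too narrow (the false positive persists) or wider than intended before it goes into daily.wdb.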


C.J.Theunissen at differ

Jun 11, 2013, 2:00 PM


On Tue, 11 Jun 2013, Kris Deugau wrote:

>Greg Folkert wrote:
>> On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
>>> (Resend; list seems to have gone black-hole for a few days)
>>
>> FYI, I saw your last e-mail on Wednesday of last week on this very
>> subject. I didn't have any answers so I didn't respond.
>
>Curious. I didn't get a copy back as usual, and I didn't get a copy of
>today's message either. Time to check my subscription settings...

Or just check your virus-filter logs.

Both your messages were rejected by my filter. The log shows:
"Messsage rejected because of virus Heuristics.Phishing.Email.SpoofedDomain."
It triggered most likely on the URLs in your messages.

That probably also happened with your copies.

Time to whitelist the list server I guess.


Regards,

Kees Theunissen.

--
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen [at] differ
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL



kdeugau at vianet

Jun 12, 2013, 7:39 AM


Kees Theunissen wrote:
> Or just check your virus-filter logs.

*blink*

*poke*

Ah, that *is* enabled on my account. I had forgotten that.

> Both your messages were rejected by my filter. The log shows:
> "Messsage rejected because of virus Heuristics.Phishing.Email.SpoofedDomain."
> It triggered most likely on the URLs in your messages.
>
> That probably also happened with your copies.

*nod* Except they were tagged and filed rather than rejected. We only
reject on Spamhaus ZEN hits.

> Time to whitelist the list server I guess.

Well, whitelist the list.

I keep swinging back and forth trying to decide if this heuristic test
is worthwhile every time I see an FP report - but I don't see many of those.

-kgd