Hi everybody,

It has been a few days now that my second primary scanner (F-Prot) triggers on a
phishing mail, while the first primary (ClamAV) doesn't.

This occasionally happens on malware not yet detected by ClamAV, and often
lasts a day or two, until ClamAV finally starts catching it. So, I looked at
the why and saw ClamAV detecting an HTML.Phishing.Bank, while F-Prot
actually detects an HTML/Bankish.

Then I see that the array @virus_name_to_spam_score_maps holds a regex that
matches the HTML.Phishing result from ClamAV, but there isn't any to match
the HTML/Bankish from F-Prot, while I think they basically have to be
handled the same. It's the same phishing, after all...

So I modified the amavisd code (brr!), changing this:

        [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],

to this:

        [ qr'^(Email|HTML)\.(?:Phishing|Bankish)\.(?!.*Sanesecurity)' => 0.1 ],

Do you believe it is the right way to do it?

If yes, would it then be possible to have it modified in future amavisd
versions?

By the way, a lot of phishing seems to be detected as
Heuristics.Phishing.Email by ClamAV, while amavisd handles them as viruses
because in virus_name_to_spam_score_maps there is a '^Phishing\.' regex, not
a '^(?:Heuristic\.)?Phishing\.' one. But instead of adding this, I preferred
to rewrite the ClamAV definition in @av_scanner from the amavisd config
file, such that the threat name extractor is now:

        qr/^.*?: (?!Infected Archive)(?:Heuristics?\.)?(.*) FOUND$/m

Do you believe this is ok too?

Finally, I'm going to spare a thought. It seems to me that the
virus_name_to_spam_score_maps technique is a bit loose overall.
First, that array is defined in the amavisd code itself and the
configuration file can't (transparently) deal with it. And last, it is a
global thing, not per av-engine. Since often av-engines do report the same
thing with different names and prefixes, it may be possible for a signature
to be ambiguous, such that it would be reported for a phishing by one AV,
and for a real virus for another. Shouldn't it allow at least per-av-engine
exceptions?

Thanks,

Giampaolo
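An added example, not part of the mail above nor amavisd's own code, to check how a first-match virus-name-to-spam-score map and the modified clamd threat-name extractor behave on constructed scanner output. It assumes F-Prot's name is exactly `HTML/Bankish` as quoted in the mail, so the separator after the `Email`/`HTML` prefix is written as `[./]` rather than `\.`; all scanner lines and names below are constructed, not captured from real engines.

```perl
#!/usr/bin/perl
# Added example (not amavisd code): exercise a spam-score map and a clamd
# threat-name extractor on constructed scanner output.
use strict;
use warnings;

# First matching entry wins, as in amavisd's @virus_name_to_spam_score_maps.
# Assumption: the separator after Email/HTML is a dot for ClamAV names and a
# slash for F-Prot's "HTML/Bankish", hence [./] instead of the original \. .
my @virus_name_to_spam_score_maps = (
    [ qr'^(?:Email|HTML)[./](?:Phishing|Bankish)\b(?!.*Sanesecurity)' => 0.1 ],
    [ qr'^Phishing\.'                                                  => 0.1 ],
);

# Returns the score of the first matching entry, or undef if no entry
# matches (amavisd then treats the name as a real virus).
sub spam_score_for {
    my ($name) = @_;
    for my $entry (@virus_name_to_spam_score_maps) {
        my ($re, $score) = @$entry;
        return $score if $name =~ $re;
    }
    return undef;
}

# The clamd extractor from the mail; ClamAV reports the prefix as
# "Heuristics." (with an s), so the optional group accepts both spellings.
my $clamd_re = qr/^.*?: (?!Infected Archive)(?:Heuristics?\.)?(.*) FOUND$/m;

sub threat_name_from_clamd {
    my ($output) = @_;
    return $output =~ $clamd_re ? $1 : undef;
}

# Constructed clamd output lines and F-Prot names, not real scanner output.
my @clamd_out = (
    "stream: Heuristics.Phishing.Email.SpoofedDomain FOUND\n",
    "stream: HTML.Phishing.Bank-1 FOUND\n",
    "stream: Infected Archive FOUND\n",
);
my @fprot_names = ('HTML/Bankish', 'W32/Mytob.gen');

for my $name (map { threat_name_from_clamd($_) } @clamd_out) {
    next unless defined $name;                      # "Infected Archive" is skipped
    my $score = spam_score_for($name);
    printf "%-45s -> %s\n", $name, defined $score ? "spam score $score" : "virus";
}
for my $name (@fprot_names) {
    my $score = spam_score_for($name);
    printf "%-45s -> %s\n", $name, defined $score ? "spam score $score" : "virus";
}
```

With the original `\.` separator in place of `[./]`, the `HTML/Bankish` line would fall through the map and be reported as a virus, which is the behaviour the mail set out to change.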


AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 