Hi there,

On Thu, 23 Sep 2021, Jim Popovitch via clamav-users wrote:
> On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>>> ClamAV is not respecting Phishing* settings.
>>>
>>> clamd.conf:
>>>   ...
>>>   PhishingSignatures false
>>>   PhishingScanURLs false
>>>
>>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message infected with Email.Phishing.VOF1-6326576-0; from=<kristina.sjost...@walleniusmarine.com> to=<dom...@domainmail.net> proto=ESMTP helo=<walleniusmarine.com>
>>>
>>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message infected with Email.Phishing.VOF1-6295631-2; from=<mary....@dhl.com> to=<dom...@domainmail.net> proto=ESMTP helo=<bizcloud-server.squaregroup.com>
>>
>> I am sure someone will respond about your particular issue, but are
>> you saying they are false positives?
>
> I'm saying I don't want ClamAV to do anything other than scan for
> viruses. I have followed the ClamAV documentation and yet ClamAV is
> doing something it is configured not to do.  What other things is
> ClamAV doing then?

You misunderstand what ClamAV does.  In its assorted databases there
are millions of signatures from multiple parties.  A signature has a
name and a pattern.  ClamAV is incapable of understanding the names,
and if a party decides to call a signature "Some.Phishing.Signature",
then if the pattern in the signature matches, that's what ClamAV will
tell you was "FOUND".  But it does not know anything about the name,
and it does not filter its output based on the name.  There are many,
many signatures which are not strictly speaking "viruses".  Short of
removing them from the database yourself, you have no way to prevent
them from being used.

In addition to the database signatures there are 'heuristics' coded in
the ClamAV libraries.  See for example libclamav/phishcheck.c (or grep
all the files in the libclamav directory for 'Heuristics').  This kind
of detection does not use signatures, but looks for things in the data
which are considered suspicious.  Examples include: HTTP anchors where
the display text in the anchor is very different from the link itself;
the text displayed is https and the anchor is not; hostnames differ;
embedded numeric IP addresses.  This kind of thing can be difficult to
detect using signatures, which is why there is a chunk of code called
phishcheck.c, and it's things in this code which are disabled by your
configuration options - not signatures named in any particular way.

Why do you not want ClamAV to alert you to (what appear to me to be)
obvious scam emails?  Is it because some are false positives?

--

73,
Ged.
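The distinction drawn above, between detections that come from named database signatures and detections that come from the heuristics in libclamav, is what decides which knob an operator has to turn. As a worked example (added here; it is not code from the thread or from the ClamAV project), the script below parses postfix milter-reject lines of the shape quoted in the thread, separates database signature names from code-based heuristics (which ClamAV reports under the Heuristics.* prefix), and emits the body of a .ign2 file, ClamAV's documented signature whitelist: one signature name per line, placed in the database directory (for example /var/lib/clamav/local.ign2) and picked up on the next database reload. The sample log lines are constructed for the example (the two signature names and client IPs are the ones from the thread; the addresses, the third queue id and the Heuristics.Phishing.Email.SpoofedDomain line are illustrative), and the regex is written for this log shape only. Whether a Heuristics.* name placed in a .ign2 file is honoured is not something the thread establishes, so the example keeps heuristics out of the whitelist and leaves them to the clamd.conf options.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the postfix/cleanup milter-reject lines
# quoted in the thread. Signature names and client IPs of the first two lines
# are from the thread; addresses, the third queue id and the Heuristics.* line
# are made up for the example. The last line is non-reject noise.
SAMPLE_LOG = """\
Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message infected with Email.Phishing.VOF1-6326576-0; from=<sender1@example.com> to=<user@example.net> proto=ESMTP helo=<walleniusmarine.com>
Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message infected with Email.Phishing.VOF1-6295631-2; from=<sender2@example.com> to=<user@example.net> proto=ESMTP helo=<bizcloud-server.squaregroup.com>
Sep 23 09:01:10 mx1 postfix/cleanup[9401]: 4HFjxx0000zAAAA: milter-reject: END-OF-MESSAGE from unknown[198.51.100.7]: 5.7.1 Message infected with Heuristics.Phishing.Email.SpoofedDomain; from=<sender3@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.org>
Sep 23 09:02:00 mx1 postfix/smtpd[9402]: connect from unknown[198.51.100.8]
"""

# Matches only the milter-reject lines produced by a clamav-milter rejection.
REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<queue>\w+): milter-reject: END-OF-MESSAGE "
    r"from (?P<client>\S+?\[(?P<ip>[\d.]+)\]): 5\.7\.1 Message infected with "
    r"(?P<sig>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per milter-reject line; unrelated lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def is_heuristic(sig):
    """Code-based detections (libclamav/phishcheck.c and friends) are reported
    under the Heuristics.* prefix. Anything else is a database signature whose
    name is only a label, so PhishingSignatures/PhishingScanURLs do not affect it."""
    return sig.startswith("Heuristics.")


def classify(hits):
    """Group detections by signature name, split into the two kinds that need
    different handling: database signatures (whitelist via .ign2) and
    heuristics (switched off via clamd.conf options)."""
    by_kind = {"database": defaultdict(list), "heuristic": defaultdict(list)}
    for h in hits:
        kind = "heuristic" if is_heuristic(h["sig"]) else "database"
        by_kind[kind][h["sig"]].append(h)
    return by_kind


def ign2_contents(hits):
    """Body of a ClamAV .ign2 whitelist: one database signature name per line,
    sorted and deduplicated. Heuristic names are left out on purpose; they are
    governed by clamd.conf, not by the signature whitelist."""
    names = sorted({h["sig"] for h in hits if not is_heuristic(h["sig"])})
    return "\n".join(names) + "\n"


if __name__ == "__main__":
    hits = parse_rejects(SAMPLE_LOG)
    kinds = classify(hits)
    for sig, rows in kinds["database"].items():
        ips = sorted(r["ip"] for r in rows)
        print(f"database signature {sig}: {len(rows)} rejection(s) from {ips}")
    for sig, rows in kinds["heuristic"].items():
        print(f"heuristic {sig}: {len(rows)} rejection(s); controlled by clamd.conf, not by .ign2")
    print("--- local.ign2 ---")
    print(ign2_contents(hits), end="")
```

Run it against a real mail log (replace SAMPLE_LOG with the file contents) before writing anything into the database directory, and review the list by hand: a whitelist entry silences that signature for every message, not just the ones you judged to be false positives.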

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml