On 8/11/2022 7:10 PM, joe a wrote:
On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
Hi there,
On Thu, 11 Aug 2022, joe a wrote:
I do not understand why, when entering more than one URL, the first
line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to
be able to match when entered "in plain text", while subsequent lines
seem to want actual "regex" notation (escaped "."), with only the
domains entered.
At least that is what it seems it takes to "run clean" when re-scanned
in debug mode.
To add to the above, I found a few recent emails containing the URLs
in the first entry, mentioned above, that were flagged. Those emails
passed without notice when scanned as above. I removed that first
entry, scanned again and the emails were flagged. I then entered
those URLs again, as the first line, this time in regex notation
("." escaped, no "http or https"), scanned again, and it was not
flagged.
Post your .wdb file here?
In the "old days" I would not hesitate, but in the current age, I do,
simply because it is essentially "public".
Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
Or posted to some less public place?
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
Having taken the (rhetorical) purple pill . . . and written and thought
better of several rambling and vacuous screeds . . . I post the contents
of an obfuscated "/my/install/location/gud-uns.wdb". Please hold the
cheers and applause, I won't hear them anyway.
X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com
The above appears to work for scanning with clamd or clamscan (in debug
mode).
X:http://data99.bingo.com:http://bingobank.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com
The above appears to work scanning with clamscan, but, formatting the
last three lines as the first line, fails to pass those three.
In any case, I am OK with it working with formatting as the first
example, but the oddity of the second cited example, an outgrowth of my
first foray into this, kind of stumbled me.
Is it known behavior? An anomaly of my formatting? A bug?
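An added example, not part of the original thread and not ClamAV code: a small Python check for X: entries like the ones posted above. It assumes, following ClamAV's phishing-signature documentation, that the text after "X:" is one regular expression applied to "RealURL:DisplayedURL" (an optional functionality-level suffix is not handled), and it uses Python's re module as a stand-in for ClamAV's own matcher, so results are approximate. The names unescaped_dots, lint_wdb and matches are hypothetical helpers.

```python
import re

# Constructed sample built from the obfuscated entries in the post.
SAMPLE_WDB = (
    "X:l\\.data99\\.bingo\\.com:bingobank\\.com\n"
    "X:http://data99.bingo.com:http://bingobank.com\n"
    "X:go\\.sumcc:sumccexpanded\\.com\n"
)

def unescaped_dots(pattern):
    """Offsets of '.' that act as single-character wildcards.

    Skips escaped characters, bracket classes, and dots followed by a
    quantifier (".*", ".+"), which are taken to be deliberate.
    """
    offsets, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character as well
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            if pattern[i + 1:i + 2] not in ("*", "+", "?", "{"):
                offsets.append(i)
        i += 1
    return offsets

def lint_wdb(text):
    """Return (line number, regex body, dot offsets) for loose X: entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("X:"):
            continue  # only regex entries are checked here
        body = line[2:]
        dots = unescaped_dots(body)
        if dots:
            findings.append((lineno, body, dots))
    return findings

def matches(body, real, displayed):
    """Approximate test of an entry against a real/displayed pair (Python re)."""
    return re.search(body, real + ":" + displayed) is not None
```

An entry flagged by lint_wdb still matches the intended hosts, but it also matches any pair where another character stands in place of a dot, which makes the allow-list broader than written.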