Re: [Clamav-users] exceptions where?
On 2009-08-14 19:25, Len Conrad wrote:
> -- Original Message --
> From: Len Conrad lcon...@go2france.com
> Reply-To: ClamAV users ML clamav-users@lists.clamav.net
> Date: Fri, 14 Aug 2009 15:53:44 +0200
>
> All my users' headline alerts from NYTIMES.com got blocked for:
>
> status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain ... this filter is also catching true positives, so we'd like to keep it.
>
> In the man pages for clamd and clamsmtpd, I can't find any doc on whitelisting, although clamsmtpd console logs empty for 3 lists at start up.
>
> thanks
> Len
>
> I found Ralph's blog page for moving sigs to local.ign, but grep can't find the sig that's giving us FPs:
>
> Phishing.Heuristics.Email.SpoofedDomain

Whitelisting heuristic phishing signatures is done using a .wdb file.
Or you can submit the raw email as a false positive so we can whitelist it.

Best regards,
--Edwin

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
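An added example, not from the thread or the ClamAV project: a Python script that lists the links in an HTML message body whose href host differs from the host shown in the link text, and emits each pair as an `M:RealHostname:DisplayedHostname` line, the literal-hostname entry type of a .wdb file. The sample body and the host click.mailer.example are constructed, and the matching is a simplification, not ClamAV's own heuristic.

```python
"""Added example: find link pairs in a false-positive mail that need a .wdb entry."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Link text counts as "naming a host" if it starts like a URL or a dotted hostname.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def host_of(text):
    """Return the lowercase hostname if text looks like a URL or bare host, else None."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

class LinkPairs(HTMLParser):
    """Collect (real_host, displayed_host) for every <a href> whose text names a host."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            real = urlsplit(self._href).hostname   # where the link really goes
            shown = host_of("".join(self._text))   # what the reader sees
            if real and shown:
                self.pairs.append((real.lower(), shown))
            self._href = None

def wdb_candidates(html):
    """Return sorted 'M:RealHostname:DisplayedHostname' lines for mismatched pairs."""
    parser = LinkPairs()
    parser.feed(html)
    parser.close()
    return sorted({f"M:{r}:{d}" for r, d in parser.pairs if r != d})

# Constructed sample body; click.mailer.example is a placeholder tracking host.
SAMPLE = """
<p><a href="http://click.mailer.example/r?id=1">www.nytimes.com</a></p>
<p><a href="http://www.nytimes.com/pages/world/">http://www.nytimes.com/pages/world/</a></p>
<p><a href="http://click.mailer.example/r?id=2">Read more</a></p>
"""

if __name__ == "__main__":
    print("\n".join(wdb_candidates(SAMPLE)))
```

Review each candidate before placing it in a .wdb file in the ClamAV database directory and reloading clamd. An entry applies to that host pair in mail from any sender, so list only redirect hosts you have confirmed belong to the legitimate mailer.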
Re: [Clamav-users] exceptions where?
Len Conrad wrote:
>>> How can I put Phishing.Heuristics.Email.SpoofedDomain ... in local.ign, if I can't find it in the files unpacked by sigtool?
>>>
>>> thanks
>>> Len
>>
>> Phishing heuristics sigs are not real signatures, so your choices include disable the phishing heuristics in clamd.conf (PhishingScanURLs no
>
> Although Barracudas have passed many phishing emails, and I was hoping clamd in cascade would help, I've had to do
>
> PhishingScanURLs no
>
> in clamd.conf.
>
> Way more FPs than TPs, and a nice variety, too. One day, it stopped all nytimes.com headlines alerts, and it blocked monthly notices about credit card balances, which looked legit from the content, and from all the Received: headers.
>
> I just caught an FP where one of our DSL users sent to herself, directly to our submission box running clamd, from the IP she successfully POPs from, a .gov job site notice. I guess I'll hear from her soon. :)
>
> Len

I have a Barracuda in front of a mail server running clamAV. Phishing in clamAV will cause more FPs, IMHO, than it's worth. I do have Phishing turned off.

But clamAV does find enough stuff that it's worth running behind the Barracuda. Plus if something bad happens to the Barracuda, I still have something to scan for viruses on the mail server.

Lyle Giese
LCR Computer Services, Inc.
Re: [Clamav-users] exceptions where?
How can I put Phishing.Heuristics.Email.SpoofedDomain ... in local.ign, if I can't find it in the files unpacked by sigtool?

thanks
Len
Re: [Clamav-users] exceptions where?
-- Original Message --
From: Len Conrad lcon...@go2france.com
Reply-To: ClamAV users ML clamav-users@lists.clamav.net
Date: Fri, 14 Aug 2009 15:53:44 +0200

All my users' headline alerts from NYTIMES.com got blocked for:

status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain ... this filter is also catching true positives, so we'd like to keep it.

In the man pages for clamd and clamsmtpd, I can't find any doc on whitelisting, although clamsmtpd console logs empty for 3 lists at start up.

thanks
Len

I found Ralph's blog page for moving sigs to local.ign, but grep can't find the sig that's giving us FPs:

Phishing.Heuristics.Email.SpoofedDomain

thanks
Len