Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-12 Thread joe a

On 8/12/2022 8:48 AM, joe a wrote:

On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:


[...] I post the contents of an obfuscated "[...]gud-uns.wdb".
[...]
Is it known behavior? An anomaly of my formatting?  A bug?


I have no idea.  I don't have time to mess about with obfuscated 
information.




What's the difference?

All that has been done is letters in the actual URLs were replaced with 
other letters. I don't think regex cares as long as they are "not 
special" to regex.





I am certainly not trying to be difficult or simply obstinate, I simply 
do not understand the issue with obfuscation.


Perhaps your concern is related to the non-obfuscated URLs being 
required to match an existing "bad" URL and cause some 
trigger/interaction with clamd or clamscan in some way that is not 
obvious to someone at my level of knowledge?


If so, I would be happy to provide the non-obfuscated version off list 
or in some other way, as previously indicated.


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-12 Thread joe a

On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:


[...] I post the contents of an obfuscated "[...]gud-uns.wdb".
[...]
Is it known behavior? An anomaly of my formatting?  A bug?


I have no idea.  I don't have time to mess about with obfuscated 
information.




What's the difference?

All that has been done is letters in the actual URLs were replaced with 
other letters. I don't think regex cares as long as they are "not 
special" to regex.





Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-12 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:


[...] I post the contents of an obfuscated "[...]gud-uns.wdb".
[...]
Is it known behavior? An anomaly of my formatting?  A bug?


I have no idea.  I don't have time to mess about with obfuscated information.

--

73,
Ged.


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread joe a

On 8/11/2022 7:10 PM, joe a wrote:

On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

I do not understand why, when entering more than one URL, the first 
line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to 
be able to match when entered "in plain text", while subsequent lines 
seem to want actual "regex" notation (escaped "."), with only the 
domains entered.


At least that is what it seems takes to "run clean" when re-scanned 
in debug mode.


To add to the above, I found a few recent emails containing the URLs 
in the first entry, mentioned above, that were flagged.  Those emails 
passed without notice when scanned as above.  I removed that first 
entry, scanned again and the emails were flagged.  I then entered 
those URLs again, as the first line, this time in regex notation 
("." escaped, no "http or https"), scanned again, and it was not 
flagged.


Post your .wdb file here?



In the "old days" I would not hesitate, but in the current age, I do, 
simply because it is essentially "public".


Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
Or posted to some less public place?




Having taken the (rhetorical) purple pill . . . and written, and thought 
better of, several rambling and vacuous screeds . . . I post the contents 
of an obfuscated "/my/install/location/gud-uns.wdb".  Please hold the 
cheers and applause, I won't hear them anyway.


X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work for scanning with clamd or clamscan (in debug 
mode).


X:http://data99.bingo.com:http://bingobank.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work scanning with clamscan, but, formatting the 
last three lines as the first line, fails to pass those three.


In any case, I am OK with it working with formatting as the first 
example, but the oddity of the second cited example, an outgrowth of my 
first foray into this, kind of stumbled me.


Is it known behavior? An anomaly of my formatting?  A bug?



Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread joe a

On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

I do not understand why, when entering more than one URL, the first 
line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be 
able to match when entered "in plain text", while subsequent lines 
seem to want actual "regex" notation (escaped "."), with only the 
domains entered.


At least that is what it seems takes to "run clean" when re-scanned in 
debug mode.


To add to the above, I found a few recent emails containing the URLs 
in the first entry, mentioned above, that were flagged.  Those emails 
passed without notice when scanned as above.  I removed that first 
entry, scanned again and the emails were flagged.  I then entered those 
URLs again, as the first line, this time in regex notation ("." 
escaped, no "http or https"), scanned again, and it was not flagged.


Post your .wdb file here?



In the "old days" I would not hesitate, but in the current age, I do, 
simply because it is essentially "public".


Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
Or posted to some less public place?




Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

I do not understand why, when entering more than one URL, the first line in 
my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match 
when entered "in plain text", while subsequent lines seem to want actual 
"regex" notation (escaped "."), with only the domains entered.


At least that is what it seems takes to "run clean" when re-scanned in debug 
mode.


To add to the above, I found a few recent emails containing the URLs in the 
first entry, mentioned above, that were flagged.  Those emails passed without 
notice when scanned as above.  I removed that first entry, scanned again and 
the emails were flagged.  I then entered those URLs again, as the first line, 
this time in regex notation ("." escaped, no "http or https"), scanned again, 
and it was not flagged.


Post your .wdb file here?

--

73,
Ged.


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread joe a

On 8/11/2022 2:02 PM, joe a wrote:

On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

A while back discussed excluding some URLs from triggering the 
heuristics scan.   Seemed to work.  Postfix, spamassassin, clamav in 
use.


Now seems some additional URLs are involved. Perhaps I am doing 
something wrong here.


Been determining (?) the offending URLs by examining the entire 
email using:


clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL:  http://some.url" into 
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl 
restart clamd.service)


I would presume re-scanning as above should no longer flag the 
offending URL(s)?


You presume a lot.  The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format



Well!

Thanks for the direct links. The content appears a bit different than 
I recall, when attempting to decipher it some months back.


Might even prove enjoyable wading through it, were I an S enthusiast.




I do not understand why, when entering more than one URL, the first line 
in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able 
to match when entered "in plain text", while subsequent lines seem to 
want actual "regex" notation (escaped "."), with only the domains entered.


At least that is what it seems takes to "run clean" when re-scanned in 
debug mode.


To add to the above, I found a few recent emails containing the URLs in 
the first entry, mentioned above, that were flagged.  Those emails 
passed without notice when scanned as above.  I removed that first 
entry, scanned again and the emails were flagged.  I then entered those 
URLs again, as the first line, this time in regex notation ("." 
escaped, no "http or https"), scanned again, and it was not flagged.




Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread joe a

On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

A while back discussed excluding some URLs from triggering the 
heuristics scan.   Seemed to work.  Postfix, spamassassin, clamav in 
use.


Now seems some additional URLs are involved. Perhaps I am doing 
something wrong here.


Been determining (?) the offending URLs by examining the entire email 
using:


clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL:  http://some.url" into 
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart 
clamd.service)


I would presume re-scanning as above should no longer flag the 
offending URL(s)?


You presume a lot.  The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format



Well!

Thanks for the direct links. The content appears a bit different than 
I recall, when attempting to decipher it some months back.


Might even prove enjoyable wading through it, were I an S enthusiast.




Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

A while back discussed excluding some URLs from triggering the heuristics 
scan.   Seemed to work.  Postfix, spamassassin, clamav in use.


Now seems some additional URLs are involved. Perhaps I am doing something 
wrong here.


Been determining (?) the offending URLs by examining the entire email using:

clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL:  http://some.url" into 
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart 
clamd.service)


I would presume re-scanning as above should no longer flag the offending 
URL(s)?


You presume a lot.  The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

--

73,
Ged.


[clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread joe a
A while back discussed excluding some URLs from triggering the 
heuristics scan.   Seemed to work.  Postfix, spamassassin, clamav in use.


Now seems some additional URLs are involved. Perhaps I am doing 
something wrong here.


Been determining (?) the offending URLs by examining the entire email 
using:


clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL:  http://some.url" into 
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart 
clamd.service)


I would presume re-scanning as above should no longer flag the offending 
URL(s)?


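The procedure in the original post (grep the clamscan --debug output for flagged pairs, copy the "Real URL:" into a .wdb, restart clamd), written out as an added example that is not from the thread or from ClamAV, and emitting every line in the escaped-host regex form that joe reports working consistently in his later message. It assumes the debug log also carries a "Display URL:" line for the displayed link (the thread only shows "Real URL:"); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV: build X:RealURL:DisplayedURL
# whitelist lines from clamscan --debug output.  Only the pair that precedes a
# "Phishing scan result: URLs are way too different" line is emitted; scheme
# and path are dropped and every dot is escaped, so each line is in the
# escaped-host regex form rather than the plain "http://..." form.
# ASSUMPTION: the displayed link is logged on a "Display URL:" line.

# Constructed sample of debug output (not real clamscan output).
sample_debug_log() {
  cat <<'EOF'
LibClamAV debug: Real URL:  http://data99.bingo.com/login
LibClamAV debug: Display URL:  http://bingobank.com
LibClamAV debug: Phishing scan result: URLs are way too different
LibClamAV debug: Real URL:  https://good.example.net/
LibClamAV debug: Display URL:  https://good.example.net/
LibClamAV debug: Phishing scan result: no match
LibClamAV debug: Real URL:  https://go.sumcc/track?id=7
LibClamAV debug: Display URL:  http://sumccexpanded.com
LibClamAV debug: Phishing scan result: URLs are way too different
LibClamAV debug: Real URL:  https://go.sumcc/track?id=8
LibClamAV debug: Display URL:  http://sumccexpanded.com
LibClamAV debug: Phishing scan result: URLs are way too different
EOF
}

# Read a debug log on stdin, print de-duplicated .wdb lines on stdout.
wdb_from_debug_log() {
  awk '
    # Turn a URL into a host regex: no scheme, no path, dots escaped.
    function host_regex(u) {
      sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", u)
      sub(/[\/?#].*$/, "", u)
      gsub(/\./, "\\\\.", u)
      return u
    }
    /Real URL:/    { real = $NF }
    /Display URL:/ { disp = $NF }
    /Phishing scan result: URLs are way too different/ {
      if (real != "" && disp != "") print "X:" host_regex(real) ":" host_regex(disp)
      real = ""; disp = ""
    }
  ' | sort -u
}

# Usage: sample_debug_log | wdb_from_debug_log >> /var/lib/clamav/somefile.wdb
# then "systemctl restart clamd.service", as in the thread.
```

Re-scan the same messages with clamscan --debug afterwards; the flagged pairs should no longer produce the "URLs are way too different" line.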