Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/12/2022 8:48 AM, joe a wrote:
> On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>> [...] I post the contents of an obfuscated "[...]gud-uns.wdb". [...]
>>> Is it known behavior? An anomaly of my formatting? A bug?
>>
>> I have no idea. I don't have time to mess about with obfuscated information.
>
> What's the difference? All that has been done is letters in the actual URLs were replaced with other letters. I don't think regex cares as long as they are "not special" to regex.

I am certainly not trying to be difficult or simply obstinate, I simply do not understand the issue with obfuscation.

Perhaps your concern is related to the non-obfuscated URLs being required to match an existing "bad" URL and cause some trigger/interaction with clamd or clamscan in some way that is not obvious to someone at my level of knowledge?

If so, I would be happy to provide the non-obfuscated version off list or in some other way, as previously indicated.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>> [...] I post the contents of an obfuscated "[...]gud-uns.wdb". [...]
>> Is it known behavior? An anomaly of my formatting? A bug?
>
> I have no idea. I don't have time to mess about with obfuscated information.

What's the difference? All that has been done is letters in the actual URLs were replaced with other letters. I don't think regex cares as long as they are "not special" to regex.
Re: [clamav-users] excluding a URL from "heuristics" scanning

Hi there,

On Thu, 11 Aug 2022, joe a wrote:
> [...] I post the contents of an obfuscated "[...]gud-uns.wdb". [...]
> Is it known behavior? An anomaly of my formatting? A bug?

I have no idea. I don't have time to mess about with obfuscated information.

--
73,
Ged.
Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/11/2022 7:10 PM, joe a wrote:
> On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>> I do not understand why, when entering more than one URL, the first line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match when entered "in plain text", while subsequent lines seem to want actual "regex" notation (escaped "."), with only the domains entered. At least that is what it seems takes to "run clean" when re-scanned in debug mode.
>>>
>>> To add to the above, I found a few recent emails containing the URLs in the first entry, mentioned above, that were flagged. Those emails passed without notice when scanned as above. I removed that first entry, scanned again and the emails were flagged. I then entered those URLs again, as the first line, this time in regex notation ("." escaped, no "http or https"), scanned again, and it was not flagged.
>>
>> Post your .wdb file here?
>
> In the "old days" I would not hesitate, but in the current age, I do, simply because it is essentially "public". Would somewhat obfuscated be OK? Sent "off list" to volunteer victims? Or posted to some less public place?

Having taken the (rhetorical) purple pill . . . and written and thought better of several rambling and vacuous screeds . . . I post the contents of an obfuscated "/my/install/location/gud-uns.wdb". Please hold the cheers and applause, I won't hear them anyway.

X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work for scanning with clamd or clamscan (in debug mode).

X:http://data99.bingo.com:http://bingobank.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work scanning with clamscan, but formatting the last three lines as the first line fails to pass those three.

In any case, I am OK with it working with formatting as the first example, but the oddity of the second cited example, an outgrowth of my first foray into this, kind of stumbled me.

Is it known behavior? An anomaly of my formatting? A bug?
Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>> I do not understand why, when entering more than one URL, the first line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match when entered "in plain text", while subsequent lines seem to want actual "regex" notation (escaped "."), with only the domains entered. At least that is what it seems takes to "run clean" when re-scanned in debug mode.
>>
>> To add to the above, I found a few recent emails containing the URLs in the first entry, mentioned above, that were flagged. Those emails passed without notice when scanned as above. I removed that first entry, scanned again and the emails were flagged. I then entered those URLs again, as the first line, this time in regex notation ("." escaped, no "http or https"), scanned again, and it was not flagged.
>
> Post your .wdb file here?

In the "old days" I would not hesitate, but in the current age, I do, simply because it is essentially "public". Would somewhat obfuscated be OK? Sent "off list" to volunteer victims? Or posted to some less public place?
Re: [clamav-users] excluding a URL from "heuristics" scanning

Hi there,

On Thu, 11 Aug 2022, joe a wrote:
> I do not understand why, when entering more than one URL, the first line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match when entered "in plain text", while subsequent lines seem to want actual "regex" notation (escaped "."), with only the domains entered. At least that is what it seems takes to "run clean" when re-scanned in debug mode.
>
> To add to the above, I found a few recent emails containing the URLs in the first entry, mentioned above, that were flagged. Those emails passed without notice when scanned as above. I removed that first entry, scanned again and the emails were flagged. I then entered those URLs again, as the first line, this time in regex notation ("." escaped, no "http or https"), scanned again, and it was not flagged.

Post your .wdb file here?

--
73,
Ged.
Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/11/2022 2:02 PM, joe a wrote:
> On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>> A while back discussed excluding some URLs from triggering the heuristics scan. Seemed to work. Postfix, spamassassin, clamav in use.
>>>
>>> Now seems some additional URLs are involved. Perhaps I am doing something wrong here.
>>>
>>> Been determining (?) the offending URLs by examining the entire email using:
>>>
>>>   clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>>>
>>> then looking for offenders using:
>>>
>>>   grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>>>
>>> entering the URL seen in "Real URL: http://some.url" into "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart clamd.service)
>>>
>>> I would presume re-scanning as above should no longer flag the offending URL(s)?
>>
>> You presume a lot. The documentation seems to say otherwise:
>>
>> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
>
> Well! Thanks for the direct links. The content appears a bit different than I recall, when attempting to decipher it some months back. Might even prove enjoyable wading through it, were I an S enthusiast.

I do not understand why, when entering more than one URL, the first line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match when entered "in plain text", while subsequent lines seem to want actual "regex" notation (escaped "."), with only the domains entered. At least that is what it seems takes to "run clean" when re-scanned in debug mode.

To add to the above, I found a few recent emails containing the URLs in the first entry, mentioned above, that were flagged. Those emails passed without notice when scanned as above. I removed that first entry, scanned again and the emails were flagged. I then entered those URLs again, as the first line, this time in regex notation ("." escaped, no "http or https"), scanned again, and it was not flagged.
Re: [clamav-users] excluding a URL from "heuristics" scanning

On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>> A while back discussed excluding some URLs from triggering the heuristics scan. Seemed to work. Postfix, spamassassin, clamav in use.
>>
>> Now seems some additional URLs are involved. Perhaps I am doing something wrong here.
>>
>> Been determining (?) the offending URLs by examining the entire email using:
>>
>>   clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>>
>> then looking for offenders using:
>>
>>   grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>>
>> entering the URL seen in "Real URL: http://some.url" into "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart clamd.service)
>>
>> I would presume re-scanning as above should no longer flag the offending URL(s)?
>
> You presume a lot. The documentation seems to say otherwise:
>
> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

Well! Thanks for the direct links. The content appears a bit different than I recall, when attempting to decipher it some months back. Might even prove enjoyable wading through it, were I an S enthusiast.
Re: [clamav-users] excluding a URL from "heuristics" scanning

Hi there,

On Thu, 11 Aug 2022, joe a wrote:
> A while back discussed excluding some URLs from triggering the heuristics scan. Seemed to work. Postfix, spamassassin, clamav in use.
>
> Now seems some additional URLs are involved. Perhaps I am doing something wrong here.
>
> Been determining (?) the offending URLs by examining the entire email using:
>
>   clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>
> then looking for offenders using:
>
>   grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>
> entering the URL seen in "Real URL: http://some.url" into "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart clamd.service)
>
> I would presume re-scanning as above should no longer flag the offending URL(s)?

You presume a lot. The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

--
73,
Ged.
[clamav-users] excluding a URL from "heuristics" scanning

A while back discussed excluding some URLs from triggering the heuristics scan. Seemed to work. Postfix, spamassassin, clamav in use.

Now seems some additional URLs are involved. Perhaps I am doing something wrong here.

Been determining (?) the offending URLs by examining the entire email using:

  clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

  grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL: http://some.url" into "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart clamd.service)

I would presume re-scanning as above should no longer flag the offending URL(s)?
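Added example (not from the thread and not ClamAV code): a Python helper that turns the grep step in the original post into candidate .wdb entries in the escaped, hostname-only form that the posted gud-uns.wdb shows working, and lints an existing file for the scheme-prefixed, unescaped-dot form that the second posting found not to match. It assumes the debug log carries a "Display URL:" line beside each "Real URL:" line and a "LibClamAV debug:" prefix; the sample log is constructed, and the lint encodes the thread's observations, not ClamAV's own matcher.

```python
import re
from urllib.parse import urlsplit

# Constructed clamscan --debug sample (not a real capture). "Display URL:" and
# the "LibClamAV debug:" prefix are assumed; the other two lines are quoted from the thread.
SAMPLE_DEBUG = """\
LibClamAV debug: Real URL:http://go.sumcc/abc
LibClamAV debug: Display URL:http://sumccexpanded.com/
LibClamAV debug: Phishing scan result: URLs are way too different
LibClamAV debug: Real URL:http://m.sumcc/x
LibClamAV debug: Display URL:http://cdaas.sumccexpanded.com/x
LibClamAV debug: Phishing scan result: URLs are way too different
LibClamAV debug: Real URL:http://go.sumcc/def
LibClamAV debug: Display URL:http://sumccexpanded.com/
LibClamAV debug: Phishing scan result: URLs are way too different
"""
REAL = re.compile(r"Real URL:\s*(\S+)")
DISP = re.compile(r"Display URL:\s*(\S+)")

def host_regex(url: str) -> str:
    """Hostname only (no scheme, path or port), '.' escaped to match literally."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.replace(".", r"\.")

def candidate_entries(debug_log: str) -> list[str]:
    """One X:RealHost:DisplayHost line per distinct pair the scanner flagged."""
    entries, real, disp = {}, None, None  # dict keeps insertion order, drops repeats
    for line in debug_log.splitlines():
        if m := REAL.search(line):
            real = m.group(1)
        elif m := DISP.search(line):
            disp = m.group(1)
        elif "URLs are way too different" in line and real and disp:
            entries[f"X:{host_regex(real)}:{host_regex(disp)}"] = None
            real = disp = None
    return list(entries)

def lint_wdb(wdb_text: str) -> list[str]:
    """Flag the forms the thread found not to match: a scheme prefix, and an
    unescaped '.' (which a regex reads as 'any character')."""
    warnings = []
    for n, line in enumerate(wdb_text.splitlines(), 1):
        if not line.startswith(("X:", "M:")):
            continue
        if "://" in line:
            warnings.append(f"line {n}: scheme present; use hostnames only")
        if re.search(r"(?<!\\)\.", line[2:]):
            warnings.append(f"line {n}: unescaped '.'")
    return warnings
```

Run `lint_wdb` over the .wdb before restarting clamd; a clean result means every entry is in the form the thread saw pass, which is a format check, not a guarantee that the exclusion is wise.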