Re: [clamav-users] Heuristics, only on or off?
Joe Acquisto-j4 wrote:

> In log find (snipped)
>
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"

This is enabled by the AlertOLE2Macros directive in clamd.conf.

> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"

This is enabled by the PhishingScanURLs directive in clamd.conf.

> I love the first one but loathe the second one.
>
> Is there some secret sauce to allow discriminating between them?

Read the man page for clamd.conf. You may have to do some testing in a
sandbox with some sample emails to determine exactly which combination of
these and several apparently related settings you want enabled.

On the systems I maintain, I found that PhishingScanURLs suffered from too
many false positives (albeit mostly on mail from senders that should really
know better - I'm looking at you, major financial institutions), so I
disabled it for hard pass/fail scanning. I set up a secondary clamd instance
with these and a number of other potentially FP-prone options as well as a
collection of variously potentially risky third party and local signatures,
but without the stock signatures. This second instance is called from
SpamAssassin for scoring instead of hard pass/fail.

-kgd

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Heuristics, only on or off?
Hi there,

On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:

> On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
>> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>>> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>>> and
>>> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>>> I love the first one but loathe the second one.
>>
>> I don't think I understand the question. There are two distinct names for
>> two different classes of threat. What exactly are you looking for that
>> isn't provided by the names? Do you mean distinguishing between individual
>> examples of the type of threat? Perhaps you should be looking at your log
>> verbosity, or perhaps something which analyzes suspect data more
>> thoroughly. Are these logs the result of scanning filesystems, scanning
>> mail, or...?
>
> I was not clear.
>
> ...
>
> Correct. The "spoofed domain" is the one I would rather allow to pass
> through without comment or quarantine as some are "legitimate". But the
> docs did warn about "false positives". Although pedantic types (who me?)
> might argue it is not a "false positive" if it met the testing criteria.

So this is only when you're scanning mail?

> That settles that, apparently. All or nothing.

Not necessarily. But it will help enormously if you will answer my questions.

--
73,
Ged.
Re: [clamav-users] Heuristics, only on or off?
On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:

> In log find (snipped)
>
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>
> and
>
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>
> I love the first one but loathe the second one.
>
> Is there some secret sauce to allow discriminating between them?

If I remember correctly, I used to do this in my MTA - exim, filtering in
the ACL based on the text which you are logging.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
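Both Kris's approach (a second clamd instance whose hits only feed a score) and Andrew's (filter in the MTA on the signature text that ends up in the log) come down to the same thing: take clamd's verdict per signature name rather than turning heuristics on or off globally. The following is an added example of that MTA-side policy step, written for this thread and not taken from ClamAV or from any poster's setup. It streams a message to clamd over clamd's INSTREAM protocol, parses the `stream: ... FOUND` / `stream: OK` reply, and maps the signature name to an action. The socket path, the `SCORE_ONLY_PREFIXES` policy table, the `SCORE_ONLY_WEIGHT` value and all function names are assumptions made for the example; the protocol framing (4-byte big-endian chunk lengths, zero-length terminator, NUL-terminated reply for `z`-prefixed commands) is clamd's documented behaviour.

```python
"""
Added example (not code from the clamav-users thread or from ClamAV):
an MTA-side content filter that asks clamd for a verdict over its INSTREAM
protocol and then decides per signature name.  Signature families listed
in SCORE_ONLY_PREFIXES are handed to a scoring stage (e.g. SpamAssassin)
instead of being rejected outright; every other FOUND is a hard reject.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed clamd local socket; use the LocalSocket value from your clamd.conf.
CLAMD_SOCKET = "/run/clamav/clamd.sock"

# Policy table (an assumption for this example): signature-name prefixes that
# should only contribute a score rather than block delivery.
SCORE_ONLY_PREFIXES = ("Heuristics.Phishing.",)

# Weight passed to the scoring stage for a score-only hit (example value).
SCORE_ONLY_WEIGHT = 3.0

# INSTREAM chunk size; keep below StreamMaxLength in clamd.conf.
CHUNK = 65536


@dataclass
class Verdict:
    action: str               # "accept", "reject" or "score"
    signature: Optional[str]  # clamd signature name, None when clean
    score: float = 0.0


def parse_clamd_reply(reply: bytes) -> Optional[str]:
    """Return the signature name from a zINSTREAM reply, or None if clean.

    clamd answers 'stream: <signature> FOUND' or 'stream: OK', NUL-terminated
    because the command was sent with the 'z' prefix.  Anything else (for
    example 'stream: ... ERROR') raises, so a broken scanner never fails open.
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return text[len("stream: "):-len(" FOUND")]
    raise RuntimeError(f"unexpected clamd reply: {text!r}")


def decide(signature: Optional[str]) -> Verdict:
    """Map a signature name to a delivery action using SCORE_ONLY_PREFIXES."""
    if signature is None:
        return Verdict("accept", None)
    if signature.startswith(SCORE_ONLY_PREFIXES):
        return Verdict("score", signature, SCORE_ONLY_WEIGHT)
    return Verdict("reject", signature)


def scan_bytes(message: bytes, sock_path: str = CLAMD_SOCKET) -> Verdict:
    """Stream one message to a running clamd and return the policy verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        # Each chunk is a 4-byte big-endian length followed by the data;
        # a zero-length chunk ends the stream.
        for off in range(0, len(message), CHUNK):
            chunk = message[off:off + CHUNK]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)
        s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return decide(parse_clamd_reply(reply))


if __name__ == "__main__":
    # Constructed replies standing in for a live clamd, to show the mapping
    # without needing a daemon on this machine.
    for raw in (b"stream: OK\0",
                b"stream: Heuristics.OLE2.ContainsMacros.VBA FOUND\0",
                b"stream: Heuristics.Phishing.Email.SpoofedDomain FOUND\0"):
        print(raw.rstrip(b"\0").decode(), "->", decide(parse_clamd_reply(raw)))
```

With this table, `Heuristics.OLE2.ContainsMacros.VBA` is still rejected while `Heuristics.Phishing.Email.SpoofedDomain` only adds weight for the scoring stage, which is the split the thread is asking for; growing the prefix tuple (or swapping it for a second clamd socket, as in Kris's two-instance layout) changes policy without touching the heuristics directives themselves. An error reply from clamd deliberately raises rather than being treated as clean, so a tempfail in the MTA is the right response at that point.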
Re: [clamav-users] Heuristics, only on or off?
Sent from my iPad

> On Mar 23, 2021, at 18:29, Joe Acquisto-j4 wrote:
>
> The "spoofed domain" is the one I would rather allow to pass through without
> comment or quarantine as some are "legitimate". But the docs did warn
> about "false positives". Although pedantic types (who me?) might argue it
> is not a "false positive" if it met the testing criteria.

There is a whitelist capability (M & X records) that allows designated
alternative domains to pass the heuristics tests, but my observation over
several years now is that nobody seems to be maintaining those entries,
resulting in the FPs observed. I can only guess that most users leave the
option disabled, resulting in whitelist maintenance not being a priority.

-Al-
Re: [clamav-users] Heuristics, only on or off?
> On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
>> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>>
>>> In log find (snipped)
>>
>> Full marks for reading your logs. :)
>>
>>> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>>>
>>> and
>>>
>>> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>>>
>>> I love the first one but loathe the second one.
>>
>> That's your prerogative, of course, but both are generic threat descriptions
>> which are applied to a number of potential threats.
>> I don't see why anyone would like one and dislike the other, but then I don't
>> get sentimental about the descriptions of signatures.
>>
>>> Is there some secret sauce to allow discriminating between them?
>>
>> I don't think I understand the question.

I was not clear. Mark guessed correctly. See below.

>> There are two distinct names for two different classes of threat.
>> What exactly are you looking for that isn't provided by the names?
>> Do you mean distinguishing between individual examples of the type of
>> threat? Perhaps you should be looking at your log verbosity, or perhaps
>> something which analyzes suspect data more thoroughly. Are these logs the
>> result of scanning filesystems, scanning mail, or...?
>
> Although these two (and possibly other Heuristics) are indeed reported
> uniquely, in real cases, I get absolute false positives on the SpoofedDomain
> for "legitimate" messages while I'd always want to stop the ContainsMacros
> case. By "legitimate" here, I'm not saying that whatever heuristic is being
> interpreted incorrectly, but merely that real email from legitimate senders
> is being sent to users who expect to get that specific email.

The "spoofed domain" is the one I would rather allow to pass through without
comment or quarantine as some are "legitimate". But the docs did warn
about "false positives". Although pedantic types (who me?) might argue it
is not a "false positive" if it met the testing criteria.

> Disabling all heuristics avoids all of these detections...

That settles that, apparently. All or nothing.

joe a

> - Mark
Re: [clamav-users] Heuristics, only on or off?
On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>
>> In log find (snipped)
>
> Full marks for reading your logs. :)
>
>> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>>
>> and
>>
>> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>>
>> I love the first one but loathe the second one.
>
> That's your prerogative, of course, but both are generic threat descriptions
> which are applied to a number of potential threats.
> I don't see why anyone would like one and dislike the other, but then I don't
> get sentimental about the descriptions of signatures.
>
>> Is there some secret sauce to allow discriminating between them?
>
> I don't think I understand the question.
>
> There are two distinct names for two different classes of threat.
> What exactly are you looking for that isn't provided by the names?
> Do you mean distinguishing between individual examples of the type of
> threat? Perhaps you should be looking at your log verbosity, or perhaps
> something which analyzes suspect data more thoroughly. Are these logs the
> result of scanning filesystems, scanning mail, or...?

Although these two (and possibly other Heuristics) are indeed reported
uniquely, in real cases, I get absolute false positives on the SpoofedDomain
for "legitimate" messages while I'd always want to stop the ContainsMacros
case. By "legitimate" here, I'm not saying that whatever heuristic is being
interpreted incorrectly, but merely that real email from legitimate senders
is being sent to users who expect to get that specific email.

Disabling all heuristics avoids all of these detections...

- Mark
Re: [clamav-users] Heuristics, only on or off?
Hi there,

On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:

> In log find (snipped)

Full marks for reading your logs. :)

> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>
> and
>
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>
> I love the first one but loathe the second one.

That's your prerogative, of course, but both are generic threat descriptions
which are applied to a number of potential threats. I don't see why anyone
would like one and dislike the other, but then I don't get sentimental about
the descriptions of signatures.

> Is there some secret sauce to allow discriminating between them?

I don't think I understand the question.

There are two distinct names for two different classes of threat. What
exactly are you looking for that isn't provided by the names? Do you mean
distinguishing between individual examples of the type of threat? Perhaps
you should be looking at your log verbosity, or perhaps something which
analyzes suspect data more thoroughly. Are these logs the result of scanning
filesystems, scanning mail, or...?

I see very few examples of this sort of thing, maybe that's because I only
use ClamAV to scan mail, and I drop large numbers of connections before the
client even says 'EHLO'.

--
73,
Ged.
[clamav-users] Heuristics, only on or off?
In log find (snipped)

". . .infected by Heuristics.OLE2.ContainsMacros.VBA"

and

". . .infected by Heuristics.Phishing.Email.SpoofedDomain"

I love the first one but loathe the second one.

Is there some secret sauce to allow discriminating between them?

joe a