Re: [clamav-users] allowlist/fixing false positive
Hi there,

On Thu, 3 Mar 2022, Alex via clamav-users wrote:

> The cld version was dated Sept 19th (since manually deleted) and the
> cvd version is dated Sept 22nd. I'll have to see if it returns.

I suspect that the cld version was created when you updated the ClamAV
utilities from the distribution's packages. I think I've seen this on
another occasion here on the list not long ago, maybe worth a search.

> btw, can I ask if people are still using the Google safebrowsing
> database with the api key?

I can only speak from my own experience. I never saw the safebrowsing
database catch anything, and when Sourcefire stopped distributing it I
stopped using it.

--
73,
Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] allowlist/fixing false positive
Hi,

> > How do I exclude this email from being tagged without having to bypass
> > the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
> >
> > X-Amavis-Alert: INFECTED, message contains virus:
> > Heuristics.Phishing.Email.SpoofedDomain
>
> I think this can be enabled by disabling PhishingScanURLs in clamd.conf
> I also think amavis has a way to handle this kind of clamav result
> differently, but that's a question for amavis, not for clamav.

I've located this amavisd entry I created many years ago and could
probably adapt it to bypass this rule, but I'm not sure that's what I want.

@virus_name_to_spam_score_maps = (new_RE(
  # the order matters, first match wins
  [ qr'^Heuristics.OLE2.ContainsMacros' => 1.1 ],
));

I don't believe the NCUA is using these lnk.gd links maliciously, but
perhaps that's misguided thinking, and I hoped there was a way to bypass
the restriction for this sender or this email.

> > Also, I keep deleting the main.cvd database but it keeps replacing it.
> > How do I configure clamav so it only updates one of the main database
> > types?
> >
> > clamscan -v virus-20220228T143424-suCp6LTlKRG5
> > LibClamAV Warning: Detected duplicate databases
> > /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> > remove one of them
>
> do you have both of them? which one is older?
> Don't you have old clamav(-freshclam) installation hanging somewhere?

The cld version was dated Sept 19th (since manually deleted) and the cvd
version is dated Sept 22nd. I'll have to see if it returns. I have
freshclam in a cron script, as well as the clamav-unofficial-sigs script,
but I just ran each independently and neither created the cld version on
its own.

Running freshclam manually shows:

# freshclam -v
Current working dir is /var/lib/clamav/
Loaded freshclam.dat:
  version:    1
  uuid:       3c2d69eb-43f9-4dc2-b65d-c765960e1b15
ClamAV update process started at Thu Mar  3 10:52:04 2022
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.103.5
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cld.
query_remote_database_version: daily.cvd version from DNS: 26470
daily.cld database is up-to-date (version: 26470, sigs: 1975302, f-level: 90, builder: raynman)
fc_update_database: daily.cld already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of main found: main.cvd.
query_remote_database_version: main.cvd version from DNS: 62
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
fc_update_database: main.cvd already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
query_remote_database_version: bytecode.cvd version from DNS: 333
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
fc_update_database: bytecode.cvd already up-to-date.

[root@armor cron.d]# ls -lh /var/lib/clamav/main*
-rw-r--r-- 1 clamupdate clamupdate 163M Sep 22 10:01 /var/lib/clamav/main.cvd
[root@armor cron.d]# ls -l /var/lib/clamav/daily*
-rw-r--r-- 1 clamupdate clamupdate 182230528 Mar  3 06:31 /var/lib/clamav/daily.cld

There's also a reference to the cld file in /etc/freshclam.conf:

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

btw, can I ask if people are still using the Google safebrowsing database
with the api key?
Re: [clamav-users] allowlist/fixing false positive
On 01.03.22 17:15, Alex via clamav-users wrote:
> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix.
> I have a newsletter from ncua.gov that keeps getting blocked because it
> apparently contains links.gd in the body somewhere, although I can't
> find it.
>
> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
>
> X-Amavis-Alert: INFECTED, message contains virus:
> Heuristics.Phishing.Email.SpoofedDomain

I think this can be enabled by disabling PhishingScanURLs in clamd.conf
I also think amavis has a way to handle this kind of clamav result
differently, but that's a question for amavis, not for clamav.

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?
>
> clamscan -v virus-20220228T143424-suCp6LTlKRG5
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> remove one of them

do you have both of them? which one is older?
Don't you have old clamav(-freshclam) installation hanging somewhere?

> LibClamAV info: Real URL:https://lnks.gd
> LibClamAV info: Display URL: chairmanharpersfullremarksareavailableonncua.gov
> /root/quarantine/virus-20220228T143424-suCp6LTlKRG5: Heuristics.Phishing.Email.SpoofedDomain FOUND

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
Re: [clamav-users] allowlist/fixing false positive
Hi there,

On Tue, 1 Mar 2022, Alex via clamav-users wrote:

> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix.
> I have a newsletter from ncua.gov that keeps getting blocked because it

The providers of Fedora do some IMHO slightly odd things with ClamAV
packaging which sometimes show up here on the mailing list. More on that
later.

> apparently contains links.gd in the body somewhere, although I can't
> find it.

How did you look?! The string is present in the message eight times.
The line numbers are shown below:

8<--
$ grep -n 'lnks\.gd' EXZ1fDpK.raw
357: margin: 0 0 15px;">https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJ=
564:ca,sans-serif">https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxs=
571:" alt=3D"Facebook"> =A0 https://lnks.gd/l/eyJhbGciOiJIUzI1=
578:original.png" alt=3D"Twitter"> =A0 https://lnks.gd/l/eyJhb=
586:tps://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDQsInVy=
600:https://lnks.gd/l=
606:rel=3D"noopener">Unsubscribe=A0|=A0 https://lnks.gd/l/eyJh=
644:op" width=3D"95">https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidW=
8<--

> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Given the limitation you impose (not bypassing the rule altogether)
that's probably not a ClamAV question. You can whitelist things in
several ways. Although I've never used Amavis myself I'm sure that you
can use its whitelisting features. Try searching for something like that
in the Amavis documentation, if you don't come up with an easy way to do
it drop me a private message. (It will be rejected, but you don't need
to worry about that - I'll still read it. :)

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?

My guess is that you somehow have two update mechanisms operating, and
that you need to stop one of them. There are probably two 'freshclam'
processes running. At a guess one of them is running 24/7 as a daemon
and the other one is running from a cron job or similar. This is what I
meant by some slightly odd things in Fedora - I think they might be
making it too easy for people to get into this position because of the
way they split up and repackage various parts of ClamAV. You might find
that it's less of an issue if you use the package from the ClamAV
Website instead of the Fedora packages, but sometimes 'management' and
'policy' and things like that intrude to make that difficult. I have to
repeat that a lot of what I've said in this paragraph is guesswork. If
it helps, great, if not please do get back to us.

--
73,
Ged.
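An added example, not from the thread and not a ClamAV tool, of a check for the "duplicate databases" situation Alex reports: a Python script that scans a database directory for names present as both .cvd and .cld, reads the version from the 512-byte "ClamAV-VDB:" header that both file types start with, and says which of the pair to remove (the lower version; on a tie the .cvd, which is this script's own choice, since the .cld is the copy freshclam maintains with incremental updates). The sample directory it builds is constructed test data that reuses the version, signature-count, f-level and builder values from the freshclam output quoted in the thread; on a real host point it at /var/lib/clamav instead.

```python
import os
import tempfile
from typing import Dict, List

HEADER_LEN = 512  # a .cvd/.cld file begins with a fixed-size text header


def read_db_header(path: str) -> Dict[str, object]:
    """Parse the 'ClamAV-VDB:' header shared by .cvd and .cld files.

    Colon-separated fields after the magic: build time, version, signature
    count, functionality level, MD5, digital signature, builder, build time
    in seconds. Only the fields useful for comparing two copies are returned.
    """
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    fields = head.decode("latin-1").rstrip("\0 ").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError(f"{path}: not a ClamAV database header")
    return {"version": int(fields[2]), "sigs": int(fields[3]),
            "flevel": int(fields[4]), "builder": fields[7]}


def find_duplicate_databases(db_dir: str) -> List[Dict[str, object]]:
    """Report every base name that exists as both name.cvd and name.cld.

    Each report carries both versions and the path to remove: the lower
    version, or the .cvd when the versions are equal (script's own choice).
    """
    by_name: Dict[str, Dict[str, str]] = {}
    for entry in os.scandir(db_dir):
        base, ext = os.path.splitext(entry.name)
        if entry.is_file() and ext in (".cvd", ".cld"):
            by_name.setdefault(base, {})[ext] = entry.path
    report = []
    for base in sorted(by_name):
        paths = by_name[base]
        if ".cvd" not in paths or ".cld" not in paths:
            continue  # a single copy is the normal state; nothing to do
        cvd = read_db_header(paths[".cvd"])
        cld = read_db_header(paths[".cld"])
        remove = paths[".cvd"] if cvd["version"] <= cld["version"] else paths[".cld"]
        report.append({"name": base, "cvd_version": cvd["version"],
                       "cld_version": cld["version"], "remove": remove})
    return report


def write_fake_db(path: str, version: int, sigs: int, flevel: int, builder: str) -> None:
    """Write a file with a well-formed header and no body (constructed test data)."""
    header = (f"ClamAV-VDB:01 Jan 2022 00-00 +0000:{version}:{sigs}:{flevel}"
              f":MD5PLACEHOLDER:SIGPLACEHOLDER:{builder}:0")
    with open(path, "wb") as fh:
        fh.write(header.encode().ljust(HEADER_LEN, b"\0"))


def build_sample_dir(db_dir: str = "") -> str:
    """Constructed layout mirroring the thread: main.cvd v62 next to a stale
    main.cld, plus a lone daily.cld. Returns the directory used."""
    db_dir = db_dir or tempfile.mkdtemp(prefix="clamdb-")
    write_fake_db(os.path.join(db_dir, "main.cvd"), 62, 6647427, 90, "sigmgr")
    write_fake_db(os.path.join(db_dir, "main.cld"), 61, 6647000, 90, "sigmgr")
    write_fake_db(os.path.join(db_dir, "daily.cld"), 26470, 1975302, 90, "raynman")
    return db_dir


if __name__ == "__main__":
    sample = build_sample_dir()  # replace with "/var/lib/clamav" on a real host
    for dup in find_duplicate_databases(sample):
        print(f"{dup['name']}: .cvd v{dup['cvd_version']}, .cld v{dup['cld_version']}"
              f" -> remove {dup['remove']}")
```

Removing the file only clears the warning; the question of which second updater recreated it is answered by looking for a freshclam daemon alongside the cron entry, as the reply suggests.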
Re: [clamav-users] allowlist/fixing false positive
Alex via clamav-users wrote:
> Hi,
> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix.
> I have a newsletter from ncua.gov that keeps getting blocked because it
> apparently contains links.gd in the body somewhere, although I can't
> find it.
>
> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Putting aside all of the "why are you idiots sending mail that triggers
this test in the first place" grumpiness at the senders, I'd recommend
redesigning your mail flow so that this is only triggered in a Clam
instance whose results are scored in SpamAssassin or some other layer
where this particular test can be scored alongside other things. I gave
up chasing FPs on it when used as a hard pass/fail check. Too many
places that should really know better... apparently don't. :/

(Seriously, why are so many places using URL shorteners as the link
targets in HTML mail? It's not like the eleventy-gazillion characters
of clicktracker are taking up visual space in the message...)

If you still want to press on, look up the ".wdb" signature file (seems
to be available at
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
now), and add lines similar to these:

X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com

I sometimes had to fiddle and guess and shorten and lengthen and swap
the URI elements to get it to properly match and exclude the link from
this test; good luck.

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?
>
> clamscan -v virus-20220228T143424-suCp6LTlKRG5
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> remove one of them

O_o That's a new one on me. I don't recall ever having spontaneously
had both regenerate, and IIRC it's been a while since I've even seen
the .cvd on live systems I maintain. (At a quick look, all of them seem
to just have the .cld files.)

Maybe remove the file, and run freshclam -D to see if that gives any
more detail about what's going on? Maybe remove the .cld and see what
freshclam does? Maybe remove *ALL* files in the ClamAV database
directory path, and let freshclam download complete fresh copies of
everything?

-kgd
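An added example, not from the thread and not libclamav's own matcher, of what the two kinds of .wdb line in the reply above do, written in Python as a simplified model of the documented format: an X: line carries a regex for the real URL and a regex for the displayed URL, an M: line carries two exact hostnames, and a (real, display) pair is allowed as soon as both halves of one line match. The model assumes whole-string regex matching on scheme-stripped URLs and that fields contain no colon; both are this example's assumptions, not a statement of how libclamav does it. The allowlist text and link pairs are constructed test data modelled on the two lines quoted above and on the Real URL / Display URL pair in Alex's clamscan output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WdbEntry:
    """One allowlist line: kind 'X' (regex pair) or 'M' (exact hostname pair)."""
    kind: str
    real: str
    display: str
    lineno: int


def strip_scheme(url: str) -> str:
    """Drop a leading http:// or https:// so entries need not repeat the scheme."""
    return re.sub(r"^https?://", "", url.strip(), flags=re.IGNORECASE)


def hostname(url: str) -> str:
    """Hostname of a URL or display string, lower-cased, without any path."""
    return strip_scheme(url).split("/", 1)[0].lower()


def parse_wdb(text: str) -> List[WdbEntry]:
    """Parse X:/M: lines; blank lines and '#' comments are skipped.

    A line that is not exactly three colon-separated fields, or whose X:
    regexes do not compile, is rejected with its line number so a typo in
    the allowlist fails loudly instead of silently matching nothing.
    """
    entries: List[WdbEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] not in ("X", "M"):
            raise ValueError(f"line {lineno}: expected 'X:real:display' or 'M:real:display'")
        kind, real, display = fields
        if kind == "X":
            for pat in (real, display):
                try:
                    re.compile(pat)
                except re.error as exc:
                    raise ValueError(f"line {lineno}: bad regex {pat!r}: {exc}") from exc
        entries.append(WdbEntry(kind, real, display, lineno))
    return entries


def check_link(entries: List[WdbEntry], real_url: str, display_url: str) -> Optional[WdbEntry]:
    """Return the first entry that allows the pair, or None if the pair stays
    subject to the SpoofedDomain check. X: regexes must match the whole
    scheme-stripped string; M: hostnames must be equal (case-insensitive)."""
    real_s, disp_s = strip_scheme(real_url), strip_scheme(display_url)
    for e in entries:
        if e.kind == "X":
            if (re.fullmatch(e.real, real_s, re.IGNORECASE)
                    and re.fullmatch(e.display, disp_s, re.IGNORECASE)):
                return e
        elif hostname(real_url) == e.real.lower() and hostname(display_url) == e.display.lower():
            return e
    return None


# Constructed sample allowlist, modelled on the two lines quoted in the reply.
WDB_SAMPLE = r"""
# exact hostname pair, listed first so it wins over the broader regex pair
M:click.info4.accountonline.com:image.info9.citibank.com
# regex pair: any accountonline.com host, optional path, shown as a citibank.com host
X:.+\.accountonline\.com(/.*)?:.+\.citibank\.com(/.*)?
"""

# Constructed pairs in the shape clamscan logs as "Real URL" / "Display URL".
SAMPLE_LINKS = [
    ("https://click.info4.accountonline.com/track?id=1", "www.citibank.com"),
    ("http://click.info4.accountonline.com", "image.info9.citibank.com"),
    ("https://lnks.gd/l/abc", "chairmanharpersfullremarksareavailableonncua.gov"),
]

if __name__ == "__main__":
    allow = parse_wdb(WDB_SAMPLE)
    for real, shown in SAMPLE_LINKS:
        hit = check_link(allow, real, shown)
        verdict = f"allowed by line {hit.lineno} ({hit.kind})" if hit else "still checked"
        print(f"{real} -> {shown}: {verdict}")
```

The third sample pair is the one from the thread and is deliberately left unmatched: an X: line whose real-URL half accepts lnks.gd would admit every link that goes through that shortener, whatever it redirects to, which is the reason the reply prefers scoring the heuristic in SpamAssassin over a hard pass/fail.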
[clamav-users] allowlist/fixing false positive
Hi,

I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix.
I have a newsletter from ncua.gov that keeps getting blocked because it
apparently contains links.gd in the body somewhere, although I can't
find it.

How do I exclude this email from being tagged without having to bypass
the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

X-Amavis-Alert: INFECTED, message contains virus:
Heuristics.Phishing.Email.SpoofedDomain

Also, I keep deleting the main.cvd database but it keeps replacing it.
How do I configure clamav so it only updates one of the main database
types?

clamscan -v virus-20220228T143424-suCp6LTlKRG5
LibClamAV Warning: Detected duplicate databases
/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
remove one of them
Scanning /root/quarantine/virus-20220228T143424-suCp6LTlKRG5
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL:https://lnks.gd
LibClamAV info: Display URL: chairmanharpersfullremarksareavailableonncua.gov
/root/quarantine/virus-20220228T143424-suCp6LTlKRG5: Heuristics.Phishing.Email.SpoofedDomain FOUND

The entire email can be found here:
https://pastebin.com/EXZ1fDpK