PATCH SweepViruses.pm - clamavmodule false positives

Gareth list-mailscanner at linguaphone.com
Mon Aug 6 15:33:26 IST 2007


What does the 2nd patch affect?
Is that when you are not using the full message scan option?

In that case I would still suggest applying the 2nd patch as when I
looked through my logs I noticed that it did have a single false
positive where it matched a legit failed delivery notice.
Since the option disables a check on raw messages which should not be
there and the fact that the option is the default in clamscan/clamd it
makes sense to me for it to be in.

On Mon, 2007-08-06 at 15:16, Julian Field wrote:
> You only actually want to apply the first of the 2 patches, as you only 
> want to affect the code that scans the *.message and *.header files.
> 
> It will be in the next release.
> 
> Please can some other people test this and confirm it works reliably?
> 
> Gareth wrote:
> > Attached is a patch for SweepViruses.pm which fixes the false positives
> > issue with Phishing.Heuristics.Email.SpoofedDomain when using
> > Clamavmodule and the full message scan option.
> >
> > It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
> > clamavmodule source :-
> > =item CL_SCAN_PHISHING_DOMAINLIST
> > Phishing module: restrict URL scanning to domains from .pdf
> > (RECOMMENDED).
> >
> > I believe that as this option was not previously set it is equivalent to
> > the following clamscan option :-
> >        --no-phishing-restrictedscan
> >        Enable url-based heuristic phishing detection for all domains
> > (might lead to false positives!).
> >
> > Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
> > --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
> > I will contact the author about it anyway.
> >
> > I don't really know what this option does exactly but it is a recommended
> > setting, its name seems to indicate it is related to the false positives
> > I was getting, and setting it does seem to have cured the problem.
> >   
> 
> Jules
> 
> -- 
> Julian Field MEng CITP
> www.MailScanner.info


