PATCH SweepViruses.pm - clamavmodule false positives
MailScanner at ecs.soton.ac.uk
Mon Aug 6 15:48:55 IST 2007
Okay, if it has caused a second false positive in that situation, then I
would advise both patches after all.
By the way, when doing diffs for use in patches, please do a
"diff -Naur" as that gives patches in a nice concise format but with enough
context. Diffs without any context are impossible to reliably apply.
> What does the 2nd patch affect?
> Is that when you are not using the full message scan option?
> In that case I would still suggest applying the 2nd patch as when I
> looked through my logs I noticed that it did have a single false
> positive where it matched a legit failed delivery notice.
> Since the option disables a check on raw messages which should not be
> there and the fact that the option is the default in clamscan/clamd it
> makes sense to me for it to be in.
> On Mon, 2007-08-06 at 15:16, Julian Field wrote:
>> You only actually want to apply the first of the 2 patches, as you only
>> want to affect the code that scans the *.message and *.header files.
>> It will be in the next release.
>> Please can some other people test this and confirm it works reliably?
>> Gareth wrote:
>>> Attached is a patch for SweepViruses.pm which fixes the false positives
>>> issue with Phishing.Heuristics.Email.SpoofedDomain when using
>>> Clamavmodule and the full message scan option.
>>> It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
>>> clamavmodule source :-
>>> =item CL_SCAN_PHISHING_DOMAINLIST
>>> Phishing module: restrict URL scanning to domains from .pdf
>>> I believe that as this option was not previously set it is equivalent to
>>> the following clamscan option :-
>>> Enable url-based heuristic phishing detection for all domains
>>> (might lead to false positives!).
>>> Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
>>> --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
>>> I will contact the author about it anyway.
>>> I don't really know what this option does exactly but it is a recommended
>>> setting, its name seems to indicate it is related to the false positives
>>> I was getting, and setting it does seem to have cured the problem.
>> --
>> Julian Field MEng CITP
>> Buy the MailScanner book at www.MailScanner.info/store
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Julian Field MEng CITP