PATCH SweepViruses.pm - clamavmodule false positives

Julian Field MailScanner at ecs.soton.ac.uk
Mon Aug 6 15:48:55 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, if it has caused a second false positive in that situation, then I 
would advise both patches after all.

By the way, when doing diffs for use in patches, please do a "diff 
-Naur" as that gives patches in a nice concise format but with enough 
context. Diffs without any context are impossible to reliably apply.

Gareth wrote:
> What does the 2nd patch affect?
> Is that when you are not using the full message scan option?
>
> In that case I would still suggest applying the 2nd patch as when I
> looked through my logs I noticed that it did have a single false
> positive where it matched a legit failed delivery notice.
> Since the option disables a check on raw messages which should not be
> there and the fact that the option is the default in clamscan/clamd it
> makes sense to me for it to be in.
>
> On Mon, 2007-08-06 at 15:16, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> You only actually want to apply the first of the 2 patches, as you only 
>> want to affect the code that scans the *.message and *.header files.
>>
>> It will be in the next release.
>>
>> Please can some other people test this and confirm it works reliably?
>>
>> Gareth wrote:
>>> Attached is a patch for SweepViruses.pm which fixes the false positives
>>> issue with Phishing.Heuristics.Email.SpoofedDomain when using
>>> Clamavmodule and the full message scan option.
>>>
>>> It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
>>> clamavmodule source :-
>>> =item CL_SCAN_PHISHING_DOMAINLIST
>>> Phishing module: restrict URL scanning to domains from .pdf
>>> (RECOMMENDED).
>>>
>>> I believe that as this option was not previously set it is equivalent to
>>> the following clamscan option :-
>>>        --no-phishing-restrictedscan
>>>        Enable url-based heuristic phishing detection for all domains
>>> (might lead to false positives!).
>>>
>>> Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
>>> --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
>>> I will contact the author about it anyway.
>>>
>>> I don't really know what this option does exactly but it is a recommended
>>> setting, its name seems to indicate it is related to the false positives
>>> I was getting, and setting it does seem to have cured the problem.
>> Jules
>>
>> -- 
>> Julian Field MEng CITP
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.6.2 (Build 2014)
>> Comment: (pgp-secured)
>> Charset: ISO-8859-1
>>
>> wj8DBQFGty0vEfZZRxQVtlQRAgNvAKClvd3nYnkZaaePge//JWDYGr8gVACgv7+H
>> ApgOZBY/pz0cF9ZPiEkxnxs=
>> =Jnzy
>> -----END PGP SIGNATURE-----
>>
>> -- 
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> For all your IT requirements visit www.transtec.co.uk

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGtzTYEfZZRxQVtlQRAk1vAKCWacUcv9e74uvL/BXJjw8AL84PcACgpXVk
eTYXKllqJ7aYY7qaQt0X4XU=
=s29h
-----END PGP SIGNATURE-----

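Added example, not part of the thread or of MailScanner's own SweepViruses.pm: a stand-alone Perl script that shows the one-line change the thread discusses, i.e. OR-ing CL_SCAN_PHISHING_DOMAINLIST into the option set passed to Mail::ClamAV (the "clamavmodule") when scanning the unpacked *.message and *.header files. The Mail::ClamAV calls used (new/retdbdir, buildtrie, scan, and the ->virus / ->error accessors on the returned status object) are my assumptions about that module's API from the 2007 era, not verified against the version the posters ran; the directory layout and the restrict_phishing knob are hypothetical.

```perl
#!/usr/bin/perl
# Example only: demonstrates passing CL_SCAN_PHISHING_DOMAINLIST to the
# clamavmodule scanner, as the thread's first patch does. All API usage
# is an assumption about Mail::ClamAV and is not MailScanner's own code.
use strict;
use warnings;
use File::Spec;
use Mail::ClamAV qw(:all);   # exports CL_SCAN_* constants and retdbdir()

# Build the option bitmask. Without CL_SCAN_PHISHING_DOMAINLIST the
# heuristic URL-based phishing check runs against every domain (the
# clamscan --no-phishing-restrictedscan behaviour quoted in the thread),
# which is what produced Phishing.Heuristics.Email.SpoofedDomain hits on
# legitimate bounce messages. With it set, URL scanning is restricted to
# the domains listed in the .pdb phishing database.
sub scan_options {
    my ($restrict_phishing) = @_;            # hypothetical knob
    my $opts = CL_SCAN_STDOPT | CL_SCAN_MAIL | CL_SCAN_ARCHIVE;
    $opts |= CL_SCAN_PHISHING_DOMAINLIST if $restrict_phishing;
    return $opts;
}

# Scan every *.message and *.header file under $dir and return a hash of
# filename => detection name for anything ClamAV flagged.
sub scan_message_files {
    my ($clam, $dir, $opts) = @_;
    my %hits;
    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    for my $name (sort readdir($dh)) {
        next unless $name =~ /\.(?:message|header)$/;
        my $path = File::Spec->catfile($dir, $name);
        my $status = $clam->scan($path, $opts);   # assumed signature
        if ($status->error) {
            warn "$path: scan error: " . $status->error . "\n";
            next;
        }
        # ->virus is assumed to return the detection name (false if clean)
        $hits{$name} = $status->virus if $status->virus;
    }
    closedir($dh);
    return \%hits;
}

# Usage (hypothetical paths): perl clamflags.pl /var/spool/MailScanner/incoming/12345
my $dir = shift @ARGV or die "usage: $0 <directory of unpacked message files>\n";

my $clam = Mail::ClamAV->new(retdbdir())   # load signatures from the default DB dir
    or die "Mail::ClamAV->new failed: " . Mail::ClamAV::errstr() . "\n";
$clam->buildtrie;                           # required before the first scan

for my $restrict (0, 1) {
    my $label = $restrict ? "with CL_SCAN_PHISHING_DOMAINLIST" : "without it";
    my $hits  = scan_message_files($clam, $dir, scan_options($restrict));
    printf "%-35s %d detection(s)\n", $label . ':', scalar keys %$hits;
    printf "  %s => %s\n", $_, $hits->{$_} for sort keys %$hits;
}
```

Running the same spool directory through both option sets makes the effect of the flag directly observable: a bounce that trips Phishing.Heuristics.Email.SpoofedDomain in the first pass should come back clean in the second, while genuine signature-based detections are unaffected, which is the check the thread asks other list members to confirm.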


