PATCH SweepViruses.pm - clamavmodule false positives - A PLEA!

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Tue Aug 7 08:05:59 IST 2007


Julian

If you do release a new version of 4.62.9 to fix this I would be
grateful if you could also make available a copy of the updated
SweepViruses.pm file.

I have just finished upgrading 12 mail gateways to 4.62.9-2 and SA 3.2.2
and cannot afford to go through the whole process of installing MS again
so soon. If it is just a single *.pm that needs replacing then that is
easy enough.

How serious is this 'false positive' problem? Is it correct that I can
avoid the bug by setting "ClamAV Full Message Scan = no" and do I lose
much by doing that?

Thanks

Quentin


>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>Sent: 06 August 2007 15:16
>To: MailScanner discussion
>Subject: Re: PATCH SweepViruses.pm - clamavmodule false positives
>
>You only actually want to apply the first of the 2 patches, as you only
>want to affect the code that scans the *.message and *.header files.
>
>It will be in the next release.
>
>Please can some other people test this and confirm it works reliably?
>
>Gareth wrote:
>> Attached is a patch for SweepViruses.pm which fixes the false positives
>> issue with Phishing.Heuristics.Email.SpoofedDomain when using
>> Clamavmodule and the full message scan option.
>>
>> It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
>> clamavmodule source :-
>> =item CL_SCAN_PHISHING_DOMAINLIST
>> Phishing module: restrict URL scanning to domains from .pdf
>> (RECOMMENDED).
>>
>> I believe that as this option was not previously set it is equivalent to
>> the following clamscan option :-
>>        --no-phishing-restrictedscan
>>        Enable url-based heuristic phishing detection for all domains
>> (might lead to false positives!).
>>
>> Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
>> --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
>> I will contact the author about it anyway.
>>
>> I don't really know what this option does exactly but it is a recommended
>> setting, its name seems to indicate it is related to the false positives
>> I was getting, and setting it does seem to have cured the problem.
>>
>
>Jules
>
>- --
>Julian Field MEng CITP
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>Need help customising MailScanner?
>Contact me!
>Need help fixing or optimising your systems?
>Contact me!
>Need help getting you started solving new requirements from your boss?
>Contact me!
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

