PATCH SweepViruses.pm - clamavmodule false positives - A PLEA!

Gareth list-mailscanner at linguaphone.com
Tue Aug 7 08:43:28 IST 2007


You only get the false positives problem if you are using clamavmodule
and have "ClamAV Full Message Scan = yes".
You can turn off full message scanning but then some of the clamav
signatures are unable to detect some of the phishing attacks. This is
most noticeable if you are using the sanesecurity additional rules.

It is just a couple of lines which need adding to SweepViruses.pm and I
can send you an updated file if you wish.

On Tue, 2007-08-07 at 08:05, Quentin Campbell wrote:
> Julian
> 
> If you do release a new version of 4.62.9 to fix this I would be
> grateful if you could also make available a copy of the updated
> SweepViruses.pm file.
> 
> I have just finished upgrading 12 mail gateways to 4.62.9-2 and SA 3.2.2
> and cannot afford to go through the whole process of installing MS again
> so soon. If it is just a single *.pm that needs replacing then that is
> easy enough.
> 
> How serious is this 'false positive' problem? Is it correct that I can
> avoid the bug by setting "ClamAV Full Message Scan = no" and do I lose
> much by doing that?
> 
> Thanks
> 
> Quentin
> 
> 
> >-----Original Message-----
> >From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> >Sent: 06 August 2007 15:16
> >To: MailScanner discussion
> >Subject: Re: PATCH SweepViruses.pm - clamavmodule false positives
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >You only actually want to apply the first of the 2 patches, as you only
> >want to affect the code that scans the *.message and *.header files.
> >
> >It will be in the next release.
> >
> >Please can some other people test this and confirm it works reliably?
> >
> >Gareth wrote:
> >> Attached is a patch for SweepViruses.pm which fixes the false positives
> >> issue with Phishing.Heuristics.Email.SpoofedDomain when using
> >> Clamavmodule and the full message scan option.
> >>
> >> It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
> >> clamavmodule source :-
> >> =item CL_SCAN_PHISHING_DOMAINLIST
> >> Phishing module: restrict URL scanning to domains from .pdf
> >> (RECOMMENDED).
> >>
> >> I believe that as this option was not previously set it is equivalent to
> >> the following clamscan option :-
> >>        --no-phishing-restrictedscan
> >>        Enable url-based heuristic phishing detection for all domains
> >>        (might lead to false positives!).
> >>
> >> Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
> >> --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
> >> I will contact the author about it anyway.
> >>
> >> I don't really know what this option does exactly but it is a recommended
> >> setting, its name seems to indicate it is related to the false positives
> >> I was getting, and setting it does seem to have cured the problem.
> >>
> >
> >Jules
> >
> >- --
> >Julian Field MEng CITP
> >www.MailScanner.info
> >Buy the MailScanner book at www.MailScanner.info/store
> >
> >Need help customising MailScanner?
> >Contact me!
> >Need help fixing or optimising your systems?
> >Contact me!
> >Need help getting you started solving new requirements from your boss?
> >Contact me!
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: PGP Desktop 9.6.2 (Build 2014)
> >Comment: (pgp-secured)
> >Charset: ISO-8859-1
> >
> >wj8DBQFGty0vEfZZRxQVtlQRAgNvAKClvd3nYnkZaaePge//JWDYGr8gVACgv7+H
> >ApgOZBY/pz0cF9ZPiEkxnxs=
> >=Jnzy
> >-----END PGP SIGNATURE-----
> >
> >--
> >MailScanner mailing list
> >mailscanner at lists.mailscanner.info
> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >Before posting, read http://wiki.mailscanner.info/posting
> >
> >Support MailScanner development - buy the book off the website!



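A direct way to do the testing Julian asks for, without reinstalling MailScanner, is to call clamavmodule (Mail::ClamAV) on a saved message and compare the two option sets side by side. The script below is an added example written for this page; it is not code from MailScanner, SweepViruses.pm or the Mail::ClamAV distribution. It assumes Mail::ClamAV exports retdbdir() and the CL_SCAN_* constants quoted in the thread, that the message to test (a complete *.message file as scanned when "Clamav Full Message Scan = yes") is given on the command line, and the engine limits it sets are illustrative values, not MailScanner's.

```perl
#!/usr/bin/perl
# Added example, not MailScanner or Mail::ClamAV code: scan one message
# file twice with clamavmodule, once with CL_SCAN_STDOPT alone and once
# with CL_SCAN_PHISHING_DOMAINLIST added, and report what each run finds.
# Use it on a message that produced a Phishing.Heuristics.Email.SpoofedDomain
# hit to see whether the flag makes that hit disappear.
use strict;
use warnings;
use Mail::ClamAV qw(:all);

# Assumption: the message file path is the only argument.
my $file = shift @ARGV or die "usage: $0 message-file\n";
-r $file or die "cannot read $file\n";

# One engine built from the default signature directory, which also picks
# up any extra databases (e.g. SaneSecurity rules) installed there.
my $clam = Mail::ClamAV->new(retdbdir())
    or die "cannot create ClamAV engine: $@\n";
$clam->build or die "cannot build ClamAV engine: $@\n";
$clam->maxreclevel(8);                 # illustrative limits only
$clam->maxfiles(1000);
$clam->maxfilesize(10 * 1024 * 1024);

# Scan the file with the given option bitmask and return the detection
# name (the status object stringifies to it), or "" when clean.
sub scan_with {
    my ($label, $options) = @_;
    my $status = $clam->scan($file, $options);
    die "$label: scan failed: $status\n" if $status->error;
    my $name = $status->virus ? "$status" : "";
    printf "%-45s %s\n", "$label:", $name ? "FOUND $name" : "clean";
    return $name;
}

# Run 1: the call as made before the patch (no DOMAINLIST flag), which
# Gareth believes behaves like "clamscan --no-phishing-restrictedscan",
# i.e. URL heuristics applied to every domain in the message.
my $before = scan_with("CL_SCAN_STDOPT", CL_SCAN_STDOPT);

# Run 2: the patched call, URL heuristics restricted to listed domains.
my $after = scan_with("CL_SCAN_STDOPT|CL_SCAN_PHISHING_DOMAINLIST",
                      CL_SCAN_STDOPT | CL_SCAN_PHISHING_DOMAINLIST);

if ($before =~ /SpoofedDomain/ && $after eq "") {
    print "SpoofedDomain hit disappears with CL_SCAN_PHISHING_DOMAINLIST\n";
} elsif ($before eq $after) {
    print "no difference between the two runs for this message\n";
} else {
    print "detections differ: '$before' vs '$after'\n";
}
```

Run it against a few messages that were wrongly tagged and a few genuine phishing samples: the first group should go clean in the second run while the second group should still be detected, which is the behaviour the patch is meant to give MailScanner.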