PATCH SweepViruses.pm - clamavmodule false positives - A PLEA!

Martin martin.lyberg at gmail.com
Mon Aug 13 14:24:50 IST 2007


Gareth wrote:
> You only get the false positives problem if you are using clamavmodule
> and have "ClamAV Full Message Scan = yes".
> You can turn off full message scanning but then some of the clamav
> signatures are unable to detect some of the phishing attacks. This is
> most noticeable if you are using the sanesecurity additional rules.
> 
> It is just a couple of lines which need adding to SweepViruses.pm and I
> can send you an updated file if you wish.


Hi Gareth,

I read about this in the mailscanner list; I've the same problem with 
false positives. Can you send me the updated file please? Is it just to 
replace the file, or do I have to do anything else?

Thank you

/ Martin


> 
> On Tue, 2007-08-07 at 08:05, Quentin Campbell wrote:
>> Julian
>>
>> If you do release a new version of 4.62.9 to fix this I would be
>> grateful if you could also make available a copy of the updated
>> SweepViruses.pm file.
>>
>> I have just finished upgrading 12 mail gateways to 4.62.9-2 and SA 3.2.2
>> and cannot afford to go through the whole process of installing MS again
>> so soon. If it is just a single *.pm that needs replacing then that is
>> easy enough.
>>
>> How serious is this 'false positive' problem? Is it correct that I can
>> avoid the bug by setting "ClamAV Full Message Scan = no" and do I lose
>> much by doing that?
>>
>> Thanks
>>
>> Quentin
>>
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>> bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>> Sent: 06 August 2007 15:16
>>> To: MailScanner discussion
>>> Subject: Re: PATCH SweepViruses.pm - clamavmodule false positives
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> You only actually want to apply the first of the 2 patches, as you only
>>> want to affect the code that scans the *.message and *.header files.
>>>
>>> It will be in the next release.
>>>
>>> Please can some other people test this and confirm it works reliably?
>>>
>>> Gareth wrote:
>>>> Attached is a patch for SweepViruses.pm which fixes the false positives
>>>> issue with Phishing.Heuristics.Email.SpoofedDomain when using
>>>> Clamavmodule and the full message scan option.
>>>>
>>>> It passes the CL_SCAN_PHISHING_DOMAINLIST option which according to the
>>>> clamavmodule source :-
>>>> =item CL_SCAN_PHISHING_DOMAINLIST
>>>> Phishing module: restrict URL scanning to domains from .pdf
>>>> (RECOMMENDED).
>>>>
>>>> I believe that as this option was not previously set it is equivalent to
>>>> the following clamscan option :-
>>>>        --no-phishing-restrictedscan
>>>>        Enable url-based heuristic phishing detection for all domains
>>>> (might lead to false positives!).
>>>>
>>>> Personally I think CL_SCAN_PHISHING_DOMAINLIST should do the same as
>>>> --no-phishing-restrictedscan and not be the inverse of it. Maybe a bug.
>>>> I will contact the author about it anyway.
>>>>
>>>> I don't really know what this option does exactly but it is a recommended
>>>> setting, its name seems to indicate it is related to the false positives
>>>> I was getting, and setting it does seem to have cured the problem.
>>>>
>>> Jules
>>>
>>> - --
>>> Julian Field MEng CITP
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> Need help customising MailScanner?
>>> Contact me!
>>> Need help fixing or optimising your systems?
>>> Contact me!
>>> Need help getting you started solving new requirements from your boss?
>>> Contact me!
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: PGP Desktop 9.6.2 (Build 2014)
>>> Comment: (pgp-secured)
>>> Charset: ISO-8859-1
>>>
>>> wj8DBQFGty0vEfZZRxQVtlQRAgNvAKClvd3nYnkZaaePge//JWDYGr8gVACgv7+H
>>> ApgOZBY/pz0cF9ZPiEkxnxs=
>>> =Jnzy
>>> -----END PGP SIGNATURE-----
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
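As an added illustration of the change the thread is discussing (this is not Gareth's patch and not MailScanner's own SweepViruses.pm code), the scan-options mask handed to clamavmodule gains CL_SCAN_PHISHING_DOMAINLIST only for the full-message (*.message / *.header) scan, which is the one scan Julian says the patch should affect. The script assumes Mail::ClamAV exports CL_SCAN_STDOPT and CL_SCAN_PHISHING_DOMAINLIST via its `:all` tag, that `scan()` takes a path plus an options mask and returns a status object with `virus` and `error` methods, and that `new()` takes the database directory from `retdbdir()`; the helper names and the placeholder bit values used when the module is absent are my own.

```perl
#!/usr/bin/perl
# Added example, not code from MailScanner or from the patch in this thread.
# Shows how the clamavmodule scan-options mask differs between a
# full-message scan (phishing domain list restriction on) and an ordinary
# attachment scan, and how such a mask is passed to Mail::ClamAV->scan.
use strict;
use warnings;

# Assumption: Mail::ClamAV exports these constants. When the module is not
# installed we fall back to constructed placeholder bits so the mask logic
# can still be exercised; the numeric values are NOT clamav's real ones.
my $have_clamav = eval { require Mail::ClamAV; Mail::ClamAV->import(qw(:all)); 1 };
my $STDOPT  = $have_clamav ? CL_SCAN_STDOPT()              : 0x1;    # placeholder
my $DOMLIST = $have_clamav ? CL_SCAN_PHISHING_DOMAINLIST() : 0x100;  # placeholder

# Build the options mask. Only the full-message scan gets the domain-list
# restriction; per-attachment scans keep the standard options unchanged.
sub scan_options {
    my (%arg) = @_;
    my $opts = $STDOPT;
    $opts |= $DOMLIST if $arg{full_message};
    return $opts;
}

# Wrap the scan call and reduce the status object to a short verdict.
# Assumes the status object stringifies to the signature name and has
# ->error and ->virus methods (hypothetical names, check your module's POD).
sub scan_file {
    my ($clam, $path, %arg) = @_;
    my $status = $clam->scan($path, scan_options(%arg));
    return "error: $status"    if $status->error;
    return "infected: $status" if $status->virus;
    return "clean";
}

# Show the two masks side by side so an admin can confirm which scan
# actually carries the CL_SCAN_PHISHING_DOMAINLIST bit.
for my $mode ([full_message => 1], [full_message => 0]) {
    my $mask = scan_options(@$mode);
    printf "%-16s mask=0x%x  domainlist=%s\n", "@$mode", $mask,
        ($mask & $DOMLIST) ? "on" : "off";
}

# With the module installed, scan any files named on the command line the
# way a *.message file would be scanned, i.e. with the restriction enabled.
if ($have_clamav && @ARGV) {
    my $clam = Mail::ClamAV->new(Mail::ClamAV::retdbdir());
    $clam->buildtrie;
    print "$_: ", scan_file($clam, $_, full_message => 1), "\n" for @ARGV;
}
```

Run it once without arguments to see the two masks; run it against a saved message file on a host with clamavmodule installed to confirm the restricted scan still flags the phishing signatures you care about (Gareth notes the sanesecurity rules are the ones most affected by turning full-message scanning off entirely, so compare against that case rather than simply disabling the scan).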