ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain

donald.dawson at bakerbotts.com
Thu Oct 1 23:26:17 IST 2009


We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
version).  We installed clam via the MS tarball.  Clam is our only AV
and is called by MS via /usr/lib/MailScanner/clamav-wrapper.

We have been getting FPs on some newsletters due to Phishing Heuristics
in clam.  We also found that MS does not appear to use a clamd.conf or
freshclam.conf file.  To get around the FP Phishing Heuristics problem,
we modified the clamav-wrapper to turn off heuristic URL scans (line 152
added in clamav-wrapper script):

ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"

I would rather not edit the delivered MS script.  Is there a clam config
file used by MS?  

Where would I put the '--phishing-scan-urls=no' option?  

Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
versus letting MS load clamscan for every email?

...from the tarball clam/SA install.sh script:

echo 'There are 2 recommended ways of installing ClamAV, depending on'
echo 'various factors.'
echo 'If you want to use MailScanners support for Clamd (virus-scanning'
echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
echo 'and install the RPMs for clamav, clamav-db and clamd from'
echo '     http://packages.sw.be/clamav/'
echo 'Then re-run this script and tell me that clamscan is installed in'
echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
echo
echo 'Otherwise you probably want me to install ClamAV now. So answer y.'

Jules - thank you for a great product!  

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183
