ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain

Jules Field MailScanner at ecs.soton.ac.uk
Fri Oct 2 21:15:38 IST 2009



On 02/10/2009 17:43, donald.dawson at bakerbotts.com wrote:
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules
> Field
> Sent: Friday, October 02, 2009 2:35 AM
> To: MailScanner discussion
> Subject: Re: ClamAVModule::INFECTED::
> Phishing.Heuristics.Email.SpoofedDomain
>
> As you are clearly trying to use a new feature ("Spam-Virus"es) that I
> just introduced, I think you will find all your problems are solved
> using the new "Spam-Virus" feature in 4.78.
>
> On 01/10/2009 23:26, donald.dawson at bakerbotts.com wrote:
>> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
>> version).  We installed clam via the MS tar ball.  Clam is our only AV
>> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>>
>> We have been getting FPs on some newsletters due to Phishing
>> Heuristics in clam.  We also found that MS does not appear to use a
>> clamd.conf or freshclam.conf file.  To get around the FP Phishing
>> Heuristics problem, we modified the clamav-wrapper to turn off
>> heuristic url scans (line 152 added in clamav-wrapper script):
>>
>> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>>
>> I would rather not edit the delivered MS script.  Is there a clam
>> config file used by MS?
>>
>> Where would I put the '--phishing-scan-urls=no' option?
>>
>> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
>> versus letting MS load clamscan for every email?
>>
>> ...from the tarball clam/SA install.sh script:
>>
>> echo 'There are 2 recommended ways of installing ClamAV, depending on'
>> echo 'various factors.'
>> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
>> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
>> echo 'and install the RPMs for clamav, clamav-db and clamd from'
>> echo ' _http://packages.sw.be/clamav/_'
>> echo 'Then re-run this script and tell me that clamscan is installed in'
>> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
>> echo
>> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>>
>> Jules - thank you for a great product!
>>
>> Donald Dawson
>> Security Administrator
>> Baker Botts L.L.P.
>> One Shell Plaza
>> 910 Louisiana
>> Houston, TX 77002
>> W: 713-229-2183
>>
> Jules
>
> --------------
>
> Jules, would you also recommend installing the clamd rpm versus letting
> MS run clamscan?
>    
Yes. It will be far faster. Just make sure you delete all signs of 
*clam* from /usr/local and its subdirectories, then install the clamd 
RPM, then "ldconfig" to make sure it picks up all the new shared 
libraries supplied by the RPMs.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
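The reply above gives a three-step procedure for moving from the tarball clamscan install to the clamd RPM: clear every trace of the old build out of /usr/local, install the RPM, then run ldconfig so the loader picks up the RPM's shared libraries. The script below is an added example (not part of the thread and not MailScanner or ClamAV code) that audits the first and third steps before and after the switch: it reports leftover clam files under a prefix without deleting anything, and counts how many libclamav entries the loader cache currently resolves. It assumes the source install landed under /usr/local (overridable) and that ldconfig is available.

```shell
#!/bin/sh
# Added example: audit a tarball ClamAV install before and after switching
# to the clamd RPM. Reports only; deletion is left to the administrator.
# Assumptions: a source build went under /usr/local (pass another prefix
# as $1 to override); the RPM places libclamav on a path ldconfig scans.

# Print every file or directory under PREFIX whose name contains "clam",
# one path per line. Returns 0 if anything was found, 1 otherwise, so the
# function can gate a later install step ("nothing left, safe to proceed").
find_clam_leftovers() {
    prefix="${1:-/usr/local}"
    [ -d "$prefix" ] || return 1
    found=$(find "$prefix" -iname '*clam*' 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
    return 0
}

# Print the number of libclamav entries in the loader cache. Zero after
# the RPM install means ldconfig has not yet been run (or the library is
# on a path the cache does not cover); more than one usually means a stale
# /usr/local copy still shadows the RPM's library and should be removed.
count_libclamav_in_ldconfig() {
    if ! command -v ldconfig >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    ldconfig -p 2>/dev/null | grep -c 'libclamav' || true
}

# Convenience wrapper: run both checks against a prefix and summarise.
audit_clam_install() {
    prefix="${1:-/usr/local}"
    if find_clam_leftovers "$prefix"; then
        echo "leftover clam files found under $prefix (listed above)"
    else
        echo "no clam files under $prefix"
    fi
    echo "libclamav entries known to ldconfig: $(count_libclamav_in_ldconfig)"
}
```

Run `audit_clam_install` once before installing the RPM (expect a list of leftovers to remove), and again after `ldconfig` (expect no leftovers and exactly one libclamav entry). If the daemon route is taken, the `--phishing-scan-urls=no` flag from the original question has a clamd.conf counterpart, `PhishingScanURLs`, so the wrapper script no longer needs to carry it.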


