ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain

donald.dawson at bakerbotts.com
Tue Oct 6 21:20:14 IST 2009


lint shows:

MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamavmodule

from MailScanner.conf:

Virus Scanners = auto

from virus.scanners.conf:

clamav              /usr/lib/MailScanner/clamav-wrapper     /usr/local
clamd               /bin/false                              /usr/local
clamavmodule        /bin/false                              /tmp

Should I explicitly say 'clamav' instead of 'auto'?

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
Sent: Tuesday, October 06, 2009 3:05 PM
To: MailScanner discussion
Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain

Just the same way it always has, I haven't changed that at all.

If your Virus Scanners = clamav then it will use the clamav-wrapper script.
If your Virus Scanners = clamavmodule then it will use the library.
If your Virus Scanners = clamd then it will talk straight to clamd.

Run "MailScanner --lint" to see what "Virus Scanners = auto" might do.

On 06/10/2009 20:19, donald.dawson at bakerbotts.com wrote:
> How is clamscan called by the new 4.78 version?  It does not appear to
> be using the /usr/lib/MailScanner/clamav-wrapper script.  I am not yet
> using clamd.
>
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> One Shell Plaza
> 910 Louisiana
> Houston, TX 77002
> W: 713-229-2183
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> donald.dawson at bakerbotts.com
> Sent: Friday, October 02, 2009 11:44 AM
> To: mailscanner at lists.mailscanner.info
> Subject: RE: ClamAVModule::INFECTED::
> Phishing.Heuristics.Email.SpoofedDomain
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules
> Field
> Sent: Friday, October 02, 2009 2:35 AM
> To: MailScanner discussion
> Subject: Re: ClamAVModule::INFECTED::
> Phishing.Heuristics.Email.SpoofedDomain
>
> As you are clearly trying to use a new feature ("Spam-Virus"es) that I
> just introduced, I think you will find all your problems are solved
> using the new "Spam-Virus" feature in 4.78.
>
> On 01/10/2009 23:26, donald.dawson at bakerbotts.com wrote:
>    
>> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
>> version).  We installed clam via the MS tar ball.  Clam is our only AV
>> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>>
>> We have been getting FPs on some newsletters due to Phishing
>> Heuristics in clam.  We also found that MS does not appear to use a
>> clamd.conf or freshclam.conf file.  To get around the FP Phishing
>> Heuristics problem, we modified the clamav-wrapper to turn off
>> heuristic url scans (line 152 added in clamav-wrapper script):
>>
>> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>>
>> I would rather not edit the delivered MS script.  Is there a clam
>> config file used by MS?
>>
>> Where would I put the '--phishing-scan-urls=no' option?
>>
>> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
>> versus letting MS load clamscan for every email?
>>
>> ...from the tarball clam/SA install.sh script:
>>
>> echo 'There are 2 recommended ways of installing ClamAV, depending on'
>> echo 'various factors.'
>> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
>> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
>> echo 'and install the RPMs for clamav, clamav-db and clamd from'
>> echo ' _http://packages.sw.be/clamav/_'
>> echo 'Then re-run this script and tell me that clamscan is installed in'
>> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
>> echo
>> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>>
>> Jules - thank you for a great product!
>>
>> Donald Dawson
>> Security Administrator
>> Baker Botts L.L.P.
>> One Shell Plaza
>> 910 Louisiana
>> Houston, TX 77002
>> W: 713-229-2183
>>
>>      
> Jules
>
> --------------
>
> Jules, would you also recommend installing the clamd rpm versus letting
> MS run clamscan?
>
> Thanks,
> Donald
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

