ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain

Jules Field MailScanner at ecs.soton.ac.uk
Tue Oct 6 21:33:28 IST 2009



On 06/10/2009 21:20, donald.dawson at bakerbotts.com wrote:
> lint shows:
>
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamavmodule
>
> from MailScanner.conf:
>
> Virus Scanners = auto
>
> from virus.scanners.conf:
>
> clamav              /usr/lib/MailScanner/clamav-wrapper     /usr/local
> clamd               /bin/false                              /usr/local
> clamavmodule        /bin/false                              /tmp
>
> should I explicitly say 'clamav' instead of 'auto'?
>
Yes, if that is what you want. It would be worth your while switching 
over to clamd at some point. But it does take a few minutes to do, so 
allocate time to the change properly. (Oh my! That's my ITIL voice 
talking :-)

Jules.

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules
> Field
> Sent: Tuesday, October 06, 2009 3:05 PM
> To: MailScanner discussion
> Subject: Re: ClamAVModule::INFECTED::
> Phishing.Heuristics.Email.SpoofedDomain
>
> Just the same way it always has, I haven't changed that at all.
>
> If your Virus Scanners = clamav then it will use the clamav-wrapper
> script.
> If your Virus Scanners = clamavmodule then it will use the library.
> If your Virus Scanners = clamd then it will talk straight to clamd.
>
> Run "MailScanner --lint" to see what "Virus Scanners = auto" might do.
>
> On 06/10/2009 20:19, donald.dawson at bakerbotts.com wrote:
>
>> How is clamscan called by the new 4.78 version?  It does not appear to
>> be using the /usr/lib/MailScanner/clamav-wrapper script.  I am not yet
>> using clamd.
>>
>>
>> Donald Dawson
>> Security Administrator
>> Baker Botts L.L.P.
>> One Shell Plaza
>> 910 Louisiana
>> Houston, TX 77002
>> W: 713-229-2183
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>> donald.dawson at bakerbotts.com
>> Sent: Friday, October 02, 2009 11:44 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: RE: ClamAVModule::INFECTED::
>> Phishing.Heuristics.Email.SpoofedDomain
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules
>> Field
>> Sent: Friday, October 02, 2009 2:35 AM
>> To: MailScanner discussion
>> Subject: Re: ClamAVModule::INFECTED::
>> Phishing.Heuristics.Email.SpoofedDomain
>>
>> As you are clearly trying to use a new feature ("Spam-Virus"es) that I
>> just introduced, I think you will find all your problems are solved
>> using the new "Spam-Virus" feature in 4.78.
>>
>> On 01/10/2009 23:26, donald.dawson at bakerbotts.com wrote:
>>
>>> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
>>> version).  We installed clam via the MS tar ball.  Clam is our only AV
>>> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>>>
>>> We have been getting FPs on some newsletters due to Phishing
>>> Heuristics in clam.  We also found that MS does not appear to use a
>>> clamd.conf or freshclam.conf file.  To get around the FP Phishing
>>> Heuristics problem, we modified the clamav-wrapper to turn off
>>> heuristic url scans (line 152 added in clamav-wrapper script):
>>>
>>> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>>>
>>> I would rather not edit the delivered MS script.  Is there a clam
>>> config file used by MS?
>>>
>>> Where would I put the '--phishing-scan-urls=no' option?
>>>
>>> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
>>> versus letting MS load clamscan for every email?
>>>
>>> ...from the tarball clam/SA install.sh script:
>>>
>>> echo 'There are 2 recommended ways of installing ClamAV, depending on'
>>> echo 'various factors.'
>>> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
>>> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
>>> echo 'and install the RPMs for clamav, clamav-db and clamd from'
>>> echo ' _http://packages.sw.be/clamav/_'
>>> echo 'Then re-run this script and tell me that clamscan is installed in'
>>> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
>>> echo
>>> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>>>
>>> Jules - thank you for a great product!
>>>
>>> Donald Dawson
>>> Security Administrator
>>> Baker Botts L.L.P.
>>> One Shell Plaza
>>> 910 Louisiana
>>> Houston, TX 77002
>>> W: 713-229-2183
>>>
>>>
>>>
>> Jules
>>
>> --------------
>>
>> Jules, would you also recommend installing the clamd rpm versus letting
>> MS run clamscan?
>>
>> Thanks,
>> Donald
>>
> Jules
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
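An added example (not MailScanner's own code) that models the confusion in this thread: it parses the three-column virus.scanners.conf quoted above, resolves the "Virus Scanners" setting, and reports whether the active scanner runs the clamav-wrapper script at all, using the wrapper/library/daemon mapping Jules gives. The "auto" rule is an assumption and is modelled only as "the names MailScanner --lint reported"; the conf text is the poster's, embedded as constructed input.

```python
# Constructed input: the virus.scanners.conf lines quoted in the thread.
VIRUS_SCANNERS_CONF = """\
clamav              /usr/lib/MailScanner/clamav-wrapper     /usr/local
clamd               /bin/false                              /usr/local
clamavmodule        /bin/false                              /tmp
"""

# How each ClamAV flavour is invoked, per Jules's reply above.
MECHANISM = {
    "clamav": "wrapper script",      # runs the wrapper named in the conf
    "clamavmodule": "Perl library",  # wrapper column is not used
    "clamd": "clamd daemon",         # wrapper column is not used
}


def parse_virus_scanners_conf(text):
    """Map scanner name -> (wrapper, install dir) from the 3-column file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed virus.scanners.conf line: %r" % raw)
        name, wrapper, install_dir = fields
        entries[name] = (wrapper, install_dir)
    return entries


def resolve_scanners(setting, lint_found):
    """ASSUMPTION: 'auto' means the names 'MailScanner --lint' reported;
    anything else is the explicit space-separated list from MailScanner.conf."""
    if setting.strip() == "auto":
        return list(lint_found)
    return setting.split()


def describe(setting, lint_found, conf_text=VIRUS_SCANNERS_CONF):
    """Return [(name, mechanism, wrapper_path)] for each active scanner;
    wrapper_path is None unless that scanner really runs the wrapper script."""
    entries = parse_virus_scanners_conf(conf_text)
    result = []
    for name in resolve_scanners(setting, lint_found):
        mechanism = MECHANISM.get(name, "unknown to this example")
        wrapper = entries.get(name, (None, None))[0]
        result.append((name, mechanism,
                       wrapper if mechanism == "wrapper script" else None))
    return result


def wrapper_edits_take_effect(setting, lint_found, conf_text=VIRUS_SCANNERS_CONF):
    """True only if an active scanner runs the wrapper, i.e. an option such as
    --phishing-scan-urls=no added to clamav-wrapper would actually be used."""
    return any(m == "wrapper script" for _, m, _ in describe(setting, lint_found, conf_text))
```

With the poster's setup ("auto" resolved to clamavmodule) the wrapper edit is never used; setting "Virus Scanners = clamav" is what makes it take effect.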


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the MailScanner mailing list