<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7653.38">
<TITLE>ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">We are running MS 4.75.11 (soon to upgrade to the interesting new 4.78.17 version). We installed clam via the MS tarball. Clam is our only AV and is called by MS via /usr/lib/MailScanner/clamav-wrapper.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">We have been getting FPs on some newsletters due to Phishing Heuristics in clam. We also found that MS does not appear to use a clamd.conf or freshclam.conf file. To get around the FP Phishing Heuristics problem, we modified the clamav-wrapper to turn off heuristic URL scans (line 152 added in clamav-wrapper script):</FONT></P>
<P><FONT SIZE=2 FACE="Arial">ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I would rather not edit the delivered MS script. Is there a clam config file used by MS? </FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Where would I put the '--phishing-scan-urls=no' option? </FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Lastly, is it preferable to install clamav, clamav-db and clamd RPMs versus letting MS load clamscan for every email?</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">...from the tarball clam/SA install.sh script:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">echo 'There are 2 recommended ways of installing ClamAV, depending on'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'various factors.'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'If you want to use MailScanners support for Clamd (virus-scanning'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'and install the RPMs for clamav, clamav-db and clamd from'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo ' </FONT><A HREF="http://packages.sw.be/clamav/"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://packages.sw.be/clamav/</FONT></U></A><FONT SIZE=2 FACE="Arial">'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'Then re-run this script and tell me that clamscan is installed in'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo '/usr/bin. This will set up your virus.scanners.conf file for you.'</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo</FONT>
<BR><FONT SIZE=2 FACE="Arial">echo 'Otherwise you probably want me to install ClamAV now. So answer y.'</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Jules - thank you for a great product! </FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Donald Dawson</FONT>
<BR><FONT SIZE=2 FACE="Arial">Security Administrator</FONT>
<BR><FONT SIZE=2 FACE="Arial">Baker Botts L.L.P.</FONT>
<BR><FONT SIZE=1 FACE="Arial">One Shell Plaza</FONT>
<BR><FONT SIZE=1 FACE="Arial">910 Louisiana</FONT>
<BR><FONT SIZE=1 FACE="Arial">Houston, TX 77002</FONT>
<BR><FONT SIZE=1 FACE="Arial">W: 713-229-2183</FONT>
</P>
</BODY>
</HTML>