Mailing List Archive

Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com
Hi,

It looks like many Canadian banks are switching their corporate email to Office 365 (Microsoft cloud), and all the links in their emails are then automatically changed to https://can01.safelinks.protection.outlook.com with a long string.

So all the links to desjardins.com and now rbc.com hit Heuristics.Phishing.Email.SpoofedDomain.

Can this rule be changed to allow the real domain of the bank + *.safelinks.protection.outlook.com?

Then we will have to trust Microsoft that Outlook.com users will not be able to pass fake bank websites through their service?

Thanks,


Mathieu Morier,
Administrateur Internet / Network Administrator
mathieu.morier@sogetel.com


This message is confidential and intended only for the named recipients. It may contain information that is privileged. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have.
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
For now I have done this and it works!

echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd

But it would be great if Desjardins rules were in the up-to-date definitions, like for some other banks.



Mathieu Morier,
Administrateur Internet / Network Administrator


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
Hi there,

On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote:

> Look like many Canadian Banks are switching their corporate email to
> Office 365 ( Microsoft cloud ) and all the links in their email are
> then automatically change ...

Don't get me started.

> ... links to ... hit the Heuristics.Phishing.Email.SpoofedDomain .
> ... Can this rule be changed ...

Speaking personally, I don't want it to be changed but you could for
example add an 'ignore' rule:

https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=ignore#signature-ignore-lists

> Then will have to trust Microsoft ...

... currently the second worst spam support provider in the world, and
rarely out of the top five:

https://www.spamhaus.org/statistics/networks/

--

73,
Ged.
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
Yeah, for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it's working.

For Heuristics.Phishing.Email.SpoofedDomain it's not an "ignore list" but an "allow list" of real URLs and display URLs that you want to allow.


echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd


Too many people, including banks, are putting all their confidence in big cloud services.




Mathieu Morier,
Administrateur Internet / Network Administrator

Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote:
> Yeah, for now I just created the line as per the doc (
> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format )
> and it's working.
>
> For Heuristics.Phishing.Email.SpoofedDomain it's not an "ignore list"
> but an "allow list" of real URLs and display URLs that you want to allow.
>
>
> echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
> systemctl restart clamd
>
>

To semi-hijack, I was attempting to deal with my own occasional false
positive by using this thread as a clue.

Attempting to follow the docs, I hit a wall here:

"To help you identify what triggered a heuristic phishing alert,
clamscan or clamd will print a message indicating the "Display URL" and
"Real URL" involved in a heuristic phishing alert. "

I did not find such an entry in any of the "usual suspect" logs, so
wondering if that means I must somehow submit the offending email for a
manual scan, or if I simply do not know where to look?

Thanks for any assistance.

joe a.

Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
joe a wrote:
> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
>
> Attempting to follow the docs, I hit a wall here:
>
> "To help you identify what triggered a heuristic phishing alert,
> clamscan or clamd will print a message indicating the "Display URL" and
> "Real URL" involved in a heuristic phishing alert. "
>
> I did not find such an entry in any of the "usual suspect" logs, so
> wondering if that means I must somehow submit the offending email for a
> manual scan, or if I simply do not know where to look?

It's only in the debug output. While I was still chasing this I just
ran clamscan --debug after the fact on the FP sample to extract the
relevant URL bits, although it was still sometimes a bit of effort to
then find the right .wdb entry to actually whitelist the match when scanned.

Some time ago I gave up on using this test in a hard pass/fail context,
largely because of exactly the class of problem reported in this thread.
Instead I have it enabled in a clamd instance that's called by a
filter processing component with enough smarts to balance a hit on this
test with other criteria.

-kgd
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
Hi there,

On Wed, 15 Jun 2022, joe a wrote:

> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
>
> Attempting to follow the docs, I hit a wall here:
>
> "To help you identify what triggered a heuristic phishing alert, clamscan or
> clamd will print a message indicating the "Display URL" and "Real URL"
> involved in a heuristic phishing alert. "
>
> I did not find such an entry in any of the "usual suspect" logs ...

You might have more luck if you use verbose options. Some logic in

libclamav/phishcheck.c

is a bit convoluted and it looks like under some circumstances there
might be reasons for not flagging a potential phish, and not logging
certain warnings. I haven't gone over it with a magnifying glass but
there are definitely more informative debug messages available to you.

If you'd like to put a couple of samples up somewhere I could take a
look at them for you.

--

73,
Ged.
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 15 Jun 2022, joe a wrote:
>
>> To semi-hijack, I was attempting to deal with my own occasional false
>> positive by using this thread as a clue.
>>
>> Attempting to follow the docs, I hit a wall here:
>>
>> "To help you identify what triggered a heuristic phishing alert,
>> clamscan or clamd will print a message indicating the "Display URL"
>> and "Real URL" involved in a heuristic phishing alert. "
>>
>> I did not find such an entry in any of the "usual suspect" logs ...
>


Thanks gents.

After a (good) bit of messing about, found this (names obfuscated):

****************
LibClamAV info: Real URL: https://l.infoxx.domain.com
LibClamAV info: Display URL: anotherdomain.com
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
different

****************

I presume that is what needs to be added to the (a ?) WDB file, but, I
find no WDB files anywhere on my system.

Clearly, I am beyond my current knowledge.

joe a.

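As an added example (not code from the thread or from ClamAV itself): a small Python helper for the step kgd and joe describe above, pulling the Real URL / Display URL pairs out of clamscan --debug output and turning them into M: lines of the shape Mathieu posted. It only emits an allow entry when the real host belongs to a known link-rewriting service and the display host is on your own trusted list, so the entry stays as narrow as the thread's concern about trusting the rewriter warrants; everything else is set aside for manual review. The sample debug lines, the trusted lists and the hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `clamscan --debug` output, modelled on the lines
# joe quoted in this thread (hostnames are made up).
SAMPLE_DEBUG = """\
LibClamAV info: Real URL: https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.desjardins.com%2F
LibClamAV info: Display URL: www.desjardins.com
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV info: Real URL: https://l.infoxx.example.net/click?id=1
LibClamAV info: Display URL: anotherdomain.example
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""

# Assumption: your own list of display hosts you are willing to allow behind
# a rewritten link (the thread names only desjardins.com and rbc.com).
TRUSTED_DISPLAY_HOSTS = {"www.desjardins.com", "www.rbc.com"}
# Link-rewriting services whose real URL you accept in front of a trusted host.
TRUSTED_REWRITERS = ("safelinks.protection.outlook.com",)

_REAL = re.compile(r"LibClamAV info: Real URL: (\S+)")
_DISP = re.compile(r"LibClamAV info: Display URL: (\S+)")

def _host(url):
    """Lowercase hostname of a URL; a bare hostname is passed through."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def extract_pairs(debug_output):
    """Collect (real_host, display_host) pairs from clamscan --debug output."""
    pairs, real = [], None
    for line in debug_output.splitlines():
        m = _REAL.search(line)
        if m:
            real = _host(m.group(1))
            continue
        m = _DISP.search(line)
        if m and real is not None:
            pairs.append((real, _host(m.group(1))))
            real = None
    return pairs

def wdb_entries(pairs):
    """Return (allow_lines, needs_review): M:RealHost:DisplayHost lines for
    trusted rewriter -> trusted display host pairs, the rest left for review."""
    allow, review = [], []
    for real, disp in pairs:
        rewritten = any(real == r or real.endswith("." + r) for r in TRUSTED_REWRITERS)
        if rewritten and disp in TRUSTED_DISPLAY_HOSTS:
            allow.append(f"M:{real}:{disp}")
        else:
            review.append((real, disp))
    return allow, review
```

Feed it the saved debug output of the false-positive message, append only the returned allow lines to your .wdb file, and restart clamd as Mathieu did; pairs in the review list are the ones worth looking at by hand before allowing anything.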
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

There are examples of the wdb format a bit lower on the page. Essentially,
you would create a file "good_urls.wdb" in the same directory as the
existing ClamAV database files and put in an appropriate line to handle the
domains that you want to be safe.

--Maarten

Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com [ In reply to ]
On 6/15/2022 4:51 PM, Maarten Broekman via clamav-users wrote:
> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
> <https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format>
>
> There are examples of the wdb format a bit lower on the page.
> Essentially, you would create a file "good_urls.wdb" in the same
> directory as the existing ClamAV database files and put in an
> appropriate line to handle the domains that you want to be safe.
>
> --Maarten
>

Thanks. I felt confounded by the docs at first, but realized,
eventually, that only the X: parameter was required in my case.

Now the sample email scans without a problem. Thanks for all the
suggestions.

joe a.