Mailing List Archive

excluding a URL from "heuristics" scanning
A while back discussed excluding some URLs from triggering the
heuristics scan. Seemed to work. Postfix, spamassassin, clamav in use.

Now seems some additional URLs are involved. Perhaps I am doing
something wrong here.

Been determining (?) the offending URLs by examining the entire email
using:

clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL: http://some.url" into
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart
clamd.service)

I would presume re-scanning as above should no longer flag the offending
URL(s)?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: excluding a URL from "heuristics" scanning
Hi there,

On Thu, 11 Aug 2022, joe a wrote:

> A while back discussed excluding some URLs from triggering the heuristics
> scan. Seemed to work. Postfix, spamassassin, clamav in use.
>
> Now seems some additional URLs are involved. Perhaps I am doing something
> wrong here.
>
> Been determining (?) the offending URLs by examining the entire email using:
>
> clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>
> then looking for offenders using:
>
> grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>
> entering the URL seen in "Real URL: http://some.url" into
> "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart
> clamd.service)
>
> I would presume re-scanning as above should no longer flag the offending
> URL(s)?

You presume a lot. The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

--

73,
Ged.
Re: excluding a URL from "heuristics" scanning
On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>
>> A while back discussed excluding some URLs from triggering the
>> heuristics scan.   Seemed to work.  Postfix, spamassassin, clamav in
>> use.
>>
>> Now seems some additional URLs are involved. Perhaps I am doing
>> something wrong here.
>>
>> Been determining (?) the offending URLs by examining the entire email
>> using:
>>
>> clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>>
>> then looking for offenders using:
>>
>> grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>>
>> entering the URL seen in "Real URL:  http://some.url" into
>> "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart
>> clamd.service)
>>
>> I would presume re-scanning as above should no longer flag the
>> offending URL(s)?
>
> You presume a lot.  The documentation seems to say otherwise:
>
> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
>

Well!

Thanks for the direct links. The content appears a bit different than
I recall, when attempting to decipher it some months back.

Might even prove enjoyable wading through it, were I an S&M enthusiast.


Re: excluding a URL from "heuristics" scanning
On 8/11/2022 2:02 PM, joe a wrote:
> On 8/11/2022 1:17 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>
>>> A while back discussed excluding some URLs from triggering the
>>> heuristics scan.   Seemed to work.  Postfix, spamassassin, clamav in
>>> use.
>>>
>>> Now seems some additional URLs are involved. Perhaps I am doing
>>> something wrong here.
>>>
>>> Been determining (?) the offending URLs by examining the entire
>>> email using:
>>>
>>> clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>>>
>>> then looking for offenders using:
>>>
>>> grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>>>
>>> entering the URL seen in "Real URL:  http://some.url" into
>>> "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl
>>> restart clamd.service)
>>>
>>> I would presume re-scanning as above should no longer flag the
>>> offending URL(s)?
>>
>> You presume a lot.  The documentation seems to say otherwise:
>>
>> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
>>
>
> Well!
>
> Thanks for the direct links.   The content appears a bit different than
> I recall, when attempting to decipher it some months back.
>
> Might even prove enjoyable wading through it, were I an S&M enthusiast.
>
>

I do not understand why, when entering more than one URL, the first line
in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able
to match when entered "in plain text", while subsequent lines seem to
want actual "regex" notation (escaped "."), with only the domains entered.

At least that is what it seems takes to "run clean" when re-scanned in
debug mode.

To add to the above, I found a few recent emails containing the URLs in
the first entry, mentioned above, that were flagged. Those emails
passed without notice when scanned as above. I removed that first
entry, scanned again and the emails were flagged. I then entered those
URLs again, as the first line, this time in regex notation ("."
escaped, no "http or https"), scanned again, and it was not flagged.

Re: excluding a URL from "heuristics" scanning
Hi there,

On Thu, 11 Aug 2022, joe a wrote:

> I do not understand why, when entering more than one URL, the first line in
> my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match
> when entered "in plain text", while subsequent lines seem to want actual
> "regex" notation (escaped "."), with only the domains entered.
>
> At least that is what it seems takes to "run clean" when re-scanned in debug
> mode.
>
> To add to the above, I found a few recent emails containing the URLs in the
> first entry, mentioned above, that were flagged. Those emails passed without
> notice when scanned as above. I removed that first entry, scanned again and
> the emails were flagged. I then entered those URLs again, as the first line,
> this time in regex notation ("." escaped, no "http or https"), scanned again,
> and it was not flagged.

Post your .wdb file here?

--

73,
Ged.
Re: excluding a URL from "heuristics" scanning
On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>
>> I do not understand why, when entering more than one URL, the first
>> line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be
>> able to match when entered "in plain text", while subsequent lines
>> seem to want actual "regex" notation (escaped "."), with only the
>> domains entered.
>>
>> At least that is what it seems takes to "run clean" when re-scanned in
>> debug mode.
>>
>> To add to the above, I found a few recent emails containing the URLs
>> in the first entry, mentioned above, that were flagged.  Those emails
>> passed without notice when scanned as above.  I removed that first
>> entry, scanned again and the emails were flagged.  I then entered those
>> URLs again, as the first line, this time in regex notation ("."
>> escaped, no "http or https"), scanned again, and it was not flagged.
>
> Post your .wdb file here?
>

In the "old days" I would not hesitate, but in the current age, I do,
simply because it is essentially "public".

Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
Or posted to some less public place?


Re: excluding a URL from "heuristics" scanning
On 8/11/2022 7:10 PM, joe a wrote:
> On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>
>>> I do not understand why, when entering more than one URL, the first
>>> line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to
>>> be able to match when entered "in plain text", while subsequent lines
>>> seem to want actual "regex" notation (escaped "."), with only the
>>> domains entered.
>>>
>>> At least that is what it seems takes to "run clean" when re-scanned
>>> in debug mode.
>>>
>>> To add to the above, I found a few recent emails containing the URLs
>>> in the first entry, mentioned above, that were flagged.  Those emails
>>> passed without notice when scanned as above.  I removed that first
>>> entry, scanned again and the emails were flagged.  I then entered
>>> those URLs again, as the first line, this time in regex notation
>>> ("." escaped, no "http or https"), scanned again, and it was not
>>> flagged.
>>
>> Post your .wdb file here?
>>
>
> In the "old days" I would not hesitate, but in the current age, I do,
> simply because it is essentially "public".
>
> Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
> Or posted to some less public place?
>
>

Having taken the (rhetorical) purple pill . . . and written and thought
better of several rambling and vacuous screeds . . . I post the contents
of an obfuscated "/my/install/location/gud-uns.wdb". Please hold the
cheers and applause, I won't hear them anyway.

X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work for scanning with clamd or clamscan (in debug
mode).

X:http://data99.bingo.com:http://bingobank.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work scanning with clamscan, but, formatting the
last three lines as the first line, fails to pass those three.

In any case, I am OK with it working with formatting as the first
example, but the oddity of the second cited example, an outgrowth of my
first foray into this, kind of stumbled me.

Is it known behavior? An anomaly of my formatting? A bug?

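As an added example, not code from this thread or from the ClamAV project: a small Python helper that automates the triage loop described in the first post and produces entries in the shape of the first .wdb listing above. It reads clamscan --debug output, finds each "Phishing scan result: URLs are way too different" verdict, pulls the real and displayed URLs from the four preceding lines (the same window as grep -B4), and prints a candidate X: line with hostnames only, no scheme, and dots escaped. The sample debug lines are constructed; the "Real URL:" and "Phishing scan result:" labels follow the lines quoted in the thread, the "Display URL:" label is an assumption about the debug format, and the final check with Python's re.fullmatch only approximates how libclamav applies .wdb regexes, whose rules are in the PhishSigs documentation linked earlier in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample of clamscan --debug output. "Real URL:" and
# "Phishing scan result: ..." follow the lines quoted in the thread;
# the "Display URL:" label is an assumption about the debug format.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishcheck: Real URL: http://l.data99.bingo.com/track?id=42
LibClamAV debug: Phishcheck: Display URL: http://bingobank.com/
LibClamAV debug: Phishing scan result: URLs are way too different
LibClamAV debug: Phishcheck: Real URL: http://www.example.org/news
LibClamAV debug: Phishcheck: Display URL: http://www.example.org/news
LibClamAV debug: Phishing scan result: clean
"""

FLAG = "Phishing scan result: URLs are way too different"
REAL_RE = re.compile(r"Real URL:\s*(\S+)")
DISPLAY_RE = re.compile(r"Display URL:\s*(\S+)")


def flagged_pairs(debug_text, window=4):
    """Return (real_url, display_url) for every flagged verdict, looking
    back `window` lines for the URL pair, as `grep -B4` does."""
    lines = debug_text.splitlines()
    pairs = []
    for i, line in enumerate(lines):
        if FLAG not in line:
            continue
        real = display = None
        for prev in lines[max(0, i - window):i]:
            m = REAL_RE.search(prev)
            if m:
                real = m.group(1)
            m = DISPLAY_RE.search(prev)
            if m:
                display = m.group(1)
        if real and display:
            pairs.append((real, display))
    return pairs


def hostname(url):
    """Lower-cased host part of a URL; scheme, port and path are dropped.
    A bare 'host/path' without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname.lower()


def escape_host(host):
    # Hostnames contain only letters, digits, '-' and '.', so '.' is the
    # only regex metacharacter present. re.escape is avoided on purpose:
    # it would also emit '\-', which a hostname does not need.
    return host.replace(".", r"\.")


def wdb_line(real_url, display_url):
    """Candidate X: entry in the shape of the working lines in the thread:
    hostnames only, no scheme, dots escaped."""
    return "X:%s:%s" % (escape_host(hostname(real_url)),
                        escape_host(hostname(display_url)))


def entry_matches(entry, real_url, display_url):
    """Local sanity check that an X: entry covers a URL pair. Python's
    re.fullmatch only approximates libclamav's matching; a True here means
    'worth re-scanning', not proof that ClamAV will accept the entry."""
    kind, real_pat, display_pat = entry.split(":", 2)
    if kind != "X":
        raise ValueError("only X: entries are handled here: %r" % entry)
    return bool(re.fullmatch(real_pat, hostname(real_url))) and \
        bool(re.fullmatch(display_pat, hostname(display_url)))


if __name__ == "__main__":
    # Replace SAMPLE_DEBUG with open("result.txt").read() for a real run.
    for real, display in flagged_pairs(SAMPLE_DEBUG):
        entry = wdb_line(real, display)
        ok = entry_matches(entry, real, display)
        print(entry, "ok" if ok else "NO MATCH")
```

The helper sticks to one entry form (hostname, dots escaped) because the thread leaves open whether a plain "http://..." entry and the escaped-hostname entries can be mixed in the same file; whichever form is used, the check that counts is the re-scan in debug mode, as the poster did.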
Re: excluding a URL from "heuristics" scanning
Hi there,

On Thu, 11 Aug 2022, joe a wrote:

> [...] I post the contents of an obfuscated "[...]gud-uns.wdb".
> [...]
> Is it known behavior? An anomaly of my formatting? A bug?

I have no idea. I don't have time to mess about with obfuscated information.

--

73,
Ged.
Re: excluding a URL from "heuristics" scanning
On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>
>> [...] I post the contents of an obfuscated "[...]gud-uns.wdb".
>> [...]
>> Is it known behavior? An anomaly of my formatting?  A bug?
>
> I have no idea.  I don't have time to mess about with obfuscated
> information.
>

What's the difference?

All that has been done is letters in the actual URLs were replaced with
other letters. I don't think regex cares as long as they are "not
special" to regex.


Re: excluding a URL from "heuristics" scanning
On 8/12/2022 8:48 AM, joe a wrote:
> On 8/12/2022 4:28 AM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>
>>> [...] I post the contents of an obfuscated "[...]gud-uns.wdb".
>>> [...]
>>> Is it known behavior? An anomaly of my formatting?  A bug?
>>
>> I have no idea.  I don't have time to mess about with obfuscated
>> information.
>>
>
> What's the difference?
>
> All that has been done is letters in the actual URLs were replaced with
> other letters.   I don't think regex cares as long as they are "not
> special" to regex.
>
>

I am certainly not trying to be difficult or simply obstinate, I simply
do not understand the issue with obfuscation.

Perhaps your concern is related to the non obfuscated URLs being
required to match an existing "bad" URL and cause some
trigger/interaction with clamd or clamscan in some way that is not
obvious to someone at my level of knowledge?

If so, I would be happy to provide the non obfuscated version off list
or in some other way, as previously indicated.
