
Fwd: exception rule - help needed
no one can help me?


From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
Sent: Tuesday, January 03, 2023 at 20:03 (08:03 PM) +0100
Subject: [clamav-users] exception rule - help needed
Hi all, and happy new year!

I need help to create an exception rule for my bank e-mails.

Currently I have a "whitelist.wbd" file in the lib folder of clamav, but none of my rules seem to work.
Please help me to get the expected result; disabling these checks altogether is not an option for me.

> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://www.facebook.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://twitter.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://www.instagram.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://www.youtube.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://play.google.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> # LibClamAV info: Suspicious link found!
> # LibClamAV info:   Real URL:    https://apps.apple.com
> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
> #
> X:(http:\/\/|https:\/\/)(.*)(facebook|twitter|instagram|youtube|play\.google|apps\.apple)(.+):(http:\/\/|https:\/\/)(.*)(sparkasse|sls\-direkt)\.de([\/?].*)?:20-
> M:facebook.com:mailing.sparkasse.de
> M:https://twitter.com:mailing.sparkasse.de
> M:instagram.com:mailing.sparkasse.de
> M:youtube.com:mailing.sparkasse.de
> M:play.google.com:mailing.sparkasse.de
> M:apps.apple.com:mailing.sparkasse.de

kind regards,
Marc
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________
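An offline way to check which of the reported URL pairs a .wdb file would cover before deploying it, added here as an example; it is not ClamAV code. It emulates the documented X:RealURLRegex:DisplayURLRegex[:FuncLevelSpec] and M:RealHostname:DisplayedHostname entry formats with Python's re module, so its verdicts are an approximation of libclamav's matcher: matching the X: pattern against the whole string "RealURL:DisplayURL" and treating an M: hostname as covering that host and its subdomains are this example's assumptions. The debug lines are a constructed copy of two pairs from the message above plus one invented lookalike link (phish.example) to show how broad a rule is; WDB_LOOSE uses a common hand-written rule shape and WDB_TIGHT is this example's suggested tightening, not a rule from the thread.

```python
"""Offline pre-check for ClamAV .wdb phishing whitelist entries (added example).

Extracts the (Real URL, Display URL) pairs from libclamav's "Suspicious link
found!" debug lines and reports which pairs a .wdb file would cover, emulating
X:RealURLRegex:DisplayURLRegex[:FuncLevelSpec] and M:RealHostname:DisplayedHostname
with Python's re module. Assumptions (libclamav may differ): an X: pattern minus
its FuncLevelSpec must match the whole string "RealURL:DisplayURL"; an M: host
covers a URL host equal to it or ending in "." + it, case-insensitively.
"""
import re
from urllib.parse import urlsplit

# Constructed debug output: two pairs from the thread plus an invented lookalike.
DEBUG_OUTPUT = """\
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://www.facebook.com
LibClamAV info:   Display URL: https://mailing.sparkasse.de
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://twitter.com
LibClamAV info:   Display URL: https://mailing.sparkasse.de
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://phish.example/facebook-login
LibClamAV info:   Display URL: https://mailing.sparkasse.de
"""

# Constructed .wdb in a common hand-written shape: (.+) right after the scheme,
# and an M: entry carrying a scheme instead of a bare hostname.
WDB_LOOSE = r"""X:(http:\/\/|https:\/\/)(.+)(facebook|twitter)(.+):(http:\/\/|https:\/\/)(.+)(sparkasse|sls\-direkt)\.de([\/?].*)?:20-
M:facebook.com:mailing.sparkasse.de
M:https://twitter.com:mailing.sparkasse.de
"""

# Tighter variant suggested by this example (not from the thread): the real side
# is pinned to the brand's own host and the M: fields are bare hostnames.
WDB_TIGHT = r"""X:https?:\/\/(www\.)?(facebook|twitter)\.com([\/?].*)?:https?:\/\/mailing\.sparkasse\.de([\/?].*)?:20-
M:facebook.com:mailing.sparkasse.de
M:twitter.com:mailing.sparkasse.de
"""

FUNC_LEVEL = re.compile(r":(\d+)(?:-(\d*))?$")  # trailing ":20-" style field


def extract_pairs(debug_text):
    """Return [(real_url, display_url), ...] from libclamav debug output."""
    pairs, real = [], None
    for line in debug_text.splitlines():
        m = re.search(r"Real URL:\s+(\S+)", line)
        if m:
            real = m.group(1)
            continue
        m = re.search(r"Display URL:\s+(\S+)", line)
        if m and real is not None:
            pairs.append((real, m.group(1)))
            real = None
    return pairs


def parse_wdb(wdb_text):
    """Return (rules, problems); each rule is a (lineno, kind, payload) tuple."""
    rules, problems = [], []
    for lineno, raw in enumerate(wdb_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, body = line.partition(":")
        if kind == "X":
            try:
                rules.append((lineno, "X", re.compile(FUNC_LEVEL.sub("", body))))
            except re.error as exc:
                problems.append(f"line {lineno}: bad regex ({exc})")
        elif kind == "M":
            fields = body.split(":")
            if len(fields) != 2 or not all(fields):
                problems.append(f"line {lineno}: M: wants two bare hostnames, got {fields}")
            else:
                rules.append((lineno, "M", tuple(f.lower() for f in fields)))
        else:
            problems.append(f"line {lineno}: unknown entry type {kind!r}")
    return rules, problems


def host_covered(entry, url):
    """Emulated M: semantics: exact host or any subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == entry or host.endswith("." + entry)


def covering_rules(real, display, rules):
    """Line numbers of the .wdb rules that cover one (real, display) pair."""
    hits = []
    for lineno, kind, payload in rules:
        if kind == "X" and payload.fullmatch(f"{real}:{display}"):
            hits.append(lineno)
        elif kind == "M" and host_covered(payload[0], real) and host_covered(payload[1], display):
            hits.append(lineno)
    return hits


def check(debug_text, wdb_text):
    """Map each reported pair to the .wdb line numbers covering it."""
    rules, problems = parse_wdb(wdb_text)
    return {p: covering_rules(*p, rules) for p in extract_pairs(debug_text)}, problems


if __name__ == "__main__":
    for label, wdb in (("loose", WDB_LOOSE), ("tight", WDB_TIGHT)):
        coverage, problems = check(DEBUG_OUTPUT, wdb)
        for (real, display), hits in coverage.items():
            print(f"[{label}] {real} -> {display}: {hits or 'NOT covered'}")
        for problem in problems:
            print(f"[{label}] problem: {problem}")
```

Running it against the two files shows three things the debug output alone does not: a `(.+)` directly after the scheme can never match a bare host such as https://twitter.com, an `M:` line carrying a scheme does not split into two hostnames, and a real side of the form `.+facebook.+` also whitelists the phish.example lookalike, which is exactly the spoofed-link case the check exists for. The tight variant covers the two legitimate pairs and nothing else. Whatever this emulation reports, confirm with clamscan --debug on the real message after editing the file; only libclamav's own matcher is authoritative.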
Re: Fwd: exception rule - help needed
newcomer01 via clamav-users wrote:
> no one can help me?

I think most of us have just about given up on this test, and are either
doing without or calling ClamAV in a way that allows us to handle FP-prone
tests like this differently from other results (either by whitelisting
mail ahead of ClamAV and avoiding calling it in the first place, or by
pushing it out so that the ClamAV result is scored or weighted).

I got tired of trying to find working entries for the .wdb file myself,
and rearranged parts of the mail setup to allow this test to just feed
SpamAssassin instead of being a hard pass-fail.

What would really help is if organizations that should really know
better would quit *sending* these dodgy links in the first place, but
that seems to be a lost cause.


> I need help to create an exception rule for my bank e-mails.
>
> Currently I have a "whitelist.wbd" file in the lib folder of clamav,
> but none of my rules seem to work.
> Please help me to get the expected result; disabling these checks
> altogether is not an option for me.
>

>> M:facebook.com:mailing.sparkasse.de
>> M:https://twitter.com:mailing.sparkasse.de
>> M:instagram.com:mailing.sparkasse.de
>> M:youtube.com:mailing.sparkasse.de
>> M:play.google.com:mailing.sparkasse.de
>> M:apps.apple.com:mailing.sparkasse.de

It's been a while since I dug into this, but at a wild guess, try
putting these in the other order, ie:

M:mailing.sparkasse.de:facebook.com

and so on.

I was never able to predictably copy-paste anything out of the libclamav
debug output to whitelist a URI pair; I just tried combinations until
something worked - with no guarantee that using the same pieces the same
way would work on the next one, which is why I gave up and just use it
in a scored configuration. If you search the list archives I think I've
posted more details before.

-kgd
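The scored setup described in the reply above (ClamAV's verdict weighted downstream instead of being a hard pass/fail), as an added example that is not from the thread, from ClamAV or from SpamAssassin: a small Python filter stage that parses clamscan's per-file result lines, rejects outright on a real signature hit, and turns Heuristics.* hits into a score for the next stage to weigh. The spool paths, the sample output, the weights and the threshold are constructed for the example; the detection names Heuristics.Phishing.Email.SpoofedDomain and Win.Test.EICAR_HDB-1 are real ClamAV names, the others in the weight table are illustrative.

```python
"""Score ClamAV results instead of treating them as a hard pass/fail (added example).

Parses clamscan's per-file result lines ("<path>: <name> FOUND" and
"<path>: OK") and applies a policy: a hit on a real signature rejects the
message, a Heuristics.* hit only adds weight that a downstream filter can
combine with its own evidence. Input, weights and threshold are constructed.
"""
import re

RESULT_LINE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")

# Illustrative weights; ClamAV assigns none, so these are local policy.
HEURISTIC_WEIGHTS = {
    "Heuristics.Phishing.Email.SpoofedDomain": 1.5,
    "Heuristics.Phishing.Email.SSL-Spoof": 1.0,
}
DEFAULT_HEURISTIC_WEIGHT = 0.5
REJECT_SCORE = 5.0

# Constructed clamscan output, as produced with --no-summary --allmatch
# (allmatch so that one file can show more than one detection line).
SAMPLE_OUTPUT = """\
/var/spool/filter/msg-001.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/spool/filter/msg-002.eml: OK
/var/spool/filter/msg-003.eml: Win.Test.EICAR_HDB-1 FOUND
/var/spool/filter/msg-004.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/spool/filter/msg-004.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
"""


def parse_results(output):
    """Map each scanned path to the detection names reported for it."""
    results = {}
    for line in output.splitlines():
        line = line.strip()
        m = RESULT_LINE.match(line)
        if m:
            results.setdefault(m.group("path"), []).append(m.group("name"))
        elif line.endswith(": OK"):
            results.setdefault(line[:-len(": OK")], [])
    return results


def triage(names):
    """Return (verdict, score, reasons) for one message's detections.

    Any non-heuristic name is a signature hit and wins outright; heuristics
    accumulate weight and only reject once they reach REJECT_SCORE."""
    signatures = [n for n in names if not n.startswith("Heuristics.")]
    if signatures:
        return "reject", REJECT_SCORE, [f"signature {n}" for n in signatures]
    score = sum((HEURISTIC_WEIGHTS.get(n, DEFAULT_HEURISTIC_WEIGHT) for n in names), 0.0)
    reasons = [f"heuristic {n}" for n in names]
    if score >= REJECT_SCORE:
        return "reject", score, reasons
    return ("score" if score else "pass"), score, reasons


def handle_scan(returncode, output):
    """Interpret one clamscan run: exit 0 means nothing found, 1 means
    something FOUND, 2 means an error. Exit 1 alone cannot tell a signature
    hit from a heuristic, so the per-file lines decide; exit 2 must become a
    temporary failure rather than a silent pass."""
    if returncode == 2:
        return {"__scan__": ("tempfail", 0.0, ["clamscan error"])}
    return {path: triage(names) for path, names in parse_results(output).items()}


if __name__ == "__main__":
    for path, (verdict, score, reasons) in handle_scan(1, SAMPLE_OUTPUT).items():
        print(f"{path}: {verdict} (score {score}) {reasons}")
```

Feed handle_scan() the exit code and stdout of clamscan --no-summary --allmatch run over the spool directory; the per-message score is what gets handed to the downstream filter in whatever way the setup passes metadata (a header, a milter result), which this example deliberately leaves out. The point of separating by the Heuristics. prefix is that a bank newsletter tripping SpoofedDomain only raises the score, while an EICAR or real malware hit still rejects, and a scanner error neither passes nor rejects mail.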