Mailing List Archive

[clamav-users] Heuristics, only on or off?
In log find (snipped)

". . .infected by Heuristics.OLE2.ContainsMacros.VBA"

and

". . .infected by Heuristics.Phishing.Email.SpoofedDomain"

I love the first one but loathe the second one. Is there some secret sauce to
allow discriminating between them?

joe a




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Heuristics, only on or off?
Hi there,

On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:

> In log find (snipped)

Full marks for reading your logs. :)

> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>
> and
>
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>
> I love the first one but loathe the second one.

That's your prerogative, of course, but both are generic threat
descriptions which are applied to a number of potential threats.
I don't see why anyone would like one and dislike the other, but
then I don't get sentimental about the descriptions of signatures.

> Is there some secret sauce to allow discriminating between them?

I don't think I understand the question.

There are two distinct names for two different classes of threat.
What exactly are you looking for that isn't provided by the names?
Do you mean distinguishing between individual examples of the type
of threat? Perhaps you should be looking at your log verbosity, or
perhaps something which analyzes suspect data more thoroughly. Are
these logs the result of scanning filesystems, scanning mail, or...?

I see very few examples of this sort of thing, maybe that's because I
only use ClamAV to scan mail, and I drop large numbers of connections
before the client even says 'EHLO'.

--

73,
Ged.

Re: [clamav-users] Heuristics, only on or off?
On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>
> > In log find (snipped)
>
> Full marks for reading your logs. :)
>
> > ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
> >
> > and
> >
> > ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
> >
> > I love the first one but loathe the second one.
>
> That's your prerogative, of course, but both are generic threat descriptions
> which are applied to a number of potential threats.
> I don't see why anyone would like one and dislike the other, but then I don't
> get sentimental about the descriptions of signatures.
>
> > Is there some secret sauce to allow discriminating between them?
>
> I don't think I understand the question.
>
> There are two distinct names for two different classes of threat.
> What exactly are you looking for that isn't provided by the names?
> Do you mean distinguishing between individual examples of the type of
> threat? Perhaps you should be looking at your log verbosity, or perhaps
> something which analyzes suspect data more thoroughly. Are these logs the
> result of scanning filesystems, scanning mail, or...?

Although these two (and possibly other Heuristics) are indeed reported
uniquely, in real cases, I get absolute false positives on the SpoofedDomain
for "legitimate" messages while I'd always want to stop the ContainsMacros
case. By "legitimate" here, I'm not saying that whatever heuristic is being
interpreted incorrectly, but merely that real email from legitimate senders
is being sent to users who expect to get that specific email.

Disabling all heuristics avoids all of these detections...

- Mark

Re: [clamav-users] Heuristics, only on or off?
> On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
>> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>>
>> > In log find (snipped)
>>
>> Full marks for reading your logs. :)
>>
>> > ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>> >
>> > and
>> >
>> > ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>> >
>> > I love the first one but loathe the second one.
>>
>> That's your prerogative, of course, but both are generic threat descriptions
>> which are applied to a number of potential threats.
>> I don't see why anyone would like one and dislike the other, but then I don't
>> get sentimental about the descriptions of signatures.
>>
>> > Is there some secret sauce to allow discriminating between them?
>>
>> I don't think I understand the question.

I was not clear. Mark guessed correctly. See below

>> There are two distinct names for two different classes of threat.
>> What exactly are you looking for that isn't provided by the names?
>> Do you mean distinguishing between individual examples of the type of
>> threat? Perhaps you should be looking at your log verbosity, or perhaps
>> something which analyzes suspect data more thoroughly. Are these logs the
>> result of scanning filesystems, scanning mail, or...?
>
> Although these two (and possibly other Heuristics) are indeed reported
> uniquely, in real cases, I get absolute false positives on the SpoofedDomain

The "spoofed domain" is the one I would rather allow to pass through without
comment or quarantine as some are "legitimate". But the docs did warn
about "false positives". Although pedantic types (who me?) might argue it
is not a "false positive" if it met the testing criteria.

> for "legitimate" messages while I'd always want to stop the ContainsMacros
> case. By "legitimate" here, I'm not saying that whatever heuristic is being
>
> interpreted incorrectly, but merely that real email from legitimate senders
> is being sent to users who expect to get that specific email.
>
> Disabling all heuristics avoids all of these detections...

That settles that, apparently. All or nothing.

joe a
Re: [clamav-users] Heuristics, only on or off?
Sent from my iPad

> On Mar 23, 2021, at 18:29, Joe Acquisto-j4 <joea@j4computers.com> wrote:
>
> The "spoofed domain" is the one I would rather allow to pass through without
> comment or quarantine as some are "legitimate". But the docs did warn
> about "false positives". Although pedantic types (who me?) might argue it
> is not a "false positive" if it met the testing criteria.

There is a whitelist capability (M & X records) that allows designated alternative domains to pass the heuristics tests, but my observation over several years now is that nobody seems to be maintaining those entries, resulting in the FPs observed. I can only guess that most users leave the option disabled, resulting in whitelist maintenance not being a priority.

-Al-

Re: [clamav-users] Heuristics, only on or off?
On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:

> In log find (snipped)
>
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>
> and
>
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>
> I love the first one but loathe the second one.
> Is there some secret sauce to
> allow discriminating between them?

If I remember correctly, I used to do this in my MTA - exim,
filtering in the ACL based on the text which you are logging.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: [clamav-users] Heuristics, only on or off?
Hi there,

On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>> On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
>>> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>>>
>>>> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>>>>
>>>> and
>>>>
>>>> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>>>>
>>>> I love the first one but loathe the second one.
>>>
>>> I don't think I understand the question.
>>>
>>> There are two distinct names for two different classes of threat.
>>> What exactly are you looking for that isn't provided by the names?
>>> Do you mean distinguishing between individual examples of the type of
>>> threat? Perhaps you should be looking at your log verbosity, or perhaps
>>> something which analyzes suspect data more thoroughly. Are these logs the
>>> result of scanning filesystems, scanning mail, or...?
>
> I was not clear. ...

Correct.

> The "spoofed domain" is the one I would rather allow to pass through without
> comment or quarantine as some are "legitimate". But the docs did warn
> about "false positives". Although pedantic types (who me?) might argue it
> is not a "false positive" if it met the testing criteria.

So this is only when you're scanning mail?

> That settles that, apparently. All or nothing.

Not necessarily.

But it will help enormously if you will answer my questions.

--

73,
Ged.

Re: [clamav-users] Heuristics, only on or off?
Joe Acquisto-j4 wrote:
> In log find (snipped)
>
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"

This is enabled by the AlertOLE2Macros directive in clamd.conf.

> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"

This is enabled by the PhishingScanURLs directive in clamd.conf.

> I love the first one but loathe the second one. Is there some secret sauce to
> allow discriminating between them?

Read the man page for clamd.conf. You may have to do some testing in a
sandbox with some sample emails to determine exactly which combination
of these and several apparently related settings you want enabled.

On the systems I maintain, I found that PhishingScanURLs suffered from
too many false positives (albeit mostly on mail from senders that should
really know better - I'm looking at you, major financial institutions),
so I disabled it for hard pass/fail scanning. I set up a secondary
clamd instance with these and a number of other potentially FP-prone
options as well as a collection of variously potentially risky third
party and local signatures, but without the stock signatures. This
second instance is called from SpamAssassin for scoring instead of hard
pass/fail.

-kgd
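Both Andrew's approach (filtering in the MTA on the text ClamAV logs) and Kevin's (a separate scoring instance instead of hard pass/fail) come down to the same thing: act on the signature name rather than on the bare fact of a FOUND. The script below is an added example, not code from this thread or from the ClamAV project. It assumes clamd's usual result line format, `<target>: <signature> FOUND` or `<target>: OK`, and the policy table, score values and sample lines are constructed for illustration; a real deployment would plug the verdict into the MTA's ACL or a SpamAssassin rule.

```python
"""Route clamd results by signature family instead of failing on every FOUND.

Added example (not from the thread or the ClamAV project). Assumes clamd's
result line format "<target>: <signature> FOUND" / "<target>: OK"; the
policy table and scores below are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# clamd / clamdscan result line: "<target>: <signature> FOUND" or "<target>: OK"
RESULT_RE = re.compile(r"^(?P<target>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

# Hypothetical policy table keyed by dotted signature-name prefix.
#   "reject" = hard fail at the MTA
#   "score"  = add weight for a scoring filter such as SpamAssassin
# The most specific (longest) matching prefix wins.
POLICY = {
    "Heuristics.OLE2.ContainsMacros": ("reject", 0.0),
    "Heuristics.Phishing.Email.SpoofedDomain": ("score", 2.5),
    "Heuristics.Phishing": ("score", 4.0),
    "Heuristics": ("score", 1.0),
}
# Anything else that is FOUND (i.e. a real signature hit) stays a hard fail.
DEFAULT_FOUND = ("reject", 0.0)


@dataclass
class Verdict:
    target: str
    signature: Optional[str]
    action: str
    score: float


def policy_for(signature: str) -> Tuple[str, float]:
    """Pick the decision for the longest prefix that matches the signature name."""
    best = None
    for prefix, decision in POLICY.items():
        if signature == prefix or signature.startswith(prefix + "."):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, decision)
    return best[1] if best else DEFAULT_FOUND


def parse_result(line: str) -> Verdict:
    """Turn one clamd result line into a per-part verdict."""
    m = RESULT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd result line: {line!r}")
    sig = m.group("sig")
    if sig is None:  # "... : OK"
        return Verdict(m.group("target"), None, "accept", 0.0)
    action, score = policy_for(sig)
    return Verdict(m.group("target"), sig, action, score)


def decide_message(lines: List[str]) -> Tuple[str, float, List[Verdict]]:
    """Combine verdicts for one message: any reject wins, otherwise scores add up."""
    verdicts = [parse_result(line) for line in lines]
    if any(v.action == "reject" for v in verdicts):
        return "reject", 0.0, verdicts
    total = sum(v.score for v in verdicts)
    return ("score" if total > 0 else "accept"), total, verdicts


# Constructed sample results (clamd line format) for two hypothetical messages.
MACRO_MSG = [
    "/var/spool/msg1/body.txt: OK",
    "/var/spool/msg1/invoice.docm: Heuristics.OLE2.ContainsMacros.VBA FOUND",
]
PHISH_MSG = [
    "/var/spool/msg2/body.html: Heuristics.Phishing.Email.SpoofedDomain FOUND",
]

if __name__ == "__main__":
    for name, msg in (("msg1", MACRO_MSG), ("msg2", PHISH_MSG)):
        action, score, _ = decide_message(msg)
        print(f"{name}: {action} (score {score})")
```

The prefix table is deliberately ordered from specific to generic so that a single heuristic such as the spoofed-domain one can be downgraded to a score while the rest of the Heuristics.Phishing family keeps a higher weight, and anything that is not a heuristic at all is still rejected outright.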
