Mailing List Archive

[clamav-users] ClamAV is not respecting Phishing* settings.
ClamAV is not respecting Phishing* settings.

clamd.conf:
...
PhishingSignatures false
PhishingScanURLs false


Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
infected with Email.Phishing.VOF1-6326576-0;
from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
proto=ESMTP helo=<walleniusmarine.com>

Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
server.squaregroup.com>


v0.103.3+dfsg-0+deb11u1


-Jim P.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV is not respecting Phishing* settings.
I am sure someone will respond about your particular issue, but are you saying they are false positives?


Sent from my iPhone

> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> ClamAV is not respecting Phishing* settings.
>
> clamd.conf:
> ...
> PhishingSignatures false
> PhishingScanURLs false
>
>
> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
> infected with Email.Phishing.VOF1-6326576-0;
> from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
> proto=ESMTP helo=<walleniusmarine.com>
>
> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
> infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
> to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
> server.squaregroup.com>
>
>
> v0.103.3+dfsg-0+deb11u1
>
>
> -Jim P.
>
>
Re: [clamav-users] ClamAV is not respecting Phishing* settings.
On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <jesler@cisco.com> wrote:
>I am sure someone will respond about your particular issue, but are you saying they are false positives?
>
>—
>Sent from my iPhone
>
>> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> ClamAV is not respecting Phishing* settings.
>>
>> clamd.conf:
>> ...
>> PhishingSignatures false
>> PhishingScanURLs false
>>
>>
>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
>> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
>> infected with Email.Phishing.VOF1-6326576-0;
>> from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
>> proto=ESMTP helo=<walleniusmarine.com>
>>
>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
>> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
>> infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
>> to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
>> server.squaregroup.com>
>>
>>
>> v0.103.3+dfsg-0+deb11u1
>>
>>
>> -Jim P.
>>
>>

I'm saying I don't want ClamAV to do anything other than scan for viruses. I have followed the ClamAV documentation and yet ClamAV is doing something it is configured not to do. What other things is ClamAV doing then?

-Jim P.

Re: [clamav-users] ClamAV is not respecting Phishing* settings.
Hi there,

On Thu, 23 Sep 2021, Jim Popovitch via clamav-users wrote:
> On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <jesler@cisco.com> wrote:
>> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users@lists.clamav.net> wrote:
>>>
>>> ClamAV is not respecting Phishing* settings.
>>>
>>> clamd.conf:
>>> ...
>>> PhishingSignatures false
>>> PhishingScanURLs false
>>>
>>>
>>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
>>> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
>>> infected with Email.Phishing.VOF1-6326576-0;
>>> from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
>>> proto=ESMTP helo=<walleniusmarine.com>
>>>
>>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
>>> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
>>> infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
>>> to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
>>> server.squaregroup.com>
>>
>> I am sure someone will respond about your particular issue, but are
>> you saying they are false positives?
>
> I'm saying I don't want ClamAV to do anything other than scan for
> viruses. I have followed the ClamAV documentation and yet ClamAV is
> doing something it is configured not to do. What other things is
> ClamAV doing then?

You misunderstand what ClamAV does. In its assorted databases there
are millions of signatures from multiple parties. A signature has a
name and a pattern. ClamAV is incapable of understanding the names,
and if a party decides to call a signature "Some.Phishing.Signature",
then if the pattern in the signature matches, that's what ClamAV will
tell you was "FOUND". But it does not know anything about the name,
and it does not filter its output based on the name. There are many,
many signatures which are not strictly speaking "viruses". Short of
removing them from the database yourself, you have no way to prevent
them from being used.

In addition to the database signatures there are 'heuristics' coded in
the ClamAV libraries. See for example libclamav/phishcheck.c (or grep
all the files in the libclamav directory for 'Heuristics'). This kind
of detection does not use signatures, but looks for things in the data
which are considered suspicious. Examples include: HTTP anchors where
the display text in the anchor is very different from the link itself;
the text displayed is https and the anchor is not; hostnames differ;
embedded numeric IP addresses. This kind of thing can be difficult to
detect using signatures, which is why there is a chunk of code called
phishcheck.c, and it's things in this code which are disabled by your
configuration options - not signatures named in any particular way.

Why do you not want ClamAV to alert you to (what appear to me to be)
obvious scam emails? Is it because some are false positives?

--

73,
Ged.
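The three link heuristics Ged lists above (display text versus link host, displayed https versus a non-https link, numeric IP in the link), as an added toy model that is not ClamAV's phishcheck.c code; the sample HTML is constructed for the example.

```python
"""Toy model of the link heuristics Ged lists (in the spirit of phishcheck.c).
Added example, not ClamAV code: it only implements the checks named in the
post, so the difference between a heuristic and a database signature is visible."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, display text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True for display text a reader takes for an address ('Read more' is not one)."""
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None


def check_anchors(html):
    """Return (href, reason) for every anchor that one of the heuristics flags."""
    collector = AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.anchors:
        link_host, shown = host_of(href), looks_like_url(text)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", link_host):  # IPv4 literal only
            hits.append((href, "numeric IP in link"))
        elif shown and host_of(text if "://" in text else "http://" + text) != link_host:
            hits.append((href, "displayed host differs from link host"))
        elif shown and text.lower().startswith("https://") and not href.lower().startswith("https://"):
            hits.append((href, "displayed https but link is not"))
    return hits


# Constructed sample (not a real message): three suspicious anchors and one benign one.
SAMPLE_HTML = (
    '<p>Track here: <a href="http://198.51.100.7/track">198.51.100.7/track</a></p>'
    '<p><a href="http://login.example.net/x">https://www.dhl.com/parcel</a></p>'
    '<p><a href="http://secure.example.org/">https://secure.example.org/</a></p>'
    '<p><a href="https://www.example.com/news">Read more</a></p>'
)
```

Because these checks work on the decoded HTML rather than on a database pattern, they are what PhishingScanURLs switches off; a signature hit is unaffected by that option.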

Re: [clamav-users] ClamAV is not respecting Phishing* settings.
On Thu, 2021-09-23 at 09:28 +0100, G.W. Haywood via clamav-users wrote:
>
> Why do you not want ClamAV to alert you to (what appear to me to be)
> obvious scam emails?

Because I have chosen to disable the Phishing* checks, per the ClamAV
documentation, and apparently that isn't happening. I understand
(immensely) why you or others should/would/could want the Phishing*
checks to be automatically enabled for you, but I have made a decision
to turn those off in this case, and ClamAV is not respecting that.

-Jim P.


Re: [clamav-users] ClamAV is not respecting Phishing* settings.
To further Ged's point, these signatures that are hitting are extended
logical signatures. Phishing signatures have a very specific format that
are either solely looking at hostnames, host prefixes, link destinations
and alternate text, and displayed hostnames (
https://docs.clamav.net/manual/Signatures/PhishSigs.html). When you are
turning off PhishingSignatures and PhishingScanURLs, those are the
signatures you are disabling. The two signatures that you've highlighted
are detecting executables inside of containers (Zip or MS documents).

You can see what the signatures are looking for using sigtool:

sigtool --find-sigs Email.Phishing.VOF1-6326576-0 | awk '{ print $2 }' | sigtool --decode-sigs

sigtool --find-sigs Email.Phishing.VOF1-6295631-2 | awk '{ print $2 }' | sigtool --decode-sigs


In the first case, it's looking for a PK header at the beginning of a mail
'container' (message, attachment, etc) and then 2 or 3 capital letters, a
non-word character or underscore, and then 5 to 7 numbers followed by the
extension .exe.

In the second, it's looking for a PK or MZ header in a mail container and
then a word boundary (non word character or end of file), followed by
either FedEx, DHL, USPS, or UPS, then zero to 100 characters and then a
.exe extension.

Since these are signatures detecting executables in mail, I personally
think the 'Phishing' is inaccurate and would probably have used a different
category, but Phishing is what they are called and that is likely the
source of the confusion.

I hope this helps...
--Maarten

Signature details:
VIRUS NAME: Email.Phishing.VOF1-6326576-0
TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
LOGICAL EXPRESSION: 1
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0
     +-> REGEX: [A-Z]{2,3}[\W_][0-9]{5,7}\.exe
     +-> CFLAGS: (null)

VIRUS NAME: Email.Phishing.VOF1-6295631-2
TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
LOGICAL EXPRESSION: 2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
MZ
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0|1
     +-> REGEX: \b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)
     +-> CFLAGS: (null)


On Thu, Sep 23, 2021 at 4:29 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 23 Sep 2021, Jim Popovitch via clamav-users wrote:
> > On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <
> jesler@cisco.com> wrote:
> >> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <
> clamav-users@lists.clamav.net> wrote:
> >>>
> >>> ClamAV is not respecting Phishing* settings.
> >>>
> >>> clamd.conf:
> >>> ...
> >>> PhishingSignatures false
> >>> PhishingScanURLs false
> >>>
> >>>
> >>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
> >>> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
> >>> infected with Email.Phishing.VOF1-6326576-0;
> >>> from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
> >>> proto=ESMTP helo=<walleniusmarine.com>
> >>>
> >>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
> >>> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
> >>> infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
> >>> to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
> >>> server.squaregroup.com>
> >>
> >> I am sure someone will respond about your particular issue, but are
> >> you saying they are false positives?
> >
> > I'm saying I don't want ClamAV to do anything other than scan for
> > viruses. I have followed the ClamAV documentation and yet ClamAV is
> > doing something it is configured not to do. What other things is
> > ClamAV doing then?
>
> You misunderstand what ClamAV does. In its assorted databases there
> are millions of signatures from multiple parties. A signature has a
> name and a pattern. ClamAV is incapable of understanding the names,
> and if a party decides to call a signature "Some.Phishing.Signature",
> then if the pattern in the signature matches, that's what ClamAV will
> tell you was "FOUND". But it does not know anything about the name,
> and it does not filter its output based on the name. There are many,
> many signatures which are not strictly speaking "viruses". Short of
> removing them from the database yourself, you have no way to prevent
> them from being used.
>
> In addition to the database signatures there are 'heuristics' coded in
> the ClamAV libraries. See for example libclamav/phishcheck.c (or grep
> all the files in the libclamav directory for 'Heuristics'). This kind
> of detection does not use signatures, but looks for things in the data
> which are considered suspicious. Examples include: HTTP anchors where
> the display text in the anchor is very different from the link itself;
> the text displayed is https and the anchor is not; hostnames differ;
> embedded numeric IP addresses. This kind of thing can be difficult to
> detect using signatures, which is why there is a chunk of code called
> phishcheck.c, and it's things in this code which are disabled by your
> configuration options - not signatures named in any particular way.
>
> Why do you not want ClamAV to alert you to (what appear to me to be)
> obvious scam emails? Is it because some are false positives?
>
> --
>
> 73,
> Ged.
>
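The two logical signatures Maarten decoded with sigtool, modelled as an added example that is not ClamAV code: the fixed-offset subsigs are checked first, the regex subsig only runs once its TRIGGER subsigs have matched, and the LOGICAL EXPRESSION decides the verdict. The sample container bytes are constructed; no Phishing* option enters the evaluation anywhere.

```python
"""Model of the two logical signatures Maarten decoded above.
Added example, not ClamAV code: it mimics how a logical signature with a
triggered regex subsignature is evaluated, to show which mail containers
would hit, and that no Phishing* option takes part in the decision."""
import re

# Per signature: the fixed-offset byte subsigs (OFFSET: 0), the regex subsig
# with the subsig ids in its TRIGGER, and the LOGICAL EXPRESSION (the subsig
# id that must match in the end), transcribed from the sigtool output.
SIGNATURES = {
    "Email.Phishing.VOF1-6326576-0": {
        "fixed": {0: b"PK"},
        "regex": {"id": 1, "trigger": {0},
                  "pattern": rb"[A-Z]{2,3}[\W_][0-9]{5,7}\.exe"},
        "expression": 1,
    },
    "Email.Phishing.VOF1-6295631-2": {
        "fixed": {0: b"PK", 1: b"MZ"},
        "regex": {"id": 2, "trigger": {0, 1},
                  "pattern": rb"\b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)"},
        "expression": 2,
    },
}


def evaluate(sig, data):
    """True when the signature's logical expression holds for the container bytes."""
    matched = {sid for sid, magic in sig["fixed"].items() if data.startswith(magic)}
    rx = sig["regex"]
    # TRIGGER 0 / TRIGGER 0|1: the regex only runs once one of the listed
    # subsigs matched, so a zip (PK) or executable (MZ) header is required first.
    # CFLAGS: (null), so no regex flags are applied here either.
    if matched & rx["trigger"] and re.search(rx["pattern"], data):
        matched.add(rx["id"])
    return sig["expression"] in matched


def scan(data):
    """Names of the modelled signatures that fire on the given container bytes."""
    return [name for name, sig in SIGNATURES.items() if evaluate(sig, data)]


# Constructed samples (not real attachments): a zip or exe header followed by
# a member/file name as it would appear inside the archive.
ZIP_WITH_INVOICE_EXE = b"PK\x03\x04" + b"\x00" * 26 + b"INV_1234567.exe"
ZIP_WITH_DHL_SCR = b"PK\x03\x04" + b"\x00" * 26 + b"DHL shipment notice 2021.scr"
EXE_WITH_UPS = b"MZ\x90\x00" + b"\x00" * 40 + b"UPS_tracking.exe"
PLAIN_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"quarterly_report.pdf"
TEXT_ONLY = b"Your DHL parcel invoice.exe is attached"  # no PK/MZ: trigger never fires

if __name__ == "__main__":
    for sample in (ZIP_WITH_INVOICE_EXE, ZIP_WITH_DHL_SCR, EXE_WITH_UPS, PLAIN_ZIP, TEXT_ONLY):
        print(sample[-30:], "->", scan(sample) or "clean")
```

TEXT_ONLY shows the trigger at work: the regex alone would match the body text, but with no PK or MZ at offset 0 it is never evaluated, which is why these signatures only fire on archives and executables.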
Re: [clamav-users] ClamAV is not respecting Phishing* settings.
On Thu, 2021-09-23 at 07:36 -0400, Maarten Broekman via clamav-users
wrote:
> To further Ged's point, these signatures that are hitting are extended
> logical signatures. Phishing signatures have a very specific format
> that are either solely looking at hostnames, host prefixes, link
> destinations and alternate text, and displayed hostnames
> (https://docs.clamav.net/manual/Signatures/PhishSigs.html). When you
> are turning off PhishingSignatures and PhishingScanURLs, those are the
> signatures you are disabling. The two signatures that you've
> highlighted are detecting executables inside of containers (Zip or MS
> documents).
>
> You can see what the signatures are looking for using sigtool:
> > sigtool --find-sigs Email.Phishing.VOF1-6326576-0 | awk '{ print $2
> > }' | sigtool --decode-sigs
> >
> > sigtool --find-sigs Email.Phishing.VOF1-6295631-2 | awk '{ print $2
> > }' | sigtool --decode-sigs
>
>
> In the first case, it's looking for a PK header at the beginning of a
> mail 'container' (message, attachment, etc) and then 2 or 3 capital
> letters, a non-word character or underscore, and then 5 to 7 numbers
> followed by the extension .exe.
>
> In the second, it's looking for a PK or MZ header in a mail container
> and then a word boundary (non word character or end of file), followed
> by either FedEx, DHL, USPS, or UPS, then zero to 100 characters and
> then a .exe extension.
>
> Since these are signatures detecting executables in mail, I personally
> think the 'Phishing' is inaccurate and would probably have used a
> different category, but Phishing is what they are called and that is
> likely the source of the confusion.
>
> I hope this helps...
> --Maarten
>
> Signature details:
> VIRUS NAME: Email.Phishing.VOF1-6326576-0
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 1
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> PK
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>      +-> TRIGGER: 0
>      +-> REGEX: [A-Z]{2,3}[\W_][0-9]{5,7}\.exe
>      +-> CFLAGS: (null)
>
> VIRUS NAME: Email.Phishing.VOF1-6295631-2
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 2
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> PK
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> MZ
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>      +-> TRIGGER: 0|1
>      +-> REGEX: \b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)
>      +-> CFLAGS: (null)
>

Maarten, Thank you very much! What you have provided helps me
understand this better. I agree with the Sig name being a bit confusing.
:)

I humbly withdraw my claim that ClamAV is not respecting my settings.

Thanks Ged, Maarten

-Jim P. (K4VQC)


