Mailing List Archive

[clamav-users] allowlist/fixing false positive
Hi,

I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
have a newsletter from ncua.gov that keeps getting blocked because it
apparently contains links.gd in the body somewhere, although I can't
find it.

How do I exclude this email from being tagged without having to bypass
the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

X-Amavis-Alert: INFECTED, message contains virus:
Heuristics.Phishing.Email.SpoofedDomain

Also, I keep deleting the main.cvd database but it keeps replacing it.
How do I configure clamav so it only updates one of the main database
types?

clamscan -v virus-20220228T143424-suCp6LTlKRG5
LibClamAV Warning: Detected duplicate databases
/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
remove one of them
Scanning /root/quarantine/virus-20220228T143424-suCp6LTlKRG5
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://lnks.gd
LibClamAV info: Display URL: chairmanharpersfullremarksareavailableonncua.gov
/root/quarantine/virus-20220228T143424-suCp6LTlKRG5:
Heuristics.Phishing.Email.SpoofedDomain FOUND

The entire email can be found here:
https://pastebin.com/EXZ1fDpK

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] allowlist/fixing false positive
Alex via clamav-users wrote:
> Hi,
>
> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
> have a newsletter from ncua.gov that keeps getting blocked because it
> apparently contains links.gd in the body somewhere, although I can't
> find it.
>
> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Putting aside all of the "why are you idiots sending mail that triggers
this test in the first place" grumpiness at the senders, I'd recommend
redesigning your mail flow so that this is only triggered in a Clam
instance whose results are scored in SpamAssassin or some other layer
where this particular test can be scored alongside other things.

I gave up chasing FPs on it when used as a hard pass/fail check. Too
many places that should really know better... apparently don't. :/
(Seriously, why are so many places using URL shorteners as the link
targets in HTML mail? It's not like the eleventy-gazillion characters
of clicktracker are taking up visual space in the message...)

If you still want to press on, look up the ".wdb" signature file (seems
to be available at
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
now), and add lines similar to these:

X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com

I sometimes had to fiddle and guess and shorten and lengthen and swap
the URI elements to get it to properly match and exclude the link from
this test; good luck.

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?
>
> clamscan -v virus-20220228T143424-suCp6LTlKRG5
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> remove one of them

O_o That's a new one on me. I don't recall ever having spontaneously
had both regenerate, and IIRC it's been a while since I've even seen the
.cvd on live systems I maintain. (At a quick look, all of them seem to
just have the .cld files.) Maybe remove the file, and run freshclam -D
to see if that gives any more detail about what's going on? Maybe
remove the .cld and see what freshclam does? Maybe remove *ALL* files
in the ClamAV database directory path, and let freshclam download
complete fresh copies of everything?

-kgd
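kgd's .wdb approach applied to the exact link pair in the clamscan output above, as an added example that is not part of the thread or of the ClamAV project. It assumes DatabaseDirectory is /var/lib/clamav and picks the file name local-allow.wdb (any *.wdb in that directory is loaded). The X: line's first field is matched against the real href URL and the second against the displayed link text with whitespace removed, which is why "chairmanharpersfullremarksareavailableonncua.gov" needs a pattern that tolerates arbitrary text in front of the domain. As kgd says, the patterns may need fiddling; the rescan step is there so you can see whether "Suspicious link found" still appears before you trust the entry.

```sh
#!/bin/sh
# Added example (not from the thread or the ClamAV project): write a local
# .wdb allowlist for the lnks.gd -> ncua.gov pair, then rescan the quarantined
# message. Assumed: DatabaseDirectory /var/lib/clamav, file name local-allow.wdb.

DBDIR="${DBDIR:-/var/lib/clamav}"
ALLOWLIST="$DBDIR/local-allow.wdb"

# Build one X: line. Field 1 accepts the real host only when it is preceded by
# "/" or "." so that evillnks.gd does not ride along; field 2 accepts the
# displayed domain with any text in front of it (the displayed "URL" is the
# link text with whitespace removed). Dots are escaped for the regex.
wdb_entry() {
    real_host=$(printf '%s' "$1" | sed 's/\./\\./g')
    display_domain=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf 'X:(.*[./])?%s([/?].*)?:.*%s([/?].*)?\n' "$real_host" "$display_domain"
}

install_allowlist() {
    {
        echo "# local phishing allowlist: real host -> displayed domain"
        wdb_entry lnks.gd ncua.gov
    } > "$ALLOWLIST"
    chmod 644 "$ALLOWLIST"
}

# Rescan against the whole database directory so the new .wdb is loaded;
# -v prints the "Suspicious link found" trace for any link that still trips.
# Then ask the running clamd to reload so amavisd benefits as well.
rescan() {
    clamscan -v --database="$DBDIR" "$1"
    clamdscan --reload
}

# Usage: sh allowlist.sh --apply /root/quarantine/virus-20220228T143424-suCp6LTlKRG5
if [ "${1:-}" = "--apply" ]; then
    install_allowlist
    rescan "${2:?quarantined message path}"
fi
```

Caveat before you trust it: this entry allowlists every lnks.gd link whose displayed text mentions ncua.gov, which is precisely the pattern a phisher spoofing NCUA would use, so it is a deliberate decision to trust that sender's shortener. If that is too broad, the scoring route kgd describes (let amavisd or SpamAssassin weigh the hit instead of treating it as a virus) is the safer fix.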

Re: [clamav-users] allowlist/fixing false positive
Hi there,

On Tue, 1 Mar 2022, Alex via clamav-users wrote:

> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
> have a newsletter from ncua.gov that keeps getting blocked because it

The providers of Fedora do some IMHO slightly odd things with ClamAV
packaging which sometimes show up here on the mailing list. More on
that later.

> apparently contains links.gd in the body somewhere, although I can't
> find it.

How did you look?! The string is present in the message eight times.
The line numbers are shown below:

8<----------------------------------------------------------------------
$ grep -n 'lnks\.gd' EXZ1fDpK.raw
357: margin: 0 0 15px;"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJ=
564:ca,sans-serif"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxs=
571:" alt=3D"Facebook"></a> =A0 <a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1=
578:original.png" alt=3D"Twitter"></a> =A0 <a href=3D"https://lnks.gd/l/eyJhb=
586:tps://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDQsInVy=
600:<p><font face=3D"arial,helvetica,sans-serif"><a href=3D"https://lnks.gd/l=
606:rel=3D"noopener">Unsubscribe</a>=A0|=A0 <a href=3D"https://lnks.gd/l/eyJh=
644:op" width=3D"95"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidW=
8<----------------------------------------------------------------------

> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Given the limitation you impose (not bypassing the rule altogether)
that's probably not a ClamAV question. You can whitelist things in
several ways. Although I've never used Amavis myself I'm sure that
you can use its whitelisting features. Try searching for something
like that in the Amavis documentation, if you don't come up with an
easy way to do it drop me a private message. (It will be rejected,
but you don't need to worry about that - I'll still read it. :)

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?

My guess is that you somehow have two update mechanisms operating, and
that you need to stop one of them. There are probably two 'freshclam'
processes running. At a guess one of them is running 24/7 as a daemon
and the other one is running from a cron job or similar. This is what
I meant by some slightly odd things in Fedora - I think they might be
making it too easy for people to get into this position because of the
way they split up and repackage various parts of ClamAV. You might
find that it's less of an issue if you use the package from the ClamAV
Website instead of the Fedora packages, but sometimes 'management' and
'policy' and things like that intrude to make that difficult. I have
to repeat that a lot of what I've said in this paragraph is guesswork.
If it helps, great, if not please do get back to us.

--

73,
Ged.

Re: [clamav-users] allowlist/fixing false positive
On 01.03.22 17:15, Alex via clamav-users wrote:
>I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
>have a newsletter from ncua.gov that keeps getting blocked because it
>apparently contains links.gd in the body somewhere, although I can't
>find it.
>
>How do I exclude this email from being tagged without having to bypass
>the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
>
>X-Amavis-Alert: INFECTED, message contains virus:
> Heuristics.Phishing.Email.SpoofedDomain

I think this can be enabled by disabling PhishingScanURLs in clamd.conf
I also think amavis has way to handle this kind of clamav result
differently, but that's question for amavis, not for clamav.

>Also, I keep deleting the main.cvd database but it keeps replacing it.
>How do I configure clamav so it only updates one of the main database
>types?
>
>clamscan -v virus-20220228T143424-suCp6LTlKRG5
>LibClamAV Warning: Detected duplicate databases
>/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
>remove one of them

Do you have both of them? Which one is older?
Don't you have an old clamav(-freshclam) installation hanging somewhere?

>LibClamAV info: Real URL: https://lnks.gd
>LibClamAV info: Display URL: chairmanharpersfullremarksareavailableonncua.gov
>/root/quarantine/virus-20220228T143424-suCp6LTlKRG5:
>Heuristics.Phishing.Email.SpoofedDomain FOUND

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
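A quick check for the two questions raised in the replies above (Ged's guess that two update mechanisms are racing, and Matus's "which one is older?"), as an added example that is not part of the thread. freshclam writes a .cld when it updates an existing database by applying incremental patches and a .cvd when it downloads the complete file, so the duplicate pair is what you get when two updaters, or an updater and a package install, each produced one. The script assumes DatabaseDirectory is /var/lib/clamav (override with DBDIR) and only reports; it deletes nothing.

```sh
#!/bin/sh
# Added example, not from the thread: list database names present as both
# .cvd and .cld (the "Detected duplicate databases" warning), show the
# version inside each copy, and list anything on the box that could be
# running freshclam. Assumed DatabaseDirectory: /var/lib/clamav.

DBDIR="${DBDIR:-/var/lib/clamav}"

# Print the base name of every database that exists in both formats.
duplicate_dbs() {
    dir="$1"
    for cvd in "$dir"/*.cvd; do
        [ -e "$cvd" ] || continue
        base="${cvd%.cvd}"
        if [ -e "$base.cld" ]; then
            printf '%s\n' "${base##*/}"
        fi
    done
}

# For one duplicate, show the mtime of each copy and, if sigtool is installed,
# the embedded version, so you keep the newer database rather than guessing
# from file dates.
describe_pair() {
    dir="$1"; name="$2"
    for f in "$dir/$name.cvd" "$dir/$name.cld"; do
        ls -l "$f"
        if command -v sigtool >/dev/null 2>&1; then
            sigtool --info "$f" | grep -i '^Version' || true
        fi
    done
}

# Candidate updaters: a running freshclam, systemd units, cron entries.
list_updaters() {
    pgrep -a freshclam || echo "no freshclam process running"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-units --all 'clamav*' || true
    fi
    grep -rl freshclam /etc/cron* /var/spool/cron 2>/dev/null \
        || echo "no cron entry mentions freshclam"
}

# Usage: sh dupcheck.sh --check
if [ "${1:-}" = "--check" ]; then
    for name in $(duplicate_dbs "$DBDIR"); do
        describe_pair "$DBDIR" "$name"
    done
    list_updaters
fi
```

If both a daemonized freshclam and a cron job (or the clamav-unofficial-sigs script invoking freshclam) show up, disable one of them before removing the older copy, otherwise the pair will reappear on the next run.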

Re: [clamav-users] allowlist/fixing false positive
Hi,

> >How do I exclude this email from being tagged without having to bypass
> >the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
> >
> >X-Amavis-Alert: INFECTED, message contains virus:
> > Heuristics.Phishing.Email.SpoofedDomain
>
> I think this can be enabled by disabling PhishingScanURLs in clamd.conf
> I also think amavis has way to handle this kind of clamav result
> differently, but that's question for amavis, not for clamav.

I've located this amavisd entry I created many years ago and could
probably adapt to bypass this rule, but I'm not sure that's what I
want.

@virus_name_to_spam_score_maps =
(new_RE( # the order matters, first match wins
[ qr'^Heuristics.OLE2.ContainsMacros' => 1.1 ],
));

I don't believe the NCUA is using these lnks.gd links maliciously, but
perhaps that's misguided thinking, and I hoped there was a way to bypass
the restriction for this sender or this email.

> >Also, I keep deleting the main.cvd database but it keeps replacing it.
> >How do I configure clamav so it only updates one of the main database
> >types?
> >
> >clamscan -v virus-20220228T143424-suCp6LTlKRG5
> >LibClamAV Warning: Detected duplicate databases
> >/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> >remove one of them
>
> do you have both of them? which one is older?
> Don't you have old clamav(-freshclam) installation hanging somewhere?

The cld version was dated Sept 19th (since manually deleted) and the
cvd version is dated Sept 22nd. I'll have to see if it returns.

I have freshclam in a cron script, as well as the
clamav-unofficial-sigs script, but I just ran each independently and
neither created the cld version on its own.

Running freshclam manually shows:
# freshclam -v
Current working dir is /var/lib/clamav/
Loaded freshclam.dat:
version: 1
uuid: 3c2d69eb-43f9-4dc2-b65d-c765960e1b15
ClamAV update process started at Thu Mar 3 10:52:04 2022
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.103.5
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cld.
query_remote_database_version: daily.cvd version from DNS: 26470
daily.cld database is up-to-date (version: 26470, sigs: 1975302,
f-level: 90, builder: raynman)
fc_update_database: daily.cld already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of main found: main.cvd.
query_remote_database_version: main.cvd version from DNS: 62
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level:
90, builder: sigmgr)
fc_update_database: main.cvd already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
query_remote_database_version: bytecode.cvd version from DNS: 333
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level:
63, builder: awillia2)
fc_update_database: bytecode.cvd already up-to-date.
[root@armor cron.d]# ls -lh /var/lib/clamav/main*
-rw-r--r-- 1 clamupdate clamupdate 163M Sep 22 10:01 /var/lib/clamav/main.cvd
[root@armor cron.d]# ls -l /var/lib/clamav/daily*
-rw-r--r-- 1 clamupdate clamupdate 182230528 Mar 3 06:31
/var/lib/clamav/daily.cld

There's also a reference to the cld file in /etc/freshclam.conf:
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

btw, can I ask if people are still using the Google safebrowsing
database with the api key?
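The adaptation Alex mentions, written out as an added example (this is not Alex's configuration and not amavisd's own code): the existing @virus_name_to_spam_score_maps entry extended so that the phishing heuristic is turned into a spam-score contribution rather than an "INFECTED" verdict, which is also the scoring layer kgd recommended. The score of 2.0 is an assumption to tune; the OLE2 line is the one already in the post, with the dots escaped so they match literally rather than any character.

```perl
# Added example (not Alex's config): in amavisd.conf, map ClamAV's phishing
# heuristic to a spam score instead of a hard virus verdict. First match wins.
@virus_name_to_spam_score_maps = (new_RE(
    [ qr'^Heuristics\.Phishing\.Email\.SpoofedDomain' => 2.0 ],   # assumed score
    [ qr'^Heuristics\.OLE2\.ContainsMacros'            => 1.1 ],
));
```

Once the hit is a score, the NCUA newsletter goes through amavisd's spam path instead of the virus quarantine, so a per-sender exception can be made there (amavisd's sender whitelist maps or a SpamAssassin rule for that sender) without touching the ClamAV signature itself. Reload amavisd after the change and resend the quarantined message through it to confirm the X-Amavis-Alert header is gone.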

Re: [clamav-users] allowlist/fixing false positive
Hi there,

On Thu, 3 Mar 2022, Alex via clamav-users wrote:

> The cld version was dated Sept 19th (since manually deleted) and the
> cvd version is dated Sept 22nd. I'll have to see if it returns.

I suspect that the cld version was created when you updated the ClamAV
utilities from the distribution's packages. I think I've seen this on
another occasion here on the list not long ago, maybe worth a search.

> btw, can I ask if people are still using the Google safebrowsing
> database with the api key?

I can only speak from my own experience. I never saw the safebrowsing
database catch anything, and when Sourcefire stopped distributing it I
stopped using it.

--

73,
Ged.
