[clamav-users] Clamd vs clamscan

Gene Heskett gheskett at wdtv.com
Wed Feb 10 16:32:52 UTC 2016


On Wednesday 10 February 2016 10:22:44 Kris Deugau wrote:

> Gene Heskett wrote:
> > But, I do wish that clamd would send me a substitute email advising
> > that it has stashed a suspect incoming email into the
> > mailfile /var/spool/mail/virii.  I try to look that file over for
> > FP's, but quickly get lost in the visual garbage because it's
> > probably a zip'd file.
>
> This depends on exactly where clamdscan is being called in your mail
> processing;  ClamAV just does a bunch of pattern matching and returns
> a result in most configurations.
>
> On my personal server, I call Clam from the MIMEDefang milter such
> that all signature-based hits get discarded sight unseen, but any hits
> on any phishing or "Heuristics" tests get a header added for
> consideration by SpamAssassin, precisely because of things like:
>
> > I just looked over 260kb of what clamd id'd as virii, but which in
> > fact are 5 messages from my bank about a new CC they were sending
> > me, and some 5 or 6 were propaganda from AARP. And 3 shipping
> > notices regarding stuff I bought thru ebay. In this case, an FP rate
> > in excess of 90%! That is so high that I am expunging the clamd
> > recipe from my .procmailrc as the next thing I do.  Only two files
> > containing .zip's, were real suspects, and I do have a delete
> > button.
>
> I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain
> hits.  A lot of organizations that should really know better tend to
> trigger this with third-party mailings or promotional mailings where
> the link text says "mybank.com", but the link address is
> "tracking.example.com".

I believe that to be fairly accurate too. OTOH, I do get a lot of stuff 
that passes, which IMO is phishing so that perhaps needs help.

> -kgd

In any event, that recipe is commented out now and several spam spewer 
addresses restored to dump them into the spam folder, more as an aid to 
keep spamassassin well trained. I think it could do a better job, but at 
least I can get to review its effectiveness late in the evenings before 
sa-learn --spam is called on that directory. 


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
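The policy Kris describes in the reply above (signature-based hits dropped or quarantined, Heuristics/phishing hits merely flagged for SpamAssassin to weigh) can be expressed as a small dispatcher around clamdscan. This is an added example, not code from either poster, from ClamAV or from MIMEDefang; it assumes clamdscan's one-line verdict format ("<file>: <signature> FOUND" or "<file>: OK"), and the header name X-Clam-Heuristic and the Eicar-Test-Signature sample line are constructed for illustration:

```shell
#!/bin/sh
# Added example (not code from the thread, ClamAV or MIMEDefang).
# Split clamdscan verdicts the way Kris describes: a named signature hit is
# quarantined (Gene's /var/spool/mail/virii idea), while Heuristics.* and
# phishing verdicts only get an advisory header so SpamAssassin can score
# the message instead of it being dropped sight unseen.
# Assumed clamdscan output: "<file-or-stream>: <signature> FOUND" / "<...>: OK".

# extract_signature LINE -> the signature name from a "... FOUND" line
extract_signature() {
    sig=${1%" FOUND"}               # drop the trailing " FOUND"
    printf '%s\n' "${sig#*": "}"    # drop the "<name>: " prefix
}

# classify_verdict LINE -> clean | header | quarantine | error
classify_verdict() {
    case $1 in
        *": OK") echo clean ;;
        *" FOUND")
            case $(extract_signature "$1") in
                Heuristics.*|*Phishing*) echo header ;;   # advisory only
                *) echo quarantine ;;                      # real signature hit
            esac ;;
        *) echo error ;;   # ERROR lines, or clamd not reachable at all
    esac
}

# add_scan_header FILE SIGNATURE: print FILE with an advisory header prepended.
# The header name X-Clam-Heuristic is an assumption, not a ClamAV convention;
# a local SpamAssassin rule (not shown) would add score based on it.
add_scan_header() {
    printf 'X-Clam-Heuristic: %s\n' "$2"
    cat "$1"
}

# handle_message FILE QUARANTINE_DIR: scan FILE with clamdscan and apply the
# policy above. Clean or header-tagged messages go to stdout for the next
# delivery step; quarantined ones are moved and nothing is printed.
# Returns 2 on a scan error so the caller can fall back to plain delivery
# rather than silently losing mail.
handle_message() {
    msg=$1; qdir=$2
    line=$(clamdscan --no-summary --stdout "$msg" 2>&1 | head -n 1)
    case $(classify_verdict "$line") in
        clean) cat "$msg" ;;
        header) add_scan_header "$msg" "$(extract_signature "$line")" ;;
        quarantine) mkdir -p "$qdir" && mv "$msg" "$qdir/" ;;
        *) printf 'scan error: %s\n' "$line" >&2; return 2 ;;
    esac
}
```

Called from a procmail filter as `handle_message "$MSGFILE" /var/spool/mail/virii`, the SpoofedDomain false positives Gene saw would reach the inbox with a header SpamAssassin can weigh against its other evidence, while the two genuine zip-borne hits would still land in the quarantine mailbox.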
