[clamav-users] ign2 whitelist don't work
Reindl Harald
h.reindl at thelounge.net
Sat Jul 16 11:40:13 UTC 2016
On 16.07.2016 at 08:26, Al Varnell wrote:
> None of those examples are signatures, they are engine driven detections
not entirely true - here two instances of clamd are running, one with
3rd party rules scored in spamassassin and the other one with the
official sigfiles - only the one with the official ones hits
sadly that also means moving them to the scoring instance would not leave
many rules / signatures for the milter as a last resort
> You must disable Heuristics using clamd.conf and clamscan options.
that's not a useful answer since the only option is
"HeuristicScanPrecedence", which doesn't disable anything, and so "you must
do this" without saying how is pointless
"PhishingScanURLs no" would also disable "safebrowsing.cvd" and likely
also most of the 3rd party rules
disabling heuristics entirely (given there were an option) would
also disable "Heuristics.OLE2.ContainsMacros"
it makes no sense that you can't disable specific heuristics
_______________________________________________________
such false positives are *unacceptable* in the case of the monthly account
overview and frankly I have not seen any hit which was not very likely a
false positive (for example newsletters from payment companies sent over
services like mailchimp)
Jul 8 14:42:49 mail-gw spamd[16295]: spamd: result: . -3 -
BAYES_50,CUST_DNSWL_5_ORG_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_PASS,USER_IN_DEF_DKIM_WL
Jul 8 14:42:10 mail-gw postfix/cleanup[19493]: 3rmDds0LjczB44:
milter-reject: END-OF-MESSAGE from
mta106b.pmx1.epsl1.com[142.54.244.106]: 5.7.1 Virus found or dangerous
attachment: "Heuristics.Phishing.Email.SpoofedDomain";
from=<bounce-HP2v200000155ca866916a7a126f4bbe5c7c0237 at mail.paypal.at>
to=<*****> proto=ESMTP helo=<mta106b.pmx1.epsl1.com>
Jul 8 14:42:49 mail-gw postfix/cleanup[19119]: 3rmDfY2gcSzB44:
milter-reject: END-OF-MESSAGE from
mta103b.pmx1.epsl1.com[142.54.244.103]: 5.7.1 Virus found or dangerous
attachment: "Heuristics.Phishing.Email.SpoofedDomain";
from=<bounce-HP2v200000155ca86bb84b0f98df4bbbf470a135 at mail.paypal.at>
to=<****> proto=ESMTP helo=<mta103b.pmx1.epsl1.com>
> On Jul 15, 2016, at 8:00 PM, Reindl Harald wrote:
>> Hi
>>
>> * the following rules do nothing but cause trouble
>> * created a ign2 file
>> * again a reject of clamav-milter
>> * tried also whitelist "Eicar-Test-Signature"
>> * also still hits
>>
>> why?!
>> _______________________________________________________
>>
>> thelounge_whitelist.ign2:
>> Heuristics.Phishing.Email.SpoofedDomain
>> Heuristics.Email.SSL-Spoof
>> Phishing.Heuristics.Email.SpoofedDomain
>> Phishing.Heuristics.Email.SSL-Spoof
>> Heuristics.Encrypted.PDF
>> _______________________________________________________
>>
>> Fri Jul 15 16:42:46 2016 -> fd[10]: Heuristics.Phishing.Email.SpoofedDomain(007f163a4f71a336e78174b48e14bc0a:10951) FOUND
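As an added example (not code from the thread or from ClamAV), a small Python script that parses an .ign2 file and the two log formats quoted above, reports detections that fired although their name is on the whitelist, and tallies engine heuristics separately from database signatures. The .ign2 contents and log lines are constructed, modelled on those in the thread; hosts, addresses and hashes are placeholders.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the .ign2 file and log lines quoted in the thread.
IGN2_TEXT = """\
Heuristics.Phishing.Email.SpoofedDomain
Heuristics.Email.SSL-Spoof
Heuristics.Encrypted.PDF
"""
LOG_TEXT = (
    'Jul 8 14:42:10 mail-gw postfix/cleanup[19493]: 3rmDds0LjczB44: milter-reject: END-OF-MESSAGE '
    'from mta1.example.net[192.0.2.10]: 5.7.1 Virus found or dangerous attachment: '
    '"Heuristics.Phishing.Email.SpoofedDomain"; from=<bounce-1@mail.example.com> to=<a@example.org>\n'
    'Jul 8 14:43:01 mail-gw postfix/cleanup[19120]: 3rmDfY2gcSzB45: milter-reject: END-OF-MESSAGE '
    'from mx.example.net[192.0.2.11]: 5.7.1 Virus found or dangerous attachment: '
    '"Eicar-Test-Signature"; from=<test@example.net> to=<a@example.org>\n'
    'Fri Jul 15 16:42:46 2016 -> fd[10]: Heuristics.Phishing.Email.SpoofedDomain'
    '(0123456789abcdef0123456789abcdef:10951) FOUND\n'
)

# postfix/cleanup milter-reject line: capture the ClamAV detection name and the envelope sender
MILTER_RE = re.compile(r'milter-reject: .*?Virus found or dangerous attachment: "([^"]+)";.*?from=<([^>]*)>')
# clamd log line of the form "-> fd[N]: Name(md5:size) FOUND"
CLAMD_RE = re.compile(r'-> fd\[\d+\]: (\S+?)\(([0-9a-f]{32}):(\d+)\) FOUND')

def load_ign2(text):
    """One signature name per line; blank and '#' lines skipped (an assumption, not ign2 syntax)."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith('#')}

def parse_hits(log_text):
    """Return (source, detection_name, sender) tuples for milter-reject and clamd FOUND lines."""
    hits = []
    for line in log_text.splitlines():
        m = MILTER_RE.search(line)
        if m:
            hits.append(('milter', m.group(1), m.group(2)))
            continue
        m = CLAMD_RE.search(line)
        if m:
            hits.append(('clamd', m.group(1), None))
    return hits

def whitelisted_hits(hits, ign2):
    """Hits whose name is on the .ign2 list: evidence that the whitelist was not honoured."""
    return [h for h in hits if h[1] in ign2]

def summarize(hits):
    """Count hits per name, separating engine heuristics (Heuristics.*) from database signatures."""
    heur = ('Heuristics.', 'Phishing.Heuristics.')
    return Counter((n, 'heuristic' if n.startswith(heur) else 'signature') for _, n, _ in hits)
```

Run it against a real mail log and the .ign2 in use: every name that still shows up in `whitelisted_hits` is a detection the ign2 mechanism did not suppress, which is what to quote when reporting the behaviour.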