[clamav-users] Heuristics, only on or off?
Mark Pizzolato - Clamav-Win32
clamav-win32 at subscriptions.pizzolato.net
Wed Mar 24 00:36:15 UTC 2021
On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>
> > In log find (snipped)
>
> Full marks for reading your logs. :)
>
> > ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
> >
> > and
> >
> > ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
> >
> > I love the first one but loathe the second one.
>
> That's your prerogative, of course, but both are generic threat descriptions
> which are applied to a number of potential threats.
> I don't see why anyone would like one and dislike the other, but then I don't
> get sentimental about the descriptions of signatures.
>
> > Is there some secret sauce to allow discriminating between them?
>
> I don't think I understand the question.
>
> There are two distinct names for two different classes of threat.
> What exactly are you looking for that isn't provided by the names?
> Do you mean distinguishing between individual examples of the type of
> threat? Perhaps you should be looking at your log verbosity, or perhaps
> something which analyzes suspect data more thoroughly. Are these logs the
> result of scanning filesystems, scanning mail, or...?
Although these two (and possibly other Heuristics) are indeed reported
uniquely, in real cases, I get absolute false positives on the SpoofedDomain
for "legitimate" messages while I'd always want to stop the ContainsMacros
case. By "legitimate" here, I'm not saying that whatever heuristic is being
interpreted incorrectly, but merely that real email from legitimate senders
is being sent to users who expect to get that specific email.
Disabling all heuristics avoids all of these detections...
- Mark
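One way to get the discrimination the thread is asking for, without turning heuristics off wholesale, is to keep ClamAV's heuristics enabled and apply the block/log-only policy in the mail pipeline that consumes its verdicts. The script below is an added example, not code from the thread or from the ClamAV project: it parses the "infected by <name>" wording quoted above out of constructed sample log lines, keeps every non-heuristic match blocking, blocks the ContainsMacros heuristic, and downgrades the SpoofedDomain heuristic to log-only. The log line layout and the policy tables are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) that follow the
# "... infected by <detection name>" wording quoted in the thread.
SAMPLE_LOG = """\
Mar 23 16:58:01 mx milter[1234]: from <a@example.com> to <b@example.org> infected by Heuristics.Phishing.Email.SpoofedDomain
Mar 23 16:59:12 mx milter[1234]: from <c@example.net> to <b@example.org> infected by Heuristics.OLE2.ContainsMacros.VBA
Mar 23 17:00:45 mx milter[1234]: from <d@example.com> to <e@example.org> infected by Win.Test.EICAR_HDB-1
Mar 23 17:01:03 mx milter[1234]: from <f@example.com> to <b@example.org> infected by Heuristics.Phishing.Email.SpoofedDomain
Mar 23 17:02:30 mx milter[1234]: from <g@example.com> to <b@example.org> clean
"""

# ClamAV detection names are dot-separated tokens; heuristic verdicts share
# the "Heuristics." prefix, which is what lets us treat them differently.
DETECTION_RE = re.compile(r"infected by (?P<name>[A-Za-z0-9_.\-]+)")

# Assumed local policy (not ClamAV configuration): heuristics listed here are
# logged but not blocked; everything else that matches keeps blocking.
LOG_ONLY_NAMES = {"Heuristics.Phishing.Email.SpoofedDomain"}
ALWAYS_BLOCK_PREFIXES = ("Heuristics.OLE2.ContainsMacros",)


def detection_name(line):
    """Extract the ClamAV detection name from one log line, or None if clean."""
    m = DETECTION_RE.search(line)
    return m.group("name") if m else None


def is_heuristic(name):
    return name.startswith("Heuristics.")


def classify(name):
    """Map a detection name to 'block' or 'log-only' (None for a clean line).

    The default for an unknown heuristic is 'block' so that a typo in the
    policy tables fails closed rather than letting mail through.
    """
    if name is None:
        return None
    if not is_heuristic(name):
        return "block"          # ordinary signature hits are never downgraded
    if name.startswith(ALWAYS_BLOCK_PREFIXES):
        return "block"
    if name in LOG_ONLY_NAMES:
        return "log-only"
    return "block"


def triage(log_text):
    """Summarise a log as {detection name: (action, count)}."""
    counts = Counter()
    for line in log_text.splitlines():
        name = detection_name(line)
        if name is not None:
            counts[name] += 1
    return {name: (classify(name), n) for name, n in counts.items()}


def ign2_lines():
    """Lines for a ClamAV .ign2 file: one signature name per line to skip.

    This is the engine-side alternative to the policy layer above; dropping
    such a file into the database directory makes ClamAV ignore those names.
    """
    return sorted(LOG_ONLY_NAMES)


if __name__ == "__main__":
    for name, (action, n) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{action:8} {n:3}  {name}")
    print("\n# local.ign2\n" + "\n".join(ign2_lines()))
```

The policy layer keeps both heuristics switched on in ClamAV itself, so the macro case is still stopped while the SpoofedDomain verdicts only show up in the log. If the mail filter in use cannot act on the detection name, the `ign2_lines()` output written to a `.ign2` file in ClamAV's database directory achieves the same effect inside the engine, at the cost of losing the log entry entirely.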