[clamav-users] ClamAV is not respecting Phishing* settings.

G.W. Haywood clamav at jubileegroup.co.uk
Thu Sep 23 08:28:58 UTC 2021


Hi there,

On Thu, 23 Sep 2021, Jim Popovitch via clamav-users wrote:
> On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <jesler at cisco.com> wrote:
>> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users at lists.clamav.net> wrote:
>>>
>>> ClamAV is not respecting Phishing* settings.
>>>
>>> clamd.conf:
>>>   ...
>>>   PhishingSignatures false
>>>   PhishingScanURLs false
>>>
>>>
>>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message infected with Email.Phishing.VOF1-6326576-0; from=<Kristina.Sjostrom at walleniusmarine.com> to=<domain at domainmail.net> proto=ESMTP helo=<walleniusmarine.com>
>>>
>>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo at dhl.com> to=<domain at domainmail.net> proto=ESMTP helo=<bizcloud-server.squaregroup.com>
>>
>> I am sure someone will respond about your particular issue, but are
>> you saying they are false positives?
>
> I'm saying I don't want ClamAV to do anything other than scan for
> viruses. I have followed the ClamAV documentation and yet ClamAV is
> doing something it is configured not to do.  What other things is
> ClamAV doing then?

You misunderstand what ClamAV does.  In its assorted databases there
are millions of signatures from multiple parties.  A signature has a
name and a pattern.  ClamAV is incapable of understanding the names,
and if a party decides to call a signature "Some.Phishing.Signature",
then if the pattern in the signature matches, that's what ClamAV will
tell you was "FOUND".  But it does not know anything about the name,
and it does not filter its output based on the name.  There are many,
many signatures which are not strictly speaking "viruses".  Short of
removing them from the database yourself, you have no way to prevent
them from being used.

In addition to the database signatures there are 'heuristics' coded in
the ClamAV libraries.  See for example libclamav/phishcheck.c (or grep
all the files in the libclamav directory for 'Heuristics').  This kind
of detection does not use signatures, but looks for things in the data
which are considered suspicious.  Examples include: HTTP anchors where
the display text in the anchor is very different from the link itself;
the text displayed is https and the anchor is not; hostnames differ;
embedded numeric IP addresses.  This kind of thing can be difficult to
detect using signatures, which is why there is a chunk of code called
phishcheck.c, and it's things in this code which are disabled by your
configuration options - not signatures named in any particular way.

Why do you not want ClamAV to alert you to (what appear to me to be)
obvious scam emails?  Is it because some are false positives?

-- 

73,
Ged.
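
The heuristic checks described above (display text naming one host while the link goes to another, https shown but not linked, a bare numeric IP in the link), as an added illustration that is not ClamAV's phishcheck.c and not part of the original thread; the anchor-extraction regexes and the SAMPLE_HTML fragment are constructed here, and a real scanner would parse the HTML properly rather than with a regex.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed HTML fragment (not from the original thread) with one anchor per
# heuristic: numeric IP plus host mismatch, https shown but http linked, and a
# plain "Click here" anchor that no heuristic should flag.
SAMPLE_HTML = """<p>Please review your account:</p>
<a href="http://203.0.113.7/login">http://example.com/login</a>
<a href="http://example.net/account">https://example.net/account</a>
<a href="https://example.org/">Click here</a>"""

# Good enough for the constructed sample; a real scanner parses HTML properly.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def _host(url):
    """Hostname of a URL, tolerating a missing scheme; '' if none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_heuristics(html):
    """Return [(reason, href)] for every anchor that trips a heuristic."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop nested tags
        href_host = _host(href)
        if _is_ip(href_host):  # embedded numeric IP address
            hits.append(("numeric-ip", href))
        shown = URL_RE.search(text)
        if not shown:  # display text is not a URL, nothing to compare
            continue
        shown = shown.group(0)
        if shown.lower().startswith("https://") and not href.lower().startswith("https://"):
            hits.append(("ssl-mismatch", href))  # https shown, link is not
        if _host(shown) != href_host:  # displayed host differs from link host
            hits.append(("host-mismatch", href))
    return hits

if __name__ == "__main__":
    for reason, href in phishing_heuristics(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

None of these checks consult a signature name; they fire on the structure of the anchor itself, which is why turning them off is a configuration matter while a signature named Email.Phishing.* is simply a database entry.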
