[clamav-users] ClamAV is not respecting Phishing* settings.
Jim Popovitch
jimpop at domainmail.org
Thu Sep 23 11:51:36 UTC 2021
On Thu, 2021-09-23 at 07:36 -0400, Maarten Broekman via clamav-users
wrote:
> To further Ged's point, these signatures that are hitting are extended
> logical signatures. Phishing signatures have a very specific format
> that are either solely looking at hostnames, host prefixes, link
> destinations and alternate text, and displayed hostnames
> (https://docs.clamav.net/manual/Signatures/PhishSigs.html). When you
> are turning off PhishingSignatures and PhishingScanURLs, those are the
> signatures you are disabling. The two signatures that you've
> highlighted are detecting executables inside of containers (Zip or MS
> documents).
>
> You can see what the signatures are looking for using sigtool:
> > sigtool --find-sigs Email.Phishing.VOF1-6326576-0 | awk '{ print $2
> > }' | sigtool --decode-sigs
> >
> > sigtool --find-sigs Email.Phishing.VOF1-6295631-2 | awk '{ print $2
> > }' | sigtool --decode-sigs
>
>
> In the first case, it's looking for a PK header at the beginning of a
> mail 'container' (message, attachment, etc) and then 2 or 3 capital
> letters, a non-word character or underscore, and then 5 to 7 numbers
> followed by the extension .exe.
>
> In the second, it's looking for a PK or MZ header in a mail container
> and then a word boundary (non word character or end of file), followed
> by either FedEx, DHL, USPS, or UPS, then zero to 100 characters and
> then a .exe extension.
>
> Since these are signatures detecting executables in mail, I personally
> think the 'Phishing' is inaccurate and would probably have used a
> different category, but Phishing is what they are called and that is
> likely the source of the confusion.
>
> I hope this helps...
> --Maarten
>
> Signature details:
> VIRUS NAME: Email.Phishing.VOF1-6326576-0
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 1
> * SUBSIG ID 0
> +-> OFFSET: 0
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> PK
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +-> TRIGGER: 0
> +-> REGEX: [A-Z]{2,3}[\W_][0-9]{5,7}\.exe
> +-> CFLAGS: (null)
>
> VIRUS NAME: Email.Phishing.VOF1-6295631-2
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 2
> * SUBSIG ID 0
> +-> OFFSET: 0
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> PK
> * SUBSIG ID 1
> +-> OFFSET: 0
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> MZ
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +-> TRIGGER: 0|1
> +-> REGEX: \b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)
> +-> CFLAGS: (null)
>
Maarten, Thank you very much! What you have provided helps me
understand this better. I agree with the Sig name being a bit confusing.
:)
I humbly withdraw my claim that ClamAV is not respecting my settings.
Thanks Ged, Maarten
-Jim P. (K4VQC)
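Added here as a worked illustration of how the two decoded signatures above combine their subsignatures (this is constructed example code, not the thread's own or ClamAV's matcher): a fixed-byte subsig must sit at its OFFSET, a REGEX subsig is only tried once one of its TRIGGER subsigs has hit, and the LOGICAL EXPRESSION names the subsig whose match fires the whole signature. The sample containers are constructed; the header bytes merely stand in for a real ZIP or PE, and regex semantics are simplified to Python's `re`.

```python
import re

# Model of the two decoded signatures quoted in the thread (constructed from
# the sigtool output, not ClamAV's own matcher). "bytes" subsigs are checked
# at their offset; "regex" subsigs run only after a trigger subsig matched;
# "logical" is the subsig id whose match makes the signature fire.
SIGNATURES = {
    "Email.Phishing.VOF1-6326576-0": {
        "logical": 1,
        "subsigs": [
            {"id": 0, "offset": 0, "bytes": b"PK"},
            {"id": 1, "trigger": (0,), "regex": rb"[A-Z]{2,3}[\W_][0-9]{5,7}\.exe"},
        ],
    },
    "Email.Phishing.VOF1-6295631-2": {
        "logical": 2,
        "subsigs": [
            {"id": 0, "offset": 0, "bytes": b"PK"},
            {"id": 1, "offset": 0, "bytes": b"MZ"},
            {"id": 2, "trigger": (0, 1),
             "regex": rb"\b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)"},
        ],
    },
}

def evaluate(sig, data):
    """True when the subsig named by the logical expression matched."""
    matched = set()
    for sub in sig["subsigs"]:
        if "bytes" in sub:
            start = sub["offset"]
            if data[start:start + len(sub["bytes"])] == sub["bytes"]:
                matched.add(sub["id"])
        elif any(t in matched for t in sub["trigger"]):
            if re.search(sub["regex"], data):
                matched.add(sub["id"])
    return sig["logical"] in matched

def scan(data):
    """Names of the modelled signatures that fire on one mail container."""
    return sorted(n for n, s in SIGNATURES.items() if evaluate(s, data))

# Constructed sample containers; leading bytes stand in for a ZIP / PE header.
SAMPLES = {
    "zip_numbered": b"PK\x03\x04\x14\x00ABC_1234567.exe",         # first sig only
    "zip_courier": b"PK\x03\x04\x14\x00DHL_1234567.exe",          # both sigs
    "exe_courier": b"MZ\x90\x00\x03\x00FedEx_notice.exe",          # second sig only
    "plain_text": b"Re: your DHL shipment ABC_1234567.exe",        # no header: neither
    "url_only": b'<a href="http://login.example.test/">Bank</a>',  # neither
}
```

Running `scan()` over the samples shows that `plain_text` and `url_only` stay clean: the regexes never run without a PK or MZ header, and a bare link is the territory of the Phishing* URL checks, not of these container signatures.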