[clamav-users] excluding a URL from "heueristics" scanning
joe a
joea-lists at j4computers.com
Thu Aug 11 23:10:39 UTC 2022
On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 11 Aug 2022, joe a wrote:
>
>> I do not understand why, when entering more than one URL, the first
>> line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be
>> able to match when entered "in plain text", while subsequent lines
>> seem to want actual "regex" notation (escaped "."), with only the
>> domains entered.
>>
>> At least that is what it seems to take to "run clean" when re-scanned in
>> debug mode.
>>
>> To add to the above, I found a few recent emails containing the URLs
>> in the first entry, mentioned above, that were flagged. Those emails
>> passed without notice when scanned as above. I removed that first
>> entry, scanned again and the emails were flagged. I then entered those
>> URLs again, as the first line, this time in regex notation ("."
>> escaped, no "http or https"), scanned again, and it was not flagged.
>
> Post your .wdb file here?
>
In the "old days" I would not hesitate, but in the current age, I do,
simply because it is essentially "public".
Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
Or posted to some less public place?