[clamav-users] excluding a URL from "heuristics" scanning

joe a joea-lists at j4computers.com
Fri Aug 12 01:43:14 UTC 2022


On 8/11/2022 7:10 PM, joe a wrote:
> On 8/11/2022 6:34 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Thu, 11 Aug 2022, joe a wrote:
>>
>>> I do not understand why, when entering more than one URL, the first 
>>> line in my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to 
>>> be able to match when entered "in plain text", while subsequent lines 
>>> seem to want actual "regex" notation (escaped "."), with only the 
>>> domains entered.
>>>
>>> At least that is what it seems takes to "run clean" when re-scanned 
>>> in debug mode.
>>>
>>> To add to the above, I found a few recent emails containing the URLs 
>>> in the first entry, mentioned above, that were flagged.  Those emails 
>>> passed without notice when scanned as above.  I removed that first 
>>> entry, scanned again and the emails were flagged.  I then entered 
>>> those URLs again, as the first line, this time in regex notation 
>>> ("." escaped, no "http or https"), scanned again, and it was not 
>>> flagged.
>>
>> Post your .wdb file here?
>>
> 
> In the "old days" I would not hesitate, but in the current age, I do, 
> simply because it is essentially "public".
> 
> Would somewhat obfuscated be OK? Sent "off list" to volunteer victims?
> Or posted to some less public place?
> 
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat

Having taken the (rhetorical) purple pill . . . and written, and thought 
better of, several rambling and vacuous screeds . . . I post the contents 
of an obfuscated "/my/install/location/gud-uns.wdb".  Please hold the 
cheers and applause, I won't hear them anyway.

X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work for scanning with clamd or clamscan (in debug 
mode).

X:http://data99.bingo.com:http://bingobank.com
X:go\.sumcc:sumccexpanded\.com
X:m\.sumcc:cdaas\.sumccexpanded\.com
X:go\.sumcc:cdaas\.sumccexpanded\.com

The above appears to work when scanning with clamscan, but formatting the 
last three lines like the first line fails to pass those three.

In any case, I am OK with it working when formatted as in the first 
example, but the oddity of the second cited example, an outgrowth of my 
first foray into this, kind of stumped me.

Is it known behavior? An anomaly of my formatting?  A bug?
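As an added check, not ClamAV code and not from this thread: a small Python linter for .wdb lines that flags the two things the second example above changes relative to the first. An unescaped "." in a regular expression matches any character, not just a dot, so "data99.bingo.com" is broader than "data99\.bingo\.com"; and a scheme prefix carries "://", whose colon lands in a line whose fields are themselves separated by ":", so the fields can no longer be split unambiguously. The checker assumes the line shape the ClamAV signature documentation gives for .wdb, X:RealURL:DisplayedURL with an optional trailing FuncLevelSpec (M: entries in the same positions), with both URL fields as regular expressions, and uses Python's re module as a stand-in for ClamAV's own matcher. The sample lines are constructed from the two forms in this message plus two assumed entries. It does not settle how clamd itself splits a line with the extra colons, which is the question the post asks.

```python
"""Checker for ClamAV .wdb (URL whitelist) lines.

Added example, not ClamAV code. Assumed line shape, from the ClamAV
signature docs: X:RealURL:DisplayedURL[:FuncLevelSpec] (M: entries take
hostnames in the same positions), with both URL fields regular expressions.
Python's re module stands in for ClamAV's own regex engine.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the first form from the message, the scheme-prefixed
# variant from the second form, one with unescaped dots, and an M: entry
# with a FuncLevelSpec (the last two are assumptions, not from the thread).
SAMPLE_WDB = r"""
X:l\.data99\.bingo\.com:bingobank\.com
X:go\.sumcc:sumccexpanded\.com
X:http://data99.bingo.com:http://bingobank.com
X:data99.bingo.com:bingobank.com
M:go\.sumcc:cdaas\.sumccexpanded\.com:17-255
"""

# A '.' that is not preceded by a backslash: a regex wildcard, not a dot.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")
# Assumed FuncLevelSpec shape: "N" or "N-M" (functionality level range).
FUNC_LEVEL = re.compile(r"^\d+(-\d+)?$")


@dataclass
class WdbCheck:
    line: str
    kind: str = ""
    fields: list = field(default_factory=list)    # [real, displayed]
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.warnings


def check_wdb_line(line: str) -> WdbCheck:
    """Parse one .wdb line and collect the warnings a reviewer would want."""
    res = WdbCheck(line=line.strip())
    if not res.line or res.line.startswith("#"):
        return res                      # blank or comment: nothing to check
    parts = res.line.split(":")
    res.kind = parts[0]
    if res.kind not in ("X", "M"):
        res.warnings.append(f"unknown entry type {res.kind!r}, expected X or M")
        return res
    body = parts[1:]
    if len(body) < 2:
        res.warnings.append("fewer than two URL fields after the type")
        return res
    # Real:Displayed or Real:Displayed:FuncLevelSpec is at most three fields;
    # more than that means a ':' inside a URL (the one in "http://") collided
    # with the field separator, so the fields cannot be recovered unambiguously.
    if len(body) > 3:
        res.warnings.append(
            f"{len(body)} fields after the type: ':' inside a field "
            "(e.g. 'http://') is ambiguous with the field separator")
        return res
    if len(body) == 3 and not FUNC_LEVEL.match(body[2]):
        res.warnings.append(f"third field {body[2]!r} is not a FuncLevelSpec")
    res.fields = body[:2]
    for name, pat in zip(("real", "displayed"), res.fields):
        if UNESCAPED_DOT.search(pat):
            res.warnings.append(
                f"{name}: unescaped '.' matches any character, not just '.'")
        try:
            re.compile(pat)
        except re.error as exc:
            res.warnings.append(f"{name}: regex does not compile: {exc}")
    return res


def check_wdb(text: str) -> list:
    """Check every non-empty line of a .wdb file's contents."""
    return [check_wdb_line(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for r in check_wdb(SAMPLE_WDB):
        status = "ok  " if r.ok else "WARN"
        print(f"{status} {r.line}")
        for w in r.warnings:
            print(f"       - {w}")
```

Run it against the real file with `check_wdb(open("/var/lib/clamav/ImaOK2day.wdb").read())` before reloading clamd; a line that the checker reports as ambiguous is one whose real and displayed fields depend on which colon the loader treats as the separator, which is exactly the kind of entry that behaves differently between the two forms quoted above.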


