[clamav-users] allowlist/fixing false positive

Kris Deugau kdeugau at vianet.ca
Tue Mar 1 23:05:30 UTC 2022


Alex via clamav-users wrote:
> Hi,
> 
> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
> have a newsletter from ncua.gov that keeps getting blocked because it
> apparently contains links.gd in the body somewhere, although I can't
> find it.
> 
> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Putting aside all of the "why are you idiots sending mail that triggers 
this test in the first place" grumpiness at the senders, I'd recommend 
redesigning your mail flow so that this is only triggered in a Clam 
instance whose results are scored in SpamAssassin or some other layer 
where this particular test can be scored alongside other things.

I gave up chasing FPs on it when used as a hard pass/fail check.  Too 
many places that should really know better...  apparently don't.  :/ 
(Seriously, why are so many places using URL shorteners as the link 
targets in HTML mail?  It's not like the eleventy-gazillion characters 
of clicktracker are taking up visual space in the message...)

If you still want to press on, look up the ".wdb" signature file (seems 
to be available at 
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format 
now), and add lines similar to these:

X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com

I sometimes had to fiddle and guess and shorten and lengthen and swap 
the URI elements to get it to properly match and exclude the link from 
this test;  good luck.

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?
> 
> clamscan -v virus-20220228T143424-suCp6LTlKRG5
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> remove one of them

O_o  That's a new one on me.  I don't recall ever having spontaneously 
had both regenerate, and IIRC it's been a while since I've even seen the 
.cvd on live systems I maintain.  (At a quick look, all of them seem to 
just have the .cld files.)  Maybe remove the file, and run freshclam -D 
to see if that gives any more detail about what's going on?  Maybe 
remove the .cld and see what freshclam does?  Maybe remove *ALL* files 
in the ClamAV database directory path, and let freshclam download 
complete fresh copies of everything?

-kgd
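As an added illustration of the .wdb allowlist lines quoted above (this is not part of Kris's message or ClamAV's own code): a small Python model of how an X: regex entry and an M: hostname entry cover a (real, displayed) link pair, so candidate lines can be sanity-checked before they go into the signature directory. It assumes X: regexes are searched in the full URLs and M: hostnames are compared exactly; ClamAV's own URL normalisation and regex anchoring are not reproduced.

```python
import re
from urllib.parse import urlparse

# Constructed input: the two allowlist lines from the message above, in the
# documented .wdb layout X:RealURL:DisplayedURL / M:RealHostname:DisplayedHostname.
WDB_TEXT = r"""
X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com
"""


def parse_wdb(text):
    """Parse .wdb lines into (kind, real, displayed, source_line) tuples.

    Assumption: the real-URL regex of an X: line contains no unescaped ':'
    (the two entries above do not), so splitting on the first two colons
    is enough for this model.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, real, displayed = line.split(":", 2)
        if kind == "X":        # both halves are regular expressions
            entries.append(("X", re.compile(real), re.compile(displayed), line))
        elif kind == "M":      # both halves are literal hostnames
            entries.append(("M", real.lower(), displayed.lower(), line))
        else:
            raise ValueError(f"unknown .wdb entry type: {line!r}")
    return entries


def _host(url):
    return (urlparse(url).hostname or "").lower()


def allowlisted(entries, real_url, displayed_url):
    """Return the .wdb line covering this (real, displayed) link pair, or None.

    Model (assumption): X: regexes are searched in the full URLs; M: hostnames
    must equal the links' hostnames exactly. Verify the final lines with
    clamscan against the actual message, since ClamAV preprocesses URLs.
    """
    for kind, real, displayed, line in entries:
        if kind == "X":
            if real.search(real_url) and displayed.search(displayed_url):
                return line
        elif _host(real_url) == real and _host(displayed_url) == displayed:
            return line
    return None


if __name__ == "__main__":
    rules = parse_wdb(WDB_TEXT)
    # Constructed link pairs: a click-tracker that displays a bank hostname.
    print(allowlisted(rules, "http://click.info4.accountonline.com/t?id=1",
                      "http://image.info9.citibank.com/offer"))
    print(allowlisted(rules, "http://links.gd/abc", "https://www.ncua.gov/news"))
```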