[clamav-users] exception rule - help needed

clamav.mbourne at spamgourmet.com clamav.mbourne at spamgourmet.com
Thu Jan 5 14:20:23 UTC 2023


newcomer01 via clamav-users wrote:
> okay, now I found a permission issue.
> 
> Ubuntu sets clamav-daemon and clamav-freshclam automatically to 
> chmod 0644 (in /etc/init.d/) and this is completely wrong.
> 
> I have now set chmod 0755 on these files (must run as program) and now my 
> wdb file is read by clamscan, but it notified me that this database is 
> malformed.
> Now I have removed all new lines and comments, maybe this solves the 
> issue - don't know now.
> 
> Is there a detailed explanation available of how I have to format this .wbd 
> file?
> Unfortunately, I find the clamav.net docs are not detailed enough.

I don't know if this is what you've already found, but there's some 
documentation and examples at 
<https://docs.clamav.net/manual/Signatures/PhishSigs.html>.  It looks 
like it should be a .wdb file, not .wbd - probably just a typo in the 
few places you mention .wbd in emails, but worth checking that the 
actual files do have the correct extension.

I haven't done much with ClamAV myself, so can only really point to the 
documentation.  The first part is described as "real hostname", which 
seems to mean where the link actually leads, while the second part is 
"displayed hostname", i.e. what you see when reading the email.  From 
your examples, I suspect you have those the wrong way round, e.g.:
   M:facebook.com:mailing.sparkasse.de
Would be where you see the text "mailing.sparkasse.de" in the email but 
the link actually goes to "facebook.com".  I suspect it's actually the 
other way around, i.e. that you see "facebook.com" in the email but the 
link actually goes to "mailing.sparkasse.de" (probably then redirecting 
to "facebook.com" - but it's the target of the link in the email's HTML 
that matters).  So try:
   M:mailing.sparkasse.de:facebook.com

Also, the documentation refers to hostnames, so I think this should be 
without the http:// or https:// parts.  So instead of:
   M:https://twitter.com:mailing.sparkasse.de
try:
   M:mailing.sparkasse.de:twitter.com

As I mentioned earlier, I haven't had cause to actually try this myself, 
so I might be wrong - but probably worth trying in the absence of any 
more definitive advice.

> I create this wdb file in this way:
> 
> exec 3> /var/lib/clamav/daily.wdb
> echo 1>&3 "Some Line"
> echo 1>&3 "Some Line"
> echo 1>&3 "Some Line"
> exec 3>&-

I'm pretty sure "Some Line" repeated 3 times in the file won't do what 
you want.  How you determine the content to write is rather more important 
than exactly how you get those lines into the file ;o)

> 
> 
> Von / From: Clamav User Mailinglist <mailto:clamav-users at lists.clamav.net>
> An / To: Clamav User Mailinglist <mailto:clamav-users at lists.clamav.net>
> Gesendet / Sent: Mittwoch, Januar 04, 2023 um 16:48 (at 04:48 PM) +0100
> Betreff / Subject: [clamav-users] Fwd: exception rule - help needed
> no one can help me?
> 
> 
> Von / From: Clamav User Mailinglist <mailto:clamav-users at lists.clamav.net>
> An / To: Clamav User Mailinglist <mailto:clamav-users at lists.clamav.net>
> Gesendet / Sent: Dienstag, Januar 03, 2023 um 20:03 (at 08:03 PM) +0100
> Betreff / Subject: [clamav-users] exception rule - help needed
> Hi @ all and happy new year!
> 
> I need help to create an exception rule for my Bank e-mails.
> 
> Currently, I have a "whitelist.wbd" file in the lib folder of clamav, 
> but all of my rules seem not to work.
> Please help me to get the expected result; it is generally not an option 
> for me to disable these checks for all.
> 
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://www.facebook.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://twitter.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://www.instagram.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://www.youtube.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://play.google.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> # LibClamAV info: Suspicious link found!
>> # LibClamAV info:   Real URL:    https://apps.apple.com
>> # LibClamAV info:   Display URL: https://mailing.sparkasse.de
>> #
>> X:(http:\/\/|https:\/\/)(.+)(facebook|twitter|instagram|youtube|play\.google|apps\.apple)(.+):(http:\/\/|https:\/\/)(.+)(sparkasse|sls\-direkt)\.de([\/?].*)?:20- 
>>
>> M:facebook.com:mailing.sparkasse.de
>> M:https://twitter.com:mailing.sparkasse.de
>> M:instagram.com:mailing.sparkasse.de
>> M:youtube.com:mailing.sparkasse.de
>> M:play.google.com:mailing.sparkasse.de
>> M:apps.apple.com:mailing.sparkasse.de
> 
> kind regards,
> Marc
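
An added example, not part of the messages above and not ClamAV code: a small linter that checks M: entries against the line shape the reply describes (bare real hostname, then bare displayed hostname, optional FuncLevelSpec) and checks the file extension. The function names, the hostname pattern and the accepted FuncLevelSpec shapes are assumptions of this example, not ClamAV's own parser rules.

```python
import re

# Plain hostname: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
# Assumed FuncLevelSpec shapes: "20", "20-" (as in the thread's X: line), "20-30".
FUNCLEVEL = re.compile(r"^\d+(?:-\d*)?$")


def lint_m_line(line):
    """Return the problems found in one 'M:' entry; an empty list means none."""
    body = line.strip()
    if "://" in body:
        return ["URL scheme present; M: entries take bare hostnames"]
    fields = body.split(":")
    if len(fields) not in (3, 4):
        return [f"expected M:real:displayed[:funclevel], got {len(fields)} fields"]
    problems = []
    for role, host in (("real", fields[1]), ("displayed", fields[2])):
        if not HOSTNAME.match(host):
            problems.append(f"{role} hostname {host!r} is not a bare hostname")
    if len(fields) == 4 and not FUNCLEVEL.match(fields[3]):
        problems.append(f"unrecognised FuncLevelSpec {fields[3]!r}")
    return problems


def lint_wdb(filename, text):
    """Return (line_number, problem) pairs; line 0 refers to the file name."""
    findings = []
    if not filename.endswith(".wdb"):
        findings.append((0, "extension is not .wdb"))
    for number, line in enumerate(text.splitlines(), 1):
        if line.startswith("M:"):  # X: regex entries are passed over unchecked
            findings.extend((number, p) for p in lint_m_line(line))
    return findings


# Constructed sample built from entries quoted in the thread.
SAMPLE = """\
M:facebook.com:mailing.sparkasse.de
M:https://twitter.com:mailing.sparkasse.de
M:mailing.sparkasse.de:twitter.com
"""

if __name__ == "__main__":
    for number, problem in lint_wdb("whitelist.wbd", SAMPLE):
        print(f"line {number}: {problem}")
```

The linter only checks the shape of each entry; which hostname belongs in the real and which in the displayed position still has to be read from the "Suspicious link found!" log output.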


