To further Ged's point, these signatures that are hitting are extended logical signatures. Phishing signatures have a very specific format that are either solely looking at hostnames, host prefixes, link destinations and alternate text, and displayed hostnames (https://docs.clamav.net/manual/Signatures/PhishSigs.html). When you are turning off PhishingSignatures and PhishingScanURLs, those are the signatures you are disabling. The two signatures that you've highlighted are detecting executables inside of containers (Zip or MS documents).

You can see what the signatures are looking for using sigtool:
sigtool --find-sigs Email.Phishing.VOF1-6326576-0 | awk '{ print $2 }' | sigtool --decode-sigs

sigtool --find-sigs Email.Phishing.VOF1-6295631-2 | awk '{ print $2 }' | sigtool --decode-sigs

In the first case, it's looking for a PK header at the beginning of a mail 'container' (message, attachment, etc) and then 2 or 3 capital letters, a non-word character or underscore, and then 5 to 7 numbers followed by the extension .exe.

In the second, it's looking for a PK or MZ header in a mail container and then a word boundary (non word character or end of file), followed by either FedEx, DHL, USPS, or UPS, then zero to 100 characters and then a .exe extension.

Since these are signatures detecting executables in mail, I personally think the 'Phishing' is inaccurate and would probably have used a different category, but Phishing is what they are called and that it likely the source of the confusion.

I hope this helps...
--Maarten

Signature details:
VIRUS NAME: Email.Phishing.VOF1-6326576-0
TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
LOGICAL EXPRESSION: 1
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0
     +-> REGEX: [A-Z]{2,3}[\W_][0-9]{5,7}\.exe
     +-> CFLAGS: (null)

VIRUS NAME: Email.Phishing.VOF1-6295631-2
TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
LOGICAL EXPRESSION: 2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
PK
 * SUBSIG ID 1
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
MZ
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0|1
     +-> REGEX: \b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)
     +-> CFLAGS: (null)


On Thu, Sep 23, 2021 at 4:29 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi there,

On Thu, 23 Sep 2021, Jim Popovitch via clamav-users wrote:
> On September 23, 2021 3:29:02 AM UTC, "Joel Esler (jesler)" <jesler@cisco.com> wrote:
>> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users <clamav-users@lists.clamav.net> wrote:
>>>
>>> ClamAV is not respecting Phishing* settings.
>>>
>>> clamd.conf:
>>>   ...
>>>   PhishingSignatures false
>>>   PhishingScanURLs false
>>>
>>>
>>> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
>>> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
>>> infected with Email.Phishing.VOF1-6326576-0;
>>> from=<Kristina.Sjostrom@walleniusmarine.com> to=<domain@domainmail.net>
>>> proto=ESMTP helo=<walleniusmarine.com>
>>>
>>> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
>>> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
>>> infected with Email.Phishing.VOF1-6295631-2; from=<mary.teo@dhl.com>
>>> to=<domain@domainmail.net> proto=ESMTP helo=<bizcloud-
>>> server.squaregroup.com>
>>
>> I am sure someone will respond about your particular issue, but are
>> you saying they are false positives?
>
> I'm saying I don't want ClamAV to do anything other than scan for
> viruses,. I have followed the ClamAV documentation and yet ClamAV is
> doing something it is configured not to do.  What other things is
> ClamAV doing then?

You misunderstand what ClamAV does.  In its assorted databases there
are millions of signatures from multiple parties.  A signature has a
name and a pattern.  ClamAV is incapable of understanding the names,
and if a party decides to call a signature "Some.Phishing.Signature",
then if the pattern in the signature matches, that's what ClamAV will
tell you was "FOUND".  But it does not know anything about the name,
and it does not filter its output based on the name.  There are many,
many signatures which are not strictly speaking "viruses".  Short of
removing them from the database yourself, you have no way to prevent
them from being used.

In addition to the database signatures there are 'heuristics' coded in
the ClamAV libraries.  See for example libclamav/phishcheck.c (or grep
all the files in the libclamav directory for 'Heuristics').  This kind
of detection does not use signatures, but looks for things in the data
which are considered suspicious.  Examples include: HTTP anchors where
the display text in the anchor is very different from the link itself;
the text displayed is https and the anchor is not; hostnames differ;
embedded numeric IP addresses.  This kind of thing can be difficult to
detect using signatures, which is why there is a chunk of code called
phishcheck.c, and it's things in this code which are disabled by your
configuration options - not signatures named in any particular way.

Why do you not want ClamAV to alert you to (what appear to me to be)
obvious scam emails?  Is it because some are false positives?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml