Brent Gardner | 12 Dec 19:18 2012

Disabling ClamAV heuristic phishing checks

We were getting false positives caused by a heuristic anti-phishing 
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:HEALT030201212100700560763005840.AMEX.MYCA <at> welcome.aexp.com:user <at> example.com

In the last month, all but one hit on this signature were for legitimate 
messages coming from American Express.

Going off of info found here: 
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I 
disabled phishing URL checks in ClamAV by restarting clamd after putting 
this line in /etc/clamd.conf:

     PhishingScanURLs no

This also disables the following ClamAV checks, which we weren't getting 
any hits on:

     Heuristics.Phishing.Email
     Heuristics.Phishing.Email.Cloaked.Null
     Heuristics.Phishing.Email.Cloaked.NumericIP
     Heuristics.Phishing.Email.Cloaked.Username
     Heuristics.Phishing.Email.SpoofedDomain
     Heuristics.Phishing.Email.SSL-Spoof
     Heuristics.Phishing.URL.Blacklisted

fyi

Brent Gardner
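The judgement in the post ("all but one hit were legitimate") is the kind of thing worth checking against the log before a whole family of heuristics is switched off, and the same pass shows which of the checks on the list above would go silent without ever having fired. What follows is an added example, not code from the post, from ClamAV or from simscan: a Python script that parses simscan VIRUS records in the layout shown in the post, tallies hits per signature and per sender domain, and reports the impact of PhishingScanURLs no. The embedded log lines are constructed for the example (only the first mirrors the line quoted in the post), and the field order after VIRUS is inferred from that single line, so check it against your own simscan output.

```python
"""Tally ClamAV phishing-heuristic hits from simscan log lines.

Added example for the thread above; not code from the post, ClamAV or simscan.
Record layout assumed from the single line quoted in the thread:

  <date> <time> simscan:[<pid>]:VIRUS:<secs>s:<signature>:<ip>:<sender>:<recipient>
"""
import re
from collections import Counter, defaultdict

# The checks the post says "PhishingScanURLs no" switches off (list taken from the post).
PHISHING_URL_CHECKS = frozenset({
    "Heuristics.Phishing.Email",
    "Heuristics.Phishing.Email.Cloaked.Null",
    "Heuristics.Phishing.Email.Cloaked.NumericIP",
    "Heuristics.Phishing.Email.Cloaked.Username",
    "Heuristics.Phishing.Email.SpoofedDomain",
    "Heuristics.Phishing.Email.SSL-Spoof",
    "Heuristics.Phishing.URL.Blacklisted",
})

# Constructed sample log (not real traffic). Line 1 mirrors the line quoted in
# the thread (as the archive renders it); the rest are made up: another
# AmEx-style hit, a hit from an unrelated sender, a non-phishing detection,
# and a filler line the parser must skip.
SAMPLE_LOG = """\
2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:HEALT030201212100700560763005840.AMEX.MYCA <at> welcome.aexp.com:user <at> example.com
2012-12-11 14:02:11.000000000 simscan:[19001]:VIRUS:0.1102s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.70:HEALT030201212110700012345.AMEX.MYCA@welcome.aexp.com:user2@example.com
2012-12-12 08:45:09.000000000 simscan:[19550]:VIRUS:0.0931s:Heuristics.Phishing.Email.SpoofedDomain:203.0.113.9:billing@bank-verify.example:user@example.com
2012-12-12 09:10:33.000000000 simscan:[19602]:VIRUS:0.2010s:Eicar-Test-Signature:198.51.100.4:tester@example.org:user@example.com
2012-12-12 09:11:00.000000000 simscan:[19603]:this line is filler and is not a VIRUS record
"""

VIRUS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+) simscan:\[(?P<pid>\d+)\]:VIRUS:"
    r"(?P<secs>\d+(?:\.\d+)?)s:(?P<sig>[^:]+):(?P<ip>[^:]+):"
    r"(?P<sender>[^:]+):(?P<rcpt>[^:\s]+)\s*$"
)


def parse_virus_record(line):
    """Parse one simscan VIRUS line into a dict; return None for anything else."""
    # The mailing-list archive renders "@" as " <at> "; undo that so lines
    # pasted from the archive parse the same as lines from the real log.
    m = VIRUS_RE.match(line.replace(" <at> ", "@").strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
    return rec


def tally(log_text):
    """Map each signature to a Counter of hits per sender domain."""
    per_sig = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_virus_record(line)
        if rec is not None:
            per_sig[rec["sig"]][rec["sender_domain"]] += 1
    return dict(per_sig)


def dominant_sender(per_sig, signature):
    """(domain, hits, total) for the sender domain behind most hits on a signature."""
    hits = per_sig.get(signature)
    if not hits:
        return None
    domain, n = hits.most_common(1)[0]
    return domain, n, sum(hits.values())


def disable_impact(per_sig):
    """Split the PhishingScanURLs family into checks that fired and checks that did not."""
    fired = {s for s in PHISHING_URL_CHECKS if s in per_sig}
    return sorted(fired), sorted(PHISHING_URL_CHECKS - fired)


def report(log_text):
    """Print the per-signature / per-sender breakdown and return the tally."""
    per_sig = tally(log_text)
    for sig in sorted(per_sig):
        print(f"{sig}: {sum(per_sig[sig].values())} hit(s)")
        for domain, n in per_sig[sig].most_common():
            print(f"    {n:4d}  {domain}")
    fired, silent = disable_impact(per_sig)
    print("\nPhishingScanURLs no would silence checks that fired:",
          ", ".join(fired) or "none")
    print("and checks with no hits in this log:", ", ".join(silent) or "none")
    return per_sig


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it as-is for the sample breakdown, or call tally() on the text of your own simscan log. If one sender domain accounts for nearly every hit on one signature, the narrower fix is to leave PhishingScanURLs on and exempt that sender's URL pairs in a local ClamAV whitelist database (a .wdb file with X:RealURL:DisplayedURL entries), so the other six checks on the list keep running.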

Eric Shubert | 13 Dec 00:53 2012

Re: Disabling ClamAV heuristic phishing checks

On 12/12/2012 11:18 AM, Brent Gardner wrote:

Brent Gardner | 13 Dec 22:33 2012

Re: Re: Disabling ClamAV heuristic phishing checks

On 12/12/2012 04:53 PM, Eric Shubert wrote:
> On 12/12/2012 11:18 AM, Brent Gardner wrote:

Eric Shubert | 14 Dec 18:23 2012

Re: Disabling ClamAV heuristic phishing checks

On 12/13/2012 02:33 PM, Brent Gardner wrote:
> On 12/12/2012 04:53 PM, Eric Shubert wrote:
>> On 12/12/2012 11:18 AM, Brent Gardner wrote:

Brent Gardner | 14 Dec 19:19 2012

Re: Re: Disabling ClamAV heuristic phishing checks

On 12/14/2012 10:23 AM, Eric Shubert wrote:
> On 12/13/2012 02:33 PM, Brent Gardner wrote:
>> On 12/12/2012 04:53 PM, Eric Shubert wrote:
>>> On 12/12/2012 11:18 AM, Brent Gardner wrote:

Eric Shubert | 15 Dec 03:33 2012

Re: Disabling ClamAV heuristic phishing checks

On 12/14/2012 11:19 AM, Brent Gardner wrote:
> On 12/14/2012 10:23 AM, Eric Shubert wrote:
>> On 12/13/2012 02:33 PM, Brent Gardner wrote:
>>> On 12/12/2012 04:53 PM, Eric Shubert wrote:
>>>> On 12/12/2012 11:18 AM, Brent Gardner wrote:
