On Thu, 2021-09-23 at 07:36 -0400, Maarten Broekman via clamav-users wrote:

> To further Ged's point, these signatures that are hitting are extended
> logical signatures. Phishing signatures have a very specific format and
> are solely looking at hostnames, host prefixes, link destinations and
> alternate text, and displayed hostnames
> (https://docs.clamav.net/manual/Signatures/PhishSigs.html). When you
> are turning off PhishingSignatures and PhishingScanURLs, those are the
> signatures you are disabling. The two signatures that you've
> highlighted are detecting executables inside of containers (Zip or MS
> documents).
>
> You can see what the signatures are looking for using sigtool:
>
>     sigtool --find-sigs Email.Phishing.VOF1-6326576-0 | awk '{ print $2 }' | sigtool --decode-sigs
>
>     sigtool --find-sigs Email.Phishing.VOF1-6295631-2 | awk '{ print $2 }' | sigtool --decode-sigs
>
> In the first case, it's looking for a PK header at the beginning of a
> mail 'container' (message, attachment, etc.) and then 2 or 3 capital
> letters, a non-word character or underscore, and then 5 to 7 numbers
> followed by the extension .exe.
>
> In the second, it's looking for a PK or MZ header in a mail container
> and then a word boundary (non-word character or end of file), followed
> by either FedEx, DHL, USPS, or UPS, then zero to 100 characters and
> then a .exe extension.
>
> Since these are signatures detecting executables in mail, I personally
> think the 'Phishing' is inaccurate and would probably have used a
> different category, but Phishing is what they are called and that is
> likely the source of the confusion.
>
> I hope this helps...
>
> --Maarten
>
> Signature details:
>
> VIRUS NAME: Email.Phishing.VOF1-6326576-0
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 1
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> PK
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  +-> TRIGGER: 0
>  +-> REGEX: [A-Z]{2,3}[\W_][0-9]{5,7}\.exe
>  +-> CFLAGS: (null)
>
> VIRUS NAME: Email.Phishing.VOF1-6295631-2
> TDB: Engine:81-255,Container:CL_TYPE_MAIL,Target:0
> LOGICAL EXPRESSION: 2
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> PK
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> MZ
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  +-> TRIGGER: 0|1
>  +-> REGEX: \b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)
>  +-> CFLAGS: (null)
Maarten,

Thank you very much! What you have provided helps me understand this better. I agree with the Sig name being a bit confusing. :)

I humbly withdraw my claim that ClamAV is not respecting my settings.

Thanks Ged, Maarten

-Jim P. (K4VQC)

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
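The trigger-gated matching Maarten describes above (a fixed header subsignature at offset 0 that must hit before the regex subsignature is even evaluated), modelled in Python as an added example; this is not code from the thread or from ClamAV's engine, and the attachment bytes are constructed for the example.

```python
import re

# The two signatures decoded in the thread, reduced to the parts that matter:
# 2-byte header subsignatures anchored at offset 0, and one regex subsignature
# that is only evaluated after one of its TRIGGER subsignatures has matched.
# Simplified model written for this example, not ClamAV's matcher.
SIGNATURES = {
    "Email.Phishing.VOF1-6326576-0": {
        "headers": {0: b"PK"},                        # SUBSIG 0: zip (PK) at offset 0
        "regex": rb"[A-Z]{2,3}[\W_][0-9]{5,7}\.exe",  # SUBSIG 1, OFFSET: ANY
        "trigger": {0},                               # TRIGGER: 0
    },
    "Email.Phishing.VOF1-6295631-2": {
        "headers": {0: b"PK", 1: b"MZ"},              # SUBSIG 0: zip, SUBSIG 1: MZ
        "regex": rb"\b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)",  # SUBSIG 2
        "trigger": {0, 1},                            # TRIGGER: 0|1
    },
}


def evaluate(data: bytes) -> list:
    """Return the names of signatures whose logical expression is satisfied
    for one mail 'container' (an attachment body as bytes)."""
    hits = []
    for name, sig in SIGNATURES.items():
        # Header subsigs are fixed byte strings that must sit at offset 0.
        matched = {sid for sid, magic in sig["headers"].items() if data.startswith(magic)}
        # The regex subsig is gated: skip it unless a trigger subsig matched.
        if not (matched & sig["trigger"]):
            continue
        # CFLAGS is (null), so no DOTALL: '.' does not cross a newline.
        if re.search(sig["regex"], data):
            hits.append(name)
    return hits


# Constructed sample attachments for this example (not real malware).
SAMPLES = {
    "zip_with_dhl_exe": b"PK\x03\x04" + b"\x00" * 10 + b"DHL_1234567.exe",
    "pe_with_usps_js": b"MZ\x90\x00" + b"USPS_tracking.js",
    "pdf_mentioning_exe": b"%PDF-1.7 DHL_1234567.exe",  # no trigger header -> no hit
    "zip_with_pdf": b"PK\x03\x04 invoice_2021.pdf",      # header but no regex hit
}


def demo() -> dict:
    """Evaluate every sample and return {sample_name: [signature names]}."""
    return {label: evaluate(blob) for label, blob in SAMPLES.items()}


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:<20} -> {names or 'clean'}")
```

The PDF sample shows why a regex hit alone is not enough: without a PK or MZ header at offset 0 the regex subsignature is never run, which is the behaviour that makes these container signatures independent of the PhishingSignatures and PhishingScanURLs options.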