Hi,

> > How do I exclude this email from being tagged without having to bypass
> > the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
> >
> > X-Amavis-Alert: INFECTED, message contains virus:
> >   Heuristics.Phishing.Email.SpoofedDomain
>
> I think this can be enabled by disabling PhishingScanURLs in clamd.conf.
> I also think amavis has a way to handle this kind of clamav result
> differently, but that's a question for amavis, not for clamav.
I've located this amavisd entry I created many years ago and could
probably adapt it to bypass this rule, but I'm not sure that's what I want.

@virus_name_to_spam_score_maps = (new_RE(  # the order matters, first match wins
  [ qr'^Heuristics.OLE2.ContainsMacros' => 1.1 ],
));

I don't believe the NCUA is using these lnk.gd links maliciously, but
perhaps that's misguided thinking, and I hoped there was a way to bypass
the restriction for this sender or this email.

> > Also, I keep deleting the main.cvd database but it keeps replacing it.
> > How do I configure clamav so it only updates one of the main database
> > types?
> >
> > clamscan -v virus-20220228T143424-suCp6LTlKRG5
> > LibClamAV Warning: Detected duplicate databases
> > /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
> > remove one of them
>
> do you have both of them? which one is older?
> Don't you have an old clamav(-freshclam) installation hanging somewhere?

The cld version was dated Sept 19th (since manually deleted) and the cvd
version is dated Sept 22nd. I'll have to see if it returns. I have
freshclam in a cron script, as well as the clamav-unofficial-sigs script,
but I just ran each independently and neither created the cld version on
its own. Running freshclam manually shows:

# freshclam -v
Current working dir is /var/lib/clamav/
Loaded freshclam.dat:
  version: 1
  uuid: 3c2d69eb-43f9-4dc2-b65d-c765960e1b15
ClamAV update process started at Thu Mar 3 10:52:04 2022
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.103.5
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cld.
query_remote_database_version: daily.cvd version from DNS: 26470
daily.cld database is up-to-date (version: 26470, sigs: 1975302, f-level: 90, builder: raynman)
fc_update_database: daily.cld already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of main found: main.cvd.
query_remote_database_version: main.cvd version from DNS: 62
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
fc_update_database: main.cvd already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
query_remote_database_version: bytecode.cvd version from DNS: 333
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
fc_update_database: bytecode.cvd already up-to-date.

[root@armor cron.d]# ls -lh /var/lib/clamav/main*
-rw-r--r-- 1 clamupdate clamupdate 163M Sep 22 10:01 /var/lib/clamav/main.cvd
[root@armor cron.d]# ls -l /var/lib/clamav/daily*
-rw-r--r-- 1 clamupdate clamupdate 182230528 Mar 3 06:31 /var/lib/clamav/daily.cld

There's also a reference to the cld file in /etc/freshclam.conf:

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

btw, can I ask if people are still using the Google safebrowsing database
with the api key?

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
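The duplicate-database situation in the thread above (main.cvd sitting beside main.cld, with LibClamAV asking the operator to remove one manually, and the reply asking which one is older) can be checked before anything is deleted. The following POSIX sh functions are an added example, not code from the thread, from ClamAV or from amavisd; they assume a stat(1) from GNU coreutils or BSD and only report each .cvd/.cld pair with the older copy named first, leaving the removal to the operator.

```shell
#!/bin/sh
# Added example for the clamav-users thread above; not ClamAV or amavisd code.
# Reports ClamAV database directories that hold both the compressed (.cvd) and
# the uncompressed (.cld) copy of the same database, the condition behind
# "LibClamAV Warning: Detected duplicate databases". It only reports, so the
# operator still decides which file to remove, as the warning asks.
# Assumption: a POSIX sh and a stat(1) from GNU coreutils or BSD.

# mtime_of FILE: print the modification time of FILE in epoch seconds.
# GNU stat uses -c %Y; BSD/macOS stat uses -f %m. Try GNU first, then BSD.
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# find_duplicate_dbs DIR: for every NAME.cvd in DIR that has a matching
# NAME.cld, print one line of the form
#     NAME older=<path> newer=<path>
# so the older copy (the usual removal candidate) is easy to spot.
# Prints nothing when there are no pairs or DIR does not exist.
find_duplicate_dbs() {
    dir=$1
    for cvd in "$dir"/*.cvd; do
        [ -f "$cvd" ] || continue          # unmatched glob or not a regular file
        cld="${cvd%.cvd}.cld"
        [ -f "$cld" ] || continue          # only .cvd present: nothing to report
        name=$(basename "$cvd" .cvd)
        if [ "$(mtime_of "$cvd")" -lt "$(mtime_of "$cld")" ]; then
            printf '%s older=%s newer=%s\n' "$name" "$cvd" "$cld"
        else
            printf '%s older=%s newer=%s\n' "$name" "$cld" "$cvd"
        fi
    done
}

# count_duplicate_dbs DIR: number of duplicate pairs found in DIR (0 when clean).
count_duplicate_dbs() {
    find_duplicate_dbs "$1" | wc -l | tr -d ' '
}

# Example invocation against the directory from the thread:
#   find_duplicate_dbs /var/lib/clamav
```

Run against /var/lib/clamav this would have printed one line for main, naming the Sept 19th main.cld as the older file and the Sept 22nd main.cvd as the newer one; with the pair resolved it prints nothing and count_duplicate_dbs returns 0, which makes it usable as a quick post-freshclam check from the same cron job.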