newcomer01 via clamav-users wrote:
Okay, now I found a permission issue.
Ubuntu sets the clamav-daemon and clamav-freshclam automatically to
chmod 0644 (in /etc/init.d/) and this is completely wrong.
I have now set chmod 0755 on these files (must run as program) and now my
wdb file is read by clamscan, but it notified me that this database is
malformed.
Now I have removed all new lines and comments, maybe this solves the
issue - don't know now.
Is there a detailed explanation available of how I have to format this .wbd
file?
Unfortunately, I find the clamav.net docs are not detailed enough.

I don't know if this is what you've already found, but there's some
documentation and examples at
<https://docs.clamav.net/manual/Signatures/PhishSigs.html>. It looks
like it should be a .wdb file, not .wbd - probably just a typo in the
few places you mention .wbd in emails, but worth checking that the
actual files do have the correct extension.

I haven't done much with ClamAV myself, so can only really point to the
documentation. The first part is described as "real hostname", which
seems to mean where the link actually leads, while the second part is
"displayed hostname", i.e. what you see when reading the email. From
your examples, I suspect you have those the wrong way round, e.g.:

    M:facebook.com:mailing.sparkasse.de

Would be where you see the text "mailing.sparkasse.de" in the email but
the link actually goes to "facebook.com". I suspect it's actually the
other way around, i.e. that you see "facebook.com" in the email but the
link actually goes to "mailing.sparkasse.de" (probably then redirecting
to "facebook.com" - but it's the target of the link in the email's HTML
that matters). So try:

    M:mailing.sparkasse.de:facebook.com

Also, the documentation refers to hostnames, so I think this should be
without the http:// or https:// parts. So instead of:

    M:https://twitter.com:mailing.sparkasse.de

try:

    M:mailing.sparkasse.de:twitter.com

As I mentioned earlier, I haven't had cause to actually try this myself,
so I might be wrong - but probably worth trying in the absence of any
more definitive advice.

I create this wdb file in this way:

    exec 3> /var/lib/clamav/daily.wdb
    echo 1>&3 "Some Line"
    echo 1>&3 "Some Line"
    echo 1>&3 "Some Line"
    exec 3>&-

I'm pretty sure "Some Line" repeated 3 times in the file won't do what
you want. How you determine the content to write is rather more important
than exactly how you get those lines into the file ;o)

From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
Sent: Wednesday, January 04, 2023 at 16:48 (04:48 PM) +0100
Subject: [clamav-users] Fwd: exception rule - help needed

No one can help me?

From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
Sent: Tuesday, January 03, 2023 at 20:03 (08:03 PM) +0100
Subject: [clamav-users] exception rule - help needed

Hi @ all and happy new year!
I need help to create an exception rule for my bank e-mails.
Currently, I have a "whitelist.wbd" file in the lib folder of clamav,
but all of my rules seem not to work.
Please help me to get the expected result, and it is generally not an
option for me to disable these checks for all.

# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://www.facebook.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://twitter.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://www.instagram.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://www.youtube.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://play.google.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
# LibClamAV info: Suspicious link found!
# LibClamAV info: Real URL: https://apps.apple.com
# LibClamAV info: Display URL: https://mailing.sparkasse.de
#
X:(http:\/\/|https:\/\/)(.+)(facebook|twitter|instagram|youtube|play\.google|apps\.apple)(.+):(http:\/\/|https:\/\/)(.+)(sparkasse|sls\-direkt)\.de([\/?].*)?:20-
M:facebook.com:mailing.sparkasse.de
M:https://twitter.com:mailing.sparkasse.de
M:instagram.com:mailing.sparkasse.de
M:youtube.com:mailing.sparkasse.de
M:play.google.com:mailing.sparkasse.de
M:apps.apple.com:mailing.sparkasse.de
kind regards,
Marc
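
Added example (not part of the thread and not ClamAV's own tooling): a small Python helper that reads "Suspicious link found!" output like the lines quoted above and emits M: lines with bare hostnames, in the order the reply cites from the documentation (real hostname first, displayed hostname second). It takes the Real/Display labels from the log as they are; the function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the "Suspicious link found!" output in the thread.
SAMPLE_LOG = """\
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://www.facebook.com
LibClamAV info:   Display URL: https://mailing.sparkasse.de
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://twitter.com/some/path
LibClamAV info:   Display URL: https://mailing.sparkasse.de
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://www.facebook.com
LibClamAV info:   Display URL: https://mailing.sparkasse.de
"""

URL_LINE = re.compile(r"\b(Real|Display) URL:\s*(\S+)")
# Letters, digits, '-' and '.' only: a ':' would collide with the field separator.
HOSTNAME = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+")


def hostname(url):
    """Return the bare hostname of a URL: no scheme, port, path or query."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat a scheme-less value as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not HOSTNAME.fullmatch(host):
        raise ValueError(f"not a usable hostname: {url!r}")
    return host


def wdb_entries(log_text):
    """Turn Real/Display URL pairs into de-duplicated M: lines."""
    entries, real = [], None
    for line in log_text.splitlines():
        match = URL_LINE.search(line)
        if not match:
            continue
        kind, url = match.groups()
        if kind == "Real":
            real = hostname(url)
        elif real is not None:
            entry = f"M:{real}:{hostname(url)}"  # real host first, displayed second
            if entry not in entries:
                entries.append(entry)
            real = None
    return entries


if __name__ == "__main__":
    print("\n".join(wdb_entries(SAMPLE_LOG)))
```

Review the generated lines before writing them to the .wdb file, since every entry exempts that host pair from the phishing check.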