[clamav-users] Understanding 'Heuristics.Phishing.Email.SpoofedDomain' debug output

2020-11-11 Thread Mickey Williams via clamav-users
Hi,
 I'm trying and failing to understand the debug output for a positive phishing 
check result coming from a legitimate email from a bank.

If I do a scan with the debug flag I get the following -

LibClamAV debug: Looking up in regex_list: www.hsbc.co.uk/
LibClamAV debug: calc_pos_with_skip: skip:16, 8 - 22 
"https://www.hsbc.co.uk","www.hsbc.co.uk/";
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 8 - 22 
"https://www.hsbc.co.uk","www.hsbc.co.uk/";
LibClamAV debug: calc_pos_with_skip:hsbc.co.uk
LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different


I understand what the Heuristics.Phishing.Email.SpoofedDomain is checking for 
and understand that most "false positives" aren't actually false positives when 
someone sends an HTML email with a HREF link target differing from a URL entered 
as the link text.

But with the above debug output I can't understand what it is trying to tell 
me. I don't see a 'false' URL being compared against.

If I look through the HTML email message for 'hsbc' I also don't see any HTML 
that uses a URL as the visible text.

Does anyone know what these two lines mean?

LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk

Regards
Mickey Williams

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Understanding 'Heuristics.Phishing.Email.SpoofedDomain' debug output

2020-11-11 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 11 Nov 2020, Mickey Williams via clamav-users wrote:


I'm trying and failing to understand the debug output ...


You're not alone.  Perhaps this extract from .../libclamav/regex_list.c
will shed some light.  The last paragraph is particularly amusing. :/

...
reverse_string(bufrev);
// TODO Add this back in once we improve the regex parsing code that finds
// suffixes to add to the filter.
//
// Reviewing Coverity bug reports we found that the return value to this
// filter_search call was effectively being ignored, causing no filtering
// to occur. Fixing this issue resulted in a unit test that uses the
// following match list regex to fail when searching for `ebay.com`.:
//
// .+\\.paypal\\.(com|de|fr|it)([/?].*)?:.+\\.ebay\\.(at|be|ca|ch|co\\.uk|de|es|fr|ie|in|it|nl|ph|pl|com(\\.(au|cn|hk|my|sg))?)/
//
// After investigating further, this is because the regex_list_add_pattern
// call, which parses the regex for suffixes and attempts to add these to
// the filter, can't handle the `com(\\.(au|cn|hk|my|sg))?` portion of
// the regex. As a result, it only adds `ebay.at`, `ebay.be`, `ebay.ca`, up
// through `ebay.pl` into the filter). With the commented out code below
// uncommented, these suffixes not existing in the filter are treated as
// there not being a corresponding regex for ebay.com, causing no regex
// rules to be evaluated against the URL.
//
// We should get the regex parsing code working (and ensure it handles any
// other complex cases in daily.cdb) before re-enabling this code. The code
// has had no effect for 12+ years at this point, though, so it's probably
// safe to wait a bit longer without it.
//
//filter_search_rc = filter_search(&matcher->filter, (const unsigned char *)bufrev, buffer_len);
//if (filter_search_rc == -1) {
//    free(buffer);
//    free(bufrev);
//    /* filter says this suffix doesn't match.
//     * The filter has false positives, but no false
//     * negatives */
//    return CL_SUCCESS;
//}
...

Incidentally, your debug message claims "calc_pos_with_skip:" but the
function which emits it is actually called "get_char_at_pos_with_skip",
so I guess that at some point it's been renamed a little carelessly.

--

73,
Ged.

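To make the extract above concrete, here is a small model of that prefilter, added as an illustration and not ClamAV's own code: it reverses the URL the way reverse_string(bufrev) does so that a domain suffix becomes a string prefix (the same reversal that shows up as "/ku.oc.cbsh" in the debug output), and it shows why re-enabling the commented-out filter_search check with the incomplete suffix list the comment describes would make ebay.com never reach the regex at all. The suffix lists, the sample URLs and the FULL_SUFFIXES expansion are constructed for the example; the regex is the ebay half of the pattern quoted in the comment.

```python
import re

# Added example, not code from libclamav: a model of the reversed-suffix prefilter that
# regex_list.c keeps commented out, and of the failure mode its comment describes.
# Suffix lists and URLs below are constructed for the example.

# Right-hand (ebay) half of the match-list regex quoted in the comment.
EBAY_REGEX = re.compile(
    r".+\.ebay\.(at|be|ca|ch|co\.uk|de|es|fr|ie|in|it|nl|ph|pl|com(\.(au|cn|hk|my|sg))?)/"
)

# Suffixes the comment says the current parser extracts: it stops at the
# `com(\.(au|cn|hk|my|sg))?` group, so nothing for ebay.com gets into the filter.
PARSED_SUFFIXES = [
    "ebay.at/", "ebay.be/", "ebay.ca/", "ebay.ch/", "ebay.co.uk/", "ebay.de/", "ebay.es/",
    "ebay.fr/", "ebay.ie/", "ebay.in/", "ebay.it/", "ebay.nl/", "ebay.ph/", "ebay.pl/",
]
# What a parser that expands the optional group would add (assumed, not in the source).
FULL_SUFFIXES = PARSED_SUFFIXES + [
    "ebay.com/", "ebay.com.au/", "ebay.com.cn/", "ebay.com.hk/", "ebay.com.my/", "ebay.com.sg/",
]


def reverse_string(s: str) -> str:
    """Counterpart of reverse_string(bufrev): the filter works on reversed text, so a
    domain suffix turns into a prefix ("hsbc.co.uk/" becomes "/ku.oc.cbsh")."""
    return s[::-1]

def matching_reversed_suffix(suffixes, url: str):
    """Return the reversed suffix that is a prefix of the reversed URL, or None."""
    rev = reverse_string(url)
    for suffix in suffixes:
        if rev.startswith(reverse_string(suffix)):
            return reverse_string(suffix)
    return None

def filter_search(suffixes, url: str) -> int:
    """Model of filter_search(): -1 means 'no suffix known for this URL', which the
    commented-out code turns into an early CL_SUCCESS (the regex is never evaluated)."""
    return -1 if matching_reversed_suffix(suffixes, url) is None else 0

def regex_list_match(url: str, suffixes, use_filter: bool) -> bool:
    """Lookup as it behaves today (use_filter=False) and as it would behave with the
    commented-out prefilter re-enabled (use_filter=True)."""
    if use_filter and filter_search(suffixes, url) == -1:
        return False  # filter claims no regex applies, so the regex is skipped
    return EBAY_REGEX.fullmatch(url) is not None
```

With PARSED_SUFFIXES and the filter enabled, http://www.ebay.com/ is rejected by the filter even though the regex would match it, which is the false negative the comment is worried about.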


[clamav-users] Fwd: MacOS ClamAV Configuration Errors

2020-11-11 Thread Wayne Ho via clamav-users
Hi,

I am currently a ClamXav user looking to switch over to the CLI scanner.  I
have been following the installation guide
https://www.clamav.net/documents/installation-on-macos-mac-os-x, but I am
getting the following configuration error:

Waynes-Mac:clamav-0.103.0 wayne$ ./configure
--with-openssl=/usr/local/Cellar/openssl@1.1/1.1.1h
 --with-zlib=/usr/local/Cellar/zlib/1.2.11/ --with-libjson=yes
--enable-check > ~/desktop/clamav-config.err
clang: error: unsupported option '-print-multi-os-directory'
clang: error: no input files
rm: conftest.so.dSYM: is a directory
configure: error:

ERROR!  Check was configured, but not found.  Get it from
http://check.sf.net/

Note that only stderr is displayed for brevity. I am still relatively new
to CLI tools, so any assistance would be appreciated.

Thanks,

Wayne



Re: [clamav-users] Fwd: MacOS ClamAV Configuration Errors

2020-11-11 Thread eric-list
Wayne,

Since it looks like you are using homebrew, why not just install that:

eric@Erics-Mac-Pro ~ % brew info clamav
clamav: stable 0.103.0 (bottled), HEAD
Anti-virus software
https://www.clamav.net/
/usr/local/Cellar/clamav/0.103.0 (62 files, 448.2MB) *
  Poured from bottle on 2020-09-16 at 07:25:03

The error, however, is just a quirk of Clang on macOS, so can be disregarded.
It should build fine without the flag.



Re: [clamav-users] Fwd: MacOS ClamAV Configuration Errors

2020-11-11 Thread eric-list
Sorry, just noticed the last line.  If you want to use check, you'll need to
install it.

#brew install check

After that, it should build fine...
