clamav-users August 2007 archive

Re: [Clamav-users] Possible problem with Phishing.Heuristics.Email.SpoofedDomain daily sigs 4054

From: John W. Baxter <jwblist3_at_nospam>
Date: Mon Aug 27 2007 - 21:59:21 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Problem seems not to be a ClamAV problem, but ours. Sorry for the noise.

On 8/24/07 2:12 PM, "John W. Baxter" <jwblist3@olympus.net> wrote:

> Daily sigs: 4054; main 44. ClamAv 0.91.2-1
>
> Installed on CentOS-4.5 from Dag's packages. Freshly updated via the
> packages from the ancient 0.90-2 (also Dag's).
>
> Called via pyclamav (rebuilt to matching libclamav) in our own code.

Before this escalates further, I need to say: "Oops".

I'm pretty sure our problem lies with us, in particular with our use of pyclamav. pyclamav calls

    ret = cl_scanfile(file_to_scan, &virname, &size, root, &limits, CL_SCAN_STDOPT);

I haven't looked yet, but I'm guessing that that CL_SCAN_STDOPT (as of some recent ClamAV version) turns on the Phishing URL heuristic detection code.

I'm pretty sure our solution will be to switch to pyclamd instead, whereupon the daemon's careful attention to our clamd.conf settings will correct our problem. (Yes, we could hack pyclamav to pass different flags, but that seems not to be the right approach.)

Unless I totally do not understand, this is ***not*** a ClamAV problem, but rather our failure to follow the pyclamav project's rather strong suggestion to switch to pyclamd.

Noel, your
> Setting "PhishingScanURLs no" definitely works on my FreeBSD
> system. Note if you are using clamscan you need to use the
> "--no-phishing-scan-urls" command line option.

caused me to read the pyclamav source code and see the call above.

  --John
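
Added example (not part of the original post, and not pyclamd's own code): a small Python client that hands a file to a running clamd over its local socket, so the scan uses the options in clamd.conf (such as PhishingScanURLs) instead of flags compiled into the calling program. The socket path and the names `scan_file` and `parse_reply` are assumptions made for this sketch.

```python
import socket

# Assumption: matches the LocalSocket setting in your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"


def parse_reply(reply, path):
    """Turn a clamd SCAN reply into (status, detail).

    clamd answers '<path>: OK', '<path>: <signature> FOUND'
    or '<path>: <message> ERROR'.
    """
    line = reply.rstrip("\r\n\0")
    prefix = path + ": "
    if not line.startswith(prefix):
        raise ValueError("unexpected clamd reply: %r" % reply)
    result = line[len(prefix):]
    if result == "OK":
        return ("OK", None)
    for status in ("FOUND", "ERROR"):
        if result.endswith(" " + status):
            return (status, result[: -len(status) - 1])
    raise ValueError("unexpected clamd reply: %r" % reply)


def scan_file(path, sock=None):
    """Ask clamd to scan one file; the daemon applies clamd.conf itself."""
    if "\n" in path or "\0" in path:
        # The command is newline-terminated; refuse paths that would break framing.
        raise ValueError("path contains a command delimiter")
    own_socket = sock is None
    if own_socket:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(CLAMD_SOCKET)
    try:
        sock.sendall(("SCAN %s\n" % path).encode("utf-8"))
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    finally:
        if own_socket:
            sock.close()
    return parse_reply(reply.decode("utf-8", "replace"), path)
```

clamd opens the file itself, so the path must be readable by the user the daemon runs as.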


