ClamAV false positives due to ASL.MalwareBlacklist

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

ClamAV false positives due to ASL.MalwareBlacklist

Unread post by prupert »

We're seeing legit messages getting blocked by ClamAV because of a hit on ASL.MalwareBlacklist.

Using the ASL.MalwareBlacklist rules, ClamAV will block messages matching a regexp on the message body containing a URI with an IP address or domain from the ASL.MalwareBlacklist database. Because of that, the LogWatch notifications (which often contain references to security events found in log files) often don't get past qmail-scanner.

In a way, this could be seen as 'normal behaviour' (for all ClamAV knows, this message is in fact abusive in the sense that it contains a link to a malware site). However, is there anything we can do to make sure LogWatch messages do get delivered?
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by faris »

Now there's a chicken and egg situation if ever I saw one!

I can't think of a way to resolve this without removing very useful data from the emails. In fact without that data the emails are not really much use.

But hopefully people with bigger brains than mine will be able to come up with a solution.

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by mikeshinn »

Send us an example of a logwatch message with a malware URL in it via the support portal and we'll see if we can write an exclusion into the clamav rules to allow it.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by prupert »

This is what ClamAV detects (looked up in the quarantine folder):


tail <quarantinedmessagefile>

###################### LogWatch End ######################### 
*** Qmail-Scanner Quarantine Envelope Details Begin ***
X-Qmail-Scanner-Mail-From: "root@<hostname>" via <hostname>
X-Qmail-Scanner-Rcpt-To: "<lemonbit-rcpt>"
X-Qmail-Scanner: 2.08st (clamdscan: 0.96.1/11438. spamassassin: 3.2.5. perlscan: 2.08st.  virus Found. Processed in 0.128099 secs) process 20641 
Quarantine-Description: ASL.MalwareBlacklist.217.218.225.2.UNOFFICIAL
*** Qmail-Scanner Quarantine Envelope Details End ***
A grep for this blacklisted IP address returns one line from the body of this message. Note: I have replaced the dots with dollar signs in the IP address below to avoid getting blocked by a possible mod_sec rule trigger on this forum.


# grep 217.218.225.2 <quarantinedmessagefile>

GET /index.php?m=http://217$218$225$2:2082/index.html? HTTP/1.1 with response code(s) 403 2 responses
Lemonbit Internet Dedicated Server Management
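To make the trade-off in this thread concrete, here is an added example (my own code, not ASL's rules or anything ClamAV ships) that emulates the body-URI blacklist match against the quarantined message above and applies an assumed content-aware exclusion: the hit is ignored only when the message carries the LogWatch footer and every blacklisted URI sits inside a quoted request line rather than as a bare link. The URI regexp, the log-line shape and the sample messages are constructed assumptions.

```python
import re

# Constructed blacklist: the single IP the thread's quarantine header names.
BLACKLIST = {"217.218.225.2"}

# URI whose host is an IPv4 address (assumed shape; the real ASL rule text
# is not on the page).
URI_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\S*")
# A LogWatch httpd line: "GET <uri> HTTP/1.1 with response code(s) ..."
LOGLINE_RE = re.compile(r"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01] with response code\(s\)")
LOGWATCH_END = re.compile(r"^#+ LogWatch End #+\s*$", re.M)


def blacklisted_hits(body):
    """Return (line, ip) for every line containing a URI with a blacklisted host."""
    hits = []
    for line in body.splitlines():
        for m in URI_RE.finditer(line):
            if m.group(1) in BLACKLIST:
                hits.append((line.strip(), m.group(1)))
    return hits


def is_logwatch_report(body, hits):
    """Assumed exclusion: LogWatch footer present and every blacklisted URI
    appears only inside a quoted request line, never as a bare clickable link."""
    if not LOGWATCH_END.search(body):
        return False
    return all(LOGLINE_RE.match(line) for line, _ in hits)


def classify(body):
    """'quarantine' on a blacklist hit unless the exclusion applies, else 'deliver'."""
    hits = blacklisted_hits(body)
    if hits and not is_logwatch_report(body, hits):
        return "quarantine"
    return "deliver"


# Constructed samples modelled on the thread's quarantined message.
LOGWATCH_MSG = """\
--------------------- httpd Begin ------------------------
Requests with error response codes
GET /index.php?m=http://217.218.225.2:2082/index.html? HTTP/1.1 with response code(s) 403 2 responses
###################### LogWatch End #########################
"""
PHISH_MSG = "Please verify your account: http://217.218.225.2:2082/index.html\n"
```

By contrast, ClamAV's own per-signature whitelist (a `.ign2` file in the database directory listing signature names such as the one in the Quarantine-Description header) would silence that IP's detection for every message, which is exactly the chicken-and-egg problem Faris points out.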
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by mikeshinn »

Thank you Faris. Can you zip up the actual full quarantine message, put a password on it and email it to support@atomicorp.com? Writing an exception will require the full message so we can develop an exception based on what's *not* bad so we can ignore that type of message in the future.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by faris »

Wasn't me -- was prupert.

But I'm sure he knew that and will do as you ask.

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ClamAV false positives due to ASL.MalwareBlacklist

Unread post by mikeshinn »

Doh, yes my mistake. Sorry Faris!