We're seeing legit messages getting blocked by ClamAV because of a hit on ASL.MalwareBlacklist.
Using the ASL.MalwareBlacklist rules, ClamAV will block messages matching a regexp on the message body containing a URI with an IP address or domain from the ASL.MalwareBlacklist database. Because of that, the LogWatch notifications (which often contain references to security events found in log files) often don't get past qmail-scanner.
In a way, this could be seen as 'normal behaviour' (for all ClamAV knows, this message is in fact abusive in the sense that it contains a link to a malware site). However, is there anything we can do to make sure LogWatch messages do get delivered?
ClamAV false positives due to ASL.MalwareBlacklist
Lemonbit Internet Dedicated Server Management
Re: ClamAV false positives due to ASL.MalwareBlacklist
Now there's a chicken and egg situation if ever I saw one!
I can't think of a way to resolve this without removing very useful data from the emails. In fact without that data the emails are not really much use.
But hopefully people with bigger brains than mine will be able to come up with a solution.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ClamAV false positives due to ASL.MalwareBlacklist
Send us an example of a logwatch message with a malware URL in it via the support portal and we'll see if we can write an exclusion into the clamav rules to allow it.
Michael Shinn
Atomicorp - Security For Everyone
Re: ClamAV false positives due to ASL.MalwareBlacklist
This is what ClamAV detects (looked up in the quarantine folder):
A grep for this blacklisted IP address returns one line from the body of this message. Note: I have replaced the dots with dollar signs in the IP address below to avoid getting blocked by a possible mod_sec rule trigger on this forum.
Code:
tail <quarantinedmessagefile>
###################### LogWatch End #########################
*** Qmail-Scanner Quarantine Envelope Details Begin ***
X-Qmail-Scanner-Mail-From: "root@<hostname>" via <hostname>
X-Qmail-Scanner-Rcpt-To: "<lemonbit-rcpt>"
X-Qmail-Scanner: 2.08st (clamdscan: 0.96.1/11438. spamassassin: 3.2.5. perlscan: 2.08st. virus Found. Processed in 0.128099 secs) process 20641
Quarantine-Description: ASL.MalwareBlacklist.217.218.225.2.UNOFFICIAL
*** Qmail-Scanner Quarantine Envelope Details End ***
Code:
# grep 217.218.225.2 <quarantinedmessagefile>
GET /index.php?m=http://217$218$225$2:2082/index.html? HTTP/1.1 with response code(s) 403 2 responses
Lemonbit Internet Dedicated Server Management
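A small triage helper for this kind of quarantine hit, added here as an example and not code from the thread or from Atomicorp: it splits a qmail-scanner quarantined message into body and envelope trailer, derives the blacklisted indicator from the ASL.MalwareBlacklist signature name, finds the body lines that reference it, and notes whether the message carries the LogWatch footer, which is the information a support request for an exclusion needs. The sample message is constructed from the fields quoted above; the hostname and recipient are placeholders, and the IP is written with real dots rather than the dollar signs used in the post.

```python
import re

# Constructed sample modelled on the quarantined message quoted in the thread
# (hostname and recipient are placeholders, not real data).
SAMPLE = """Subject: LogWatch for host.example
GET /index.php?m=http://217.218.225.2:2082/index.html? HTTP/1.1 with response code(s) 403 2 responses
###################### LogWatch End #########################
*** Qmail-Scanner Quarantine Envelope Details Begin ***
X-Qmail-Scanner-Mail-From: "root@host.example" via host.example
X-Qmail-Scanner-Rcpt-To: "admin@example.invalid"
X-Qmail-Scanner: 2.08st (clamdscan: 0.96.1/11438. spamassassin: 3.2.5. perlscan: 2.08st. virus Found. Processed in 0.128099 secs) process 20641
Quarantine-Description: ASL.MalwareBlacklist.217.218.225.2.UNOFFICIAL
*** Qmail-Scanner Quarantine Envelope Details End ***
"""

ENVELOPE_BEGIN = "*** Qmail-Scanner Quarantine Envelope Details Begin ***"
ENVELOPE_END = "*** Qmail-Scanner Quarantine Envelope Details End ***"
# Signature names in the thread look like ASL.MalwareBlacklist.<indicator>.UNOFFICIAL
SIG_RE = re.compile(r"^ASL\.MalwareBlacklist\.(?P<ind>.+?)(?:\.UNOFFICIAL)?$")

def triage(message: str) -> dict:
    """Split body from envelope, extract the signature and locate the body hit."""
    body, _, rest = message.partition(ENVELOPE_BEGIN)
    envelope, _, _ = rest.partition(ENVELOPE_END)
    fields = {}
    for line in envelope.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    sig = fields.get("Quarantine-Description", "")
    m = SIG_RE.match(sig)
    indicator = m.group("ind") if m else None
    hits = []
    if indicator:
        # Whole-token match with literal dots, so 217.218.225.2 does not also
        # match 217.218.225.20 or 1217.218.225.2.
        pat = re.compile(r"(?<![\w.])" + re.escape(indicator) + r"(?![\w.])")
        hits = [ln for ln in body.splitlines() if pat.search(ln)]
    return {
        "signature": sig,
        "indicator": indicator,
        "sender": fields.get("X-Qmail-Scanner-Mail-From"),
        "recipient": fields.get("X-Qmail-Scanner-Rcpt-To"),
        "looks_like_logwatch": "LogWatch End" in body,
        "hits": hits,
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```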
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ClamAV false positives due to ASL.MalwareBlacklist
Thank you Faris. Can you zip up the actual full quarantine message, put a password on it and email it to support@atomicorp.com? Writing an exception will require the full message so we can develop an exception based on what's *not* bad so we can ignore that type of message in the future.
Michael Shinn
Atomicorp - Security For Everyone
Re: ClamAV false positives due to ASL.MalwareBlacklist
Wasn't me -- was prupert.
But I'm sure he knew that and will do as you ask.
Faris.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ClamAV false positives due to ASL.MalwareBlacklist
Doh, yes my mistake. Sorry Faris!
Michael Shinn
Atomicorp - Security For Everyone