Phishing found after ClamWin 0.95.1 update
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi all,

An upgrade from ClamWin 0.94.1 to 0.95.1 (after complete uninstall of 0.94.1) produced four problem files in my Thunderbird e-mail folders. I checked the files against Jotti and VirusTotal, and only ClamAV found positives in both cases. Further, VirusTotal's ClamAV 0.94.1 only identified one of the suspect files as phishing whereas Jotti's ClamAV (I do not know the version) identified all as phishing. I know that ClamAV is a unix application but I do not know that there is not some correlation in the version numbers.

I sent all of my information except the files themselves (all contained sensitive information) to Luca at ClamAV because the problem seemed to arise from the upgrade to 0.95.1, a version stated to reduce false positives.

I reviewed this forum and found that I can filter out the suspect pathways from further scan in ClamWin/tools/preferences/filters/Exclude Matching Filenames, and I tried to apply the method in this way: <C>, but files in subfolders in that pathway still turned up in a subsequent scan. I next tried <C> (no period before *) with the same results.

How am I misapplying this technique and is there a better way to get ClamWin to ignore the identified phishing files?

Is there a problem with ClamWin 0.95.1 that will shortly produce an update?

Thanks in advance for any help or direction, Mike
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
I've never used ClamWin on email, but as I understand it, the ClamWin exclusions do not work on scans of individual files. This may come into play in your situation.

Clam's version .95 (and ClamWin's port of it of course) has some additional detection functionality that makes it more sensitive than prior versions--especially in detecting virus families. They did not get enough beta testers for version .95 and have already done a version .95.1 cleanup. Also, they have lots of files to check each signature against for false positives before it is released; however, they need more Windows files. Clam's user base is still basically composed of Linux email servers, and they do a good job of supporting that base. That base isn't very concerned with Windows/Office files. Unfortunately, ClamWin is dependent upon Clam.

Regards,
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi GuitarBob,

Thanks for your response.

I understand the need for files to analyze, but the files in question are under confidentiality restraints, and I do not believe the open source investigators are ready to help shoulder my confidentiality burdens.

I am not talking about scanning individual files, but ordering a scan on the entire hard drive and controlling whether ClamWin looks down certain pathways. I would like to get the e-mail paths that lead to the identified files excluded so there isn't so much to sort through when my daily searches take place and so I don't continually get e-mails for the same files which may be false positives.

How do I properly use the <C> filter in ClamWin/tools/preferences/filters/Exclude Matching Filenames (my exact syntax was filtered out before posting, I do not know why)?

Is there a better way to control ClamWin in my instance?

Is ClamAV 0.95.1 now more sensitive to phishing e-mails than the forty-odd vendors used on Jotti and VirusTotal? (In other words, do I have a real problem?)
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
I don't think Clam is any more sensitive to phishing signatures now. Many phishers take great pains to make their phishing emails look ordinary. They are also getting better at spelling, so now and then you can get a sig that is the same as a "good" email.

As I said, I can't help much with using ClamWin for email. As for syntax, here's how I exclude the quarantine folder from my scans as an example:

C:\Documents and Settings\All Users\.clamwin\quarantine\*

Regards.
Anthony of Queens


Joined: 07 May 2009
Posts: 0
Location: USA
Greetings All,

I too, since upgrading to ClamWin 0.95.1, am having the exact same symptoms, namely various phishing and other spoofed errors in Mozilla email.

Like Mike(99) I tried the various filters to no avail. I found no configuration parameters that would selectively not scan the mozilla email folder locations.

This is my first post as a new member. Thank you for your support and hope. Anthony
Problem persists
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi all,

I tried Guitar Bob's wildcard exclusion, and I tried copying the path as reported in ClamWin into the exclusion window inside <>, both to no avail.

It appears that I don't understand how to use the file exclusion box, or that it doesn't work. I don't have a next step at this point. Any additional help would be appreciated.

Mike
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
Did you try this simple exclusion: filename.ext (example word.exe)? If that doesn't work, then perhaps a developer can help.

Regards,
Anthony of Queens


Joined: 07 May 2009
Posts: 0
Location: USA
Thank you for the updates.

I too confirmed I have added and am using Exclude filters: *.msf and *.sbd. However, my mail folder "Business.sbd" continues to be scanned and found to contain culpable phishing and spoofed domain emails. This looks like it could be a very good and clean solution for avoiding these file types and therefore errors.

Also, adding the following line to ClamWin's "Additional clamscan parameters:" to the best of my knowledge continues to scan those folders and find said culpable emails:

C:\Documents and Settings\Anthony\Application Data\Mozilla\Profiles\default\60b8z2y8.slt\Mail\pop.1and1.com\*

An example of a FOUND file follows:

"C:\Documents and Settings\Anthony\Application Data\Mozilla\Profiles\default\60b8z2y8.slt\Mail\pop.1and1.com\Business.sbd\Banking.sbd\HSBC & EmigrantDirect: Phishing.Heuristics.Email.SpoofedDomain FOUND"

I will check in a week to ensure the above C: scan finds these extra email viruses.

Like other ClamWin users, my email folders appeared virus free before the 0.95.1 upgrade.

Thank you in advance for your continued support of our helpful support forum. Anthony
Anthony of Queens


Joined: 07 May 2009
Posts: 0
Location: USA
Greetings all,

This last week's C:, D: and F: drive scans with the aforementioned exclusions and filters continue to produce said viruses.

I will monitor this discussion in hopes of upgrades and/or fixes.

All the best, Anthony
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi all,

Absent any idea why my syntax was ineffective in stopping ClamWin from scanning specific files or folders, I decided to try an exhaustive list of combinations in the hopes of stumbling over syntax that works. Below is a list of what I have tried so far on one phishing suspect:

ClamWin exclusion attempts ClamWin/Tools/Preferences/Filters/Exclude Matching Filenames:


Tried first:
<C>

For excluding:
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\76qci9qb.default\Mail\Local Folders\Susquehanna Bank

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried Second:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried third:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried fourth:
<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried fifth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried sixth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried seventh:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email.

Tried eighth:

<C>

ClamWin did not exclude the folder from the search nor did it identify the offending email. Absent any way to identify the offending files, parse out the files in progressively smaller folder sets until the offending file is identified.

I will post the results of this effort when I isolate the offending files. On the outside chance that the offending files are not confidential or contain secure information, who can I send them to for analysis?

Mike
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Sorry about the posting, I forgot that my pathways would be removed by the moderator. In short, no amount of *.sbd, *, *., .*, *.*, *.default, etc worked in a <drive> scenario.

Mike
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi all,

I created subfolders for the suspect folders, and sorted the emails from the suspect folders into the appropriate subfolders. Three of the original folders were now empty, except for the subfolders. ClamWin still reported a phishing suspect in these folders, which might be reasonable because ostensibly the infected email was still in a lower part of the hierarchy, but in one case none of the subfolders was likewise indicated.

If ClamWin isn't misreporting where it finds the suspected files, then I think ClamWin is having trouble with Thunderbird's structure, not its contents. In either case it is tough for an outsider to work around this ClamWin issue.

It would be nice if there was some way to get ClamWin to report the entire path and final filename of the suspect email in Thunderbird.
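The request above, to learn which message inside a Thunderbird folder a detection refers to, can be served with a small triage script. The example below is added here and is not code from the thread, from ClamWin or from ClamAV. It rests on two facts about Thunderbird's storage: each mail folder is an mbox-format file without an extension (the `.sbd` directory beside it holds only the subfolders), and each message carries an `X-Mozilla-Status` header whose 0x0008 bit marks a message the user has deleted but that physically stays in the file until "Compact Folders" is run. The script reads such a file, lists every message with that flag, and writes each message to its own `.eml` file so that a scanner run over that directory (for instance `clamscan -r`) names one message rather than the whole folder. The sample folder `Banking`, its three messages and all addresses are constructed for the example.

```python
import mailbox
import os
import tempfile

# Constructed sample of a Thunderbird folder file ("Banking", no extension).
# The second message has X-Mozilla-Status 0008: deleted in the mail client,
# still present on disk because the folder has not been compacted.
SAMPLE_MBOX = """From - Mon May 04 10:00:00 2009
X-Mozilla-Status: 0001
From: alerts@example.com
Subject: Statement ready
Date: Mon, 04 May 2009 10:00:00 -0400

Your statement is ready.

From - Mon May 04 11:00:00 2009
X-Mozilla-Status: 0008
From: security@example.net
Subject: Verify your account
Date: Mon, 04 May 2009 11:00:00 -0400

Please confirm your details.

From - Mon May 04 12:00:00 2009
X-Mozilla-Status: 0001
From: friend@example.org
Subject: Lunch
Date: Mon, 04 May 2009 12:00:00 -0400

See you at noon.
"""

# Thunderbird's "Expunged" flag: the message is deleted but not yet compacted away.
EXPUNGED = 0x0008


def write_sample(directory):
    """Write the constructed folder file and return its path."""
    path = os.path.join(directory, "Banking")
    with open(path, "w", newline="\n") as handle:
        handle.write(SAMPLE_MBOX)
    return path


def list_messages(path):
    """Return one dict per message: index, sender, subject, expunged flag."""
    rows = []
    box = mailbox.mbox(path, create=False)
    try:
        for idx, msg in enumerate(box):
            status = int(msg.get("X-Mozilla-Status", "0000"), 16)
            rows.append({
                "index": idx,
                "from": msg.get("From", ""),
                "subject": msg.get("Subject", ""),
                "expunged": bool(status & EXPUNGED),
            })
    finally:
        box.close()
    return rows


def split_mbox(path, outdir):
    """Write every message as NNNN.eml so a per-file scan names the exact message."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    box = mailbox.mbox(path, create=False)
    try:
        for idx, msg in enumerate(box):
            out = os.path.join(outdir, "%04d.eml" % idx)
            with open(out, "wb") as handle:
                handle.write(msg.as_bytes())
            written.append(out)
    finally:
        box.close()
    return written


def demo():
    """Run the triage on the constructed folder and return (rows, eml_files)."""
    workdir = tempfile.mkdtemp(prefix="tb_triage_")
    folder = write_sample(workdir)
    rows = list_messages(folder)
    files = split_mbox(folder, os.path.join(workdir, "split"))
    return rows, files


if __name__ == "__main__":
    rows, files = demo()
    for row in rows:
        flag = " (deleted, awaiting compaction)" if row["expunged"] else ""
        print("%04d  %-22s  %s%s" % (row["index"], row["from"], row["subject"], flag))
    print("Wrote %d .eml files; scan that directory to get a per-message verdict." % len(files))
```

Point `list_messages` and `split_mbox` at a real folder file (the one without an extension next to the `.sbd` directory) instead of the constructed sample. A folder that looks empty in the client but still yields a detection is the case the expunged flag is meant to surface: the flagged message is still in the file and compacting the folder removes it.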
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Guitar Bob,

You suggested in an earlier post that a developer could be of help here. I wrote to Luca with no response. How do we get a developer involved?

Mike
GuitarBob


Joined: 09 Jul 2006
Posts: 8
Location: USA
The ClamWin developers look at these posts in the ClamWin forum as they get a chance and make note of important changes/improvements needed in ClamWin. I mentioned this so they might notice the problem. The free time they can devote to ClamWin is limited, however, so changes/improvements take some time, and they cannot address everything. Changes/improvements are usually made when Clam AV comes out with an upgrade, and they are incorporated with the Clam Linux port over to the Windows version of Clamwin.

Regards,
workaround
mikee99


Joined: 30 Apr 2009
Posts: 0
Location: WV
Hi all,

This post is mostly for Anthony of Queens: I never found a way to make exclusions work, so I sorted the emails into continually smaller groups until I only had a dozen or so in a group, then either deleted or saved the group as pds, depending on the importance of the content. Some of the folders continued to produce phishing positives even though they were empty, so I created a new folder with a slightly different name, transferred the contents, and then deleted the offending folder.

This will probably be my last post on this issue unless someone else pipes in to help.

Thanks, Mike