Robert Allerstorfer | 2 Oct 09:25 2008

Removal of clamscan's "--no-phishing-restrictedscan" option

Hi,

clamscan 0.94 is the first version after 0.9 where the
"--no-phishing-restrictedscan" option is no longer mentioned in the
output of 'clamscan -h'. However, that option has in fact been removed
earlier - at least in the 0.93.x versions that option just did nothing
when specified.

So now, there are only the options "--phishing-ssl" and
"--phishing-cloak" remaining if someone wants a higher detection rate
of *possible* phishings. However, using them did not make any
difference in my tests as without them. Edwin's mbox test file from
https://wwws.clamav.net/bugzilla/attachment.cgi?id=141
will always be detected as Phishing.Heuristics.Email.SpoofedDomain, no
matter which options are set or not.

Could someone please give any sample that demonstrates the
--phishing-* options?

Thanks,
rob.

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Török Edwin | 2 Oct 21:16 2008

Re: Removal of clamscan's "--no-phishing-restrictedscan" option

On 2008-10-02 10:25, Robert Allerstorfer wrote:
> Hi,
>
> clamscan 0.94 is the first version after 0.9 where the
> "--no-phishing-restrictedscan" option is no longer mentioned in the
> output of 'clamscan -h'. However, that option has in fact been removed
> earlier - at least in the 0.93.x versions that option just did nothing
> when specified.
>
> So now, there are only the options "--phishing-ssl" and
> "--phishing-cloak" remaining if someone wants a higher detection rate
> of *possible* phishings. However, using them did not make any
> difference in my tests as without them. Edwin's mbox test file from
> https://wwws.clamav.net/bugzilla/attachment.cgi?id=141
> will always be detected as Phishing.Heuristics.Email.SpoofedDomain, no
> matter which options are set or not.
>
> Could someone please give any sample that demonstrates the
> --phishing-* options?
>   

Indeed, --phishing-ssl and --phishing-cloak should work even if the host
is not in the .pdb and display the proper name.

I fixed this in SVN r4220, and will be part of 0.94.1 (bug #1211).

You can have a look at these files, and scan it with a .pdb containing a
'H:example.com' line:


Robert Allerstorfer | 4 Oct 20:38 2008

Re: Removal of clamscan's "--no-phishing-restrictedscan" option

On Thu, 02 Oct 2008, 22:16 GMT+03 Török Edwin wrote:

> Indeed, --phishing-ssl and --phishing-cloak should work even if the host
> is not in the .pdb and
> display the proper name.

> I fixed this in SVN r4220, and will be part of 0.94.1 (bug #1211).

> You can have a look at these files, and scan it with a .pdb containing a
> 'H:example.com' line:

> http://svn.clamav.net/svn/clamav-devel/trunk/unit_tests/input/phish-test-clean
> http://svn.clamav.net/svn/clamav-devel/trunk/unit_tests/input/phish-test-cloak
> http://svn.clamav.net/svn/clamav-devel/trunk/unit_tests/input/phish-test-ssl

> I've added these to the unit test too (check_clamscan.sh).

Thanks a lot for the quick fix. I can confirm that the latest SVN
version now works fine (in contrast to 0.94 and 0.93*):

[root@anet ~]# clamscan --phishing-cloak --phishing-ssl /root/clamav-devel-r4225/unit_tests/input/phish-test-*
/root/clamav-devel-r4225/unit_tests/input/phish-test-clean: OK
/root/clamav-devel-r4225/unit_tests/input/phish-test-cloak: OK
/root/clamav-devel-r4225/unit_tests/input/phish-test-ssl: OK

----------- SCAN SUMMARY -----------
Known viruses: 436556
Engine version: 0.94
Scanned directories: 0
Scanned files: 3

Nigel Horne | 10 Oct 11:20 2008

Announcing ClamAV 0.94.1 RC1

Folks,

We are pleased to announce the availability of the first release candidate
for ClamAV 0.94.1. 0.94.1RC1 is scheduled for release on Wednesday (15/10/08).

There will be one new feature in this release. This feature will
allow ClamAV users optionally to submit statistics to us about what they
detect in the field. We will then use this data to determine what types of
Malware/Viruses are the most detected in the field and in what geographic area they are.

Otherwise this will be a bug fix release; it will close the following bugs from
http://bugs.clamav.net (please note that this is an initial list and both it and the schedule
may change without notice):

684, 777, 828, 832, 954, 1046, 1085, 1092, 1098, 1135, 1137, 1145, 1150,
1154, 1155, 1157, 1158, 1160, 1162, 1165, 1174, 1179, 1181, 1184, 1185,
1186, 1187, 1189, 1192, 1196, 1197, 1199, 1201, 1203, 1204, 1205, 1210,
1211, 1212, 1213, 1216, 1217, 1219 and 1221.

We encourage as many people as possible to test this release by downloading
it from www.clamav.net as soon as it becomes available. If you don't have
access to a test machine you can still help by downloading it and checking
for us that it compiles and links on your platform. If you do have a test
machine/model/network please help us by loading ClamAV 0.94.1RC1 and testing.

All bug reports should be filed at http://bugs.clamav.net.

We also encourage all 3rd party developers of products and distribution/port
maintainers to download and check this update so that you can go
live as soon as the full version is released.

Nigel Horne | 16 Oct 11:45 2008

Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1

Folks,

0.94.1 RC1 was published on schedule yesterday.

For details of the new features please refer to the Changelog. For an
overview please refer to http://www.clamav.net/press/0.94.1-WhatsNew.pdf.

We encourage as many people as possible to test this release candidate by
downloading it from www.clamav.net. If you don't have access to a test
machine you can still help by downloading it and checking for us that it
compiles and links on your platform. If you do have a test
machine/model/network please help us by loading ClamAV 0.94.1RC1 and testing.

All bug reports should be filed at http://bugs.clamav.net.

We also encourage all 3rd party developers of products and distribution/port
maintainers to download and check this update so that you can go
live as soon as the final version is released.

Thank you for your continued support and help,

-Nigel

-- 
Nigel Horne, nigel.horne <at> sourcefire.com
Director of Product Management (ClamAV), Sourcefire,
http://www.sourcefire.com