ClamAV
Installing (Linux)
Download the latest stable release from the ClamAV Site. Full documentation for the install process is included with the distribution in the file named ./doc/clamdoc.pdf.
De-compress the archive and change your working folder to the de-compressed folder
Installing for All Users
Note: the 'All Users' instructions have not been confirmed. They are a summary of the instructions included in the distribution.
Add a clamav user and group
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
Build and install
$ ./configure --sysconfdir=/etc
$ make
# make install
Edit /etc/clamd.conf, setting the options to suit. Both clamd.conf and freshclam.conf are installed with a line near the top reading just Example; comment it out or delete it, otherwise clamd and freshclam refuse to start. Make sure the DatabaseDirectory exists and is owned by the clamav user, since freshclam writes the database there as that user.
# vi /etc/clamd.conf
Edit /etc/freshclam.conf, ensuring you set the location of the database (DatabaseDirectory option) to the same directory as in clamd.conf
# vi /etc/freshclam.conf
Fetch the virus database (clamd will not start without one), then run the clamd daemon
# freshclam
# clamd
Installing for Shell Account
Build, specifying an install location under your home directory, then install (--disable-clamav skips configure's check for a clamav user and group, which a shell account cannot create)
$ ./configure --prefix=/home/myname/clamav --disable-clamav
$ make
$ make install
Edit the configuration file installed under the prefix (./etc/freshclam.conf relative to the prefix, i.e. ~/clamav/etc/freshclam.conf): comment out the Example line and ensure you set the location of the database (DatabaseDirectory option) to a directory your account can write to; the default is share/clamav under the prefix
$ vi ~/clamav/etc/freshclam.conf
Update the virus database
$ ~/clamav/bin/freshclam
Check the database is up to date: the version option prints the engine version, the signature database version and the date of the database, separated by slashes
$ ~/clamav/bin/clamscan --version --database=./${DATABASE_LOCATION}
Test the installation
$ ~/clamav/bin/clamscan --database=./${DATABASE_LOCATION} ~
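The configuration edits in both the system-wide and the shell-account procedures above come down to the same two things: removing the Example sentinel and setting DatabaseDirectory. The script below is an added example, not from this page or the ClamAV distribution, that does those edits mechanically and checks the result. The sample configuration it builds is a constructed stand-in for the shipped clamd.conf, and the option values and the temporary directory standing in for /var/lib/clamav are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or the ClamAV distribution):
# make a freshly installed clamd.conf / freshclam.conf usable.
# Every .conf file ClamAV installs carries a line reading just "Example";
# clamd and freshclam refuse to start until it is removed or commented out.

# Portable in-place edit: GNU and BSD sed disagree about -i.
sed_inplace() {
    tmp="$1.tmp.$$"
    sed "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# set_clam_opt <conf> <Option> <value>
# Comments out the Example sentinel, drops every existing mention of
# <Option> (an active line or the shipped "#Option value" form) and
# appends a single active "Option value" line. Option names are plain
# words, so they are safe to splice into the sed address.
set_clam_opt() {
    conf=$1; opt=$2; val=$3
    sed_inplace "$conf" 's/^Example$/#Example/'
    sed_inplace "$conf" "/^#\{0,1\}$opt[[:space:]]/d"
    printf '%s %s\n' "$opt" "$val" >> "$conf"
}

# get_clam_opt <conf> <Option>: value of the last active setting, if any.
get_clam_opt() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# check_clam_conf <conf>: fail on the two mistakes that stop the daemons
# from starting: the sentinel still present, or a DatabaseDirectory that
# does not exist.
check_clam_conf() {
    if grep -q '^Example' "$1"; then
        echo "$1: 'Example' line still present; clamd/freshclam will not start" >&2
        return 1
    fi
    dbdir=$(get_clam_opt "$1" DatabaseDirectory)
    if [ -n "$dbdir" ] && [ ! -d "$dbdir" ]; then
        echo "$1: DatabaseDirectory $dbdir does not exist" >&2
        return 1
    fi
    return 0
}

# sample_conf <path>: a constructed stand-in for the shipped clamd.conf
# (the real file is far longer; only the shape matters here).
sample_conf() {
    cat > "$1" <<'EOF'
##
## Example config file for the Clam AV daemon
##

# Comment or remove the line below.
Example

# Path to the database directory.
#DatabaseDirectory /var/lib/clamav

# Run as another user (clamd must be started by root).
#User clamav
EOF
}

# Demonstration on throwaway files standing in for /etc/clamd.conf and
# /var/lib/clamav; the User and LogFile values are assumptions.
demo_conf=$(mktemp); demo_db=$(mktemp -d)
sample_conf "$demo_conf"
set_clam_opt "$demo_conf" DatabaseDirectory "$demo_db"
set_clam_opt "$demo_conf" User clamav
set_clam_opt "$demo_conf" LogFile /var/log/clamav/clamd.log
if check_clam_conf "$demo_conf"; then cat "$demo_conf"; fi
rm -rf "$demo_conf" "$demo_db"
```

Run the same set_clam_opt calls against /etc/freshclam.conf (DatabaseDirectory and, for a system install, DatabaseOwner) so that freshclam and clamd agree on where the database lives; check_clam_conf on each file before starting the daemons saves a round of reading the startup error.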
Scan
The following will provide a default recursive scan of /media/sda1 with logging and copying of files found to be infected.
$ mkdir infected
$ clamscan --recursive --suppress-ok-results --log=scan.log --copy=./infected/ /media/sda1
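As an added example that is not part of the original page, the following script wraps the scan command above, branches on clamscan's exit status (0 nothing found, 1 infected files found, 2 an error occurred) and pulls the hits and the summary count back out of the log. The scan.log it parses is constructed for the demonstration; the two signature names are the ones ClamAV reports for the EICAR test file and for its own test files, and the summary figures are made up.

```shell
#!/bin/sh
# Added example (not from the original page): wrap the page's scan command,
# act on clamscan's exit status and pull the findings back out of the log.
# clamscan exits 0 when nothing was found, 1 when infected files were found
# and 2 on error (bad option, unreadable database, ...).

# infected_from_log <scan.log>: one "path<TAB>signature" line per hit.
# Report lines look like "/path/to/file: Signature.Name FOUND"; the first
# group is greedy, so a path containing ": " still splits correctly.
infected_from_log() {
    tab=$(printf '\t')
    sed -n "s/^\(.*\): \(.*\) FOUND\$/\1$tab\2/p" "$1"
}

# infected_count <scan.log>: the "Infected files:" figure from the summary.
infected_count() {
    sed -n 's/^Infected files: \([0-9]*\)$/\1/p' "$1"
}

# scan_media <dir> [log] [quarantine-dir]: the page's command with its
# result interpreted. --copy leaves the original in place for investigation;
# --log appends, so the log is truncated first to keep one run per log.
scan_media() {
    target=$1; log=${2:-scan.log}; quarantine=${3:-./infected}
    mkdir -p "$quarantine"
    : > "$log"
    if clamscan --recursive --suppress-ok-results --log="$log" \
                --copy="$quarantine" "$target" > /dev/null; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "$target: clean";;
        1) echo "$target: $(infected_count "$log") infected file(s), copied to $quarantine:"
           infected_from_log "$log";;
        *) echo "$target: clamscan failed with exit status $rc, see $log" >&2;;
    esac
    return $rc
}

# sample_log <path>: a constructed scan.log (two ClamAV test-file hits;
# the summary figures are invented) so the parsers can be exercised offline.
sample_log() {
    cat > "$1" <<'EOF'
/media/sda1/docs/eicar.com.txt: Eicar-Test-Signature FOUND
/media/sda1/bin/clam.exe: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Known viruses: 715234
Engine version: 0.96
Scanned directories: 12
Scanned files: 340
Infected files: 2
Data scanned: 45.20 MB
Data read: 60.01 MB (ratio 0.75:1)
Time: 12.345 sec (0 m 12 s)
EOF
}

# Demonstration on the constructed log; on a real system call
# scan_media /media/sda1 scan.log ./infected instead.
demo=$(mktemp)
sample_log "$demo"
echo "infected files: $(infected_count "$demo")"
infected_from_log "$demo"
rm -f "$demo"
```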
Trouble-Shooting
Heuristics.Phishing.Email.SpoofedDomain FOUND
If you believe this result is a false positive, you can find the part of the e-mail message that triggered the heuristic by running clamscan with the --debug option and saving the output to a file for examination. E.g.
$ clamscan --debug email.eml 2>result.txt
Search result.txt for a string similar to LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different, or grep the file to pick out all the non-clean scan results so you can figure out what to search for:
$ egrep 'Phishing scan result:' result.txt | egrep -v 'Phishing scan result: Clean'
Using your favourite editor, look back from the non-clean phishing scan result for a line similar to LibClamAV debug: Phishcheck: Checking url. The heuristic compares where a link really goes (the href attribute of an HTML A tag) with what the recipient sees (the link text, or the src of an img inside the link); when the two refer to different domains the message is reported as a spoofed domain. There will also be a line similar to LibClamAV debug: Looking up in regex_list: which lists the two domain names. To whitelist that domain combination, create a file named spoofing.wdb in your ClamAV database directory (the one containing daily.cvd etc.) containing a line of the following pattern, where first-domain.tld and second-domain.tld are the entries reported alongside LibClamAV debug: Looking up in regex_list:, in that order:
X:first-domain\.tld:second-domain\.tld
Both fields are regular expressions, so escape any characters in the domain names that are special in regular expressions (the dots at least). Every file with a .wdb extension in the database directory is loaded, so the file must be readable by the user clamd runs as, and clamd has to be restarted (or told to reload with clamdscan --reload) before it picks up a new one. The full .wdb format is described in the signatures documentation shipped with the distribution.
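Putting the whitelisting step above into a script, as an added example that is not from this page or from ClamAV: it escapes the two domains, builds the X: line, checks that each pattern still matches its domain, and appends the line to spoofing.wdb only if it is not already there. The domain names and the temporary directory standing in for the database directory are invented, and grep's POSIX ERE is only a stand-in for ClamAV's own regex matcher.

```shell
#!/bin/sh
# Added example (not from the original page): build, check and install a
# spoofing.wdb whitelist line for the two domains reported next to
# "LibClamAV debug: Looking up in regex_list:". The domain names and the
# directory used in the demonstration are made up.

# wdb_escape <name>: backslash-escape regex metacharacters so the name
# matches itself literally (in a hostname that means the dots).
wdb_escape() {
    printf '%s\n' "$1" | sed 's/[].[^$*+?(){}]/\\&/g'
}

# wdb_entry <real-domain> <displayed-domain>: the X: line from the page,
# real (href) domain first, displayed domain second.
wdb_entry() {
    printf 'X:%s:%s\n' "$(wdb_escape "$1")" "$(wdb_escape "$2")"
}

# wdb_check <entry> <real-domain> <displayed-domain>: each field must still
# match its domain. grep's ERE stands in for ClamAV's matcher, so this
# catches a typo or a missing escape, not every behaviour of ClamAV.
wdb_check() {
    rest=${1#X:}
    real_re=${rest%%:*}
    disp_re=${rest#*:}
    printf '%s\n' "$2" | grep -Eqx "$real_re" || return 1
    printf '%s\n' "$3" | grep -Eqx "$disp_re" || return 1
    return 0
}

# wdb_add <dbdir> <real-domain> <displayed-domain>: append the entry to
# <dbdir>/spoofing.wdb unless it is already there. Every *.wdb in the
# database directory is loaded, so use the directory that holds daily.cvd.
wdb_add() {
    f="$1/spoofing.wdb"
    entry=$(wdb_entry "$2" "$3")
    wdb_check "$entry" "$2" "$3" || return 1
    if [ -f "$f" ] && grep -Fqx "$entry" "$f"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$f"
}

# Demonstration against a throwaway directory standing in for the database
# directory; the two domains are invented.
demo=$(mktemp -d)
wdb_add "$demo" www.example.com images.example.net
cat "$demo/spoofing.wdb"
rm -rf "$demo"
```

On a live system point wdb_add at the real database directory, make sure the resulting file is readable by the clamd user, and restart clamd or run clamdscan --reload so the new whitelist is loaded; then re-run the clamscan --debug command on the message to confirm the result is now Clean.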
False Positives
Upload the file to VirusTotal.com to see how many other engines detect it; if only ClamAV flags it, a false positive is likely.
If you think it is a false positive, submit it to ClamAV using the false positive submission form.
-- Frank Dean - 15 Mar 2010
Related Topics: LinuxHintsAndTips, WindowsXP