SA vs ClamAV for phishing heuristics
I was reading this thread: http://hmailserver.com/forum/viewtopic. ... 43#p206943
I didn't want to hijack the thread with my maybe dumb question. The thread sort of turned into a phishing heuristics thing. I was wondering how ClamAV compares to SA when it comes to discovering phishing attempts. I have seen at a few phishing emails get past SA. Mostly they get picked up by HMS for spf or dkim failures. Is this something SaneSecurity specializes in? Is it worth installing the clamav SA plugin?
Question 2: the clamav plugin instructions say to drop clamav.cf and clamav.pm into /etc/mail/spamassassin/. I assume that means C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin for us? (the /mail/ part threw me off).
Question 3: is the clamav perl module necessary on windows?
Last dumb question: I still plan to have hms scan messages with clamav as I have it set up now. The SA plugin won't interfere with that, correct? I'm mainly interested in the phishing aspect of SA clamav scanning (if its worthwhile vs SA alone)
Re: SA vs ClamAV for phishing heuristics
SA does what it is told, so does ClamAV. Combining the two means you have to do less work defining custom rules for either.

palinka wrote: ↑2018-10-01 12:50
I was reading this thread: http://hmailserver.com/forum/viewtopic. ... 43#p206943
I didn't want to hijack the thread with my maybe dumb question. The thread sort of turned into a phishing heuristics thing. I was wondering how ClamAV compares to SA when it comes to discovering phishing attempts. I have seen at a few phishing emails get past SA. Mostly they get picked up by HMS for spf or dkim failures. Is this something SaneSecurity specializes in? Is it worth installing the clamav SA plugin?
Question 2: the clamav plugin instructions say to drop clamav.cf and clamav.pm into /etc/mail/spamassassin/. I assume that means C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin for us? (the /mail/ part threw me off).
Question 3: is the clamav perl module necessary on windows?
Last dumb question: I still plan to have hms scan messages with clamav as I have it set up now. The SA plugin won't interfere with that, correct? I'm mainly interested in the phishing aspect of SA clamav scanning (if its worthwhile vs SA alone)
A2: "C:\SpamAssassin\etc\spamassassin" on my server, same directory where your "local.cf" resides.
A3: ClamAV Perl what ??
Last dumb answer: My HMS and my SA both check with the same instance of ClamAV. A curious fact is that sometimes HMS gets a "clean" signal from ClamAV but SA does not ... Never the other way around.
I've checked with ClamAV logs and calls from HMS "stream(127.0.0.1@2032)" and SA "instream(127.0.0.1@1310)" differ ... Also, HMS calls ClamAV just before OnDeliverMessage and SA just before OnAcceptMessage so it's not 100% the same content.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
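The HMS-vs-SA difference SørenR points to in the clamd log ("stream" versus "instream") is the clamd command each client issues. As an added example, not code from this thread, from hMailServer or from the SpamAssassin plugin, here is the INSTREAM framing and reply parsing that the SA side relies on, written so the framing and the "OK" / "FOUND" / "ERROR" handling can be checked offline; the 127.0.0.1:3310 address is clamd's default TCP listener and is an assumption, and the reply strings used in the tests are constructed.

```python
"""Frame a message for clamd's INSTREAM command and parse the reply.

Added example (not from the forum thread): models the clamd call that
SpamAssassin's ClamAV plugin makes, so framing and reply parsing can be
checked without a running clamd. Host/port are assumed defaults.
"""
import socket
import struct
from typing import Optional

CHUNK = 8192  # clamd accepts any chunk size below its StreamMaxLength


def frame_instream(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Build the zINSTREAM payload: NUL-terminated command, then
    length-prefixed chunks (4-byte big-endian), closed by a zero length."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        part = data[off:off + chunk_size]
        out += struct.pack("!L", len(part)) + part
    out += struct.pack("!L", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply: bytes) -> Optional[str]:
    """Return the signature name clamd reported, or None for a clean scan.

    An ERROR reply raises, so a failed scan is never mistaken for 'clean';
    that is the gap a scoring plugin must not paper over."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # e.g. "stream: Sanesecurity.Phishing.Foo FOUND" -> signature name
        return text.split(": ", 1)[1][: -len(" FOUND")]
    if text.endswith(" OK"):
        return None
    raise RuntimeError(f"clamd error: {text}")


def scan(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> Optional[str]:
    """Send one message to clamd over TCP and return parse_reply's result.
    Port 3310 is clamd's default TCP port (assumed, not taken from the thread)."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # zINSTREAM replies are NUL-terminated
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)
```

Running `scan(raw_message_bytes)` against a local clamd returns the signature name (a Sanesecurity phishing signature, for instance) or None, which is the value a plugin rule such as the CLAMAV rule in this thread would score on.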
Re: SA vs ClamAV for phishing heuristics
Awesome. Thanks. The above makes sense insofar as the way I intend to use it. When HMS calls for clamav to scan a message, it only checks for viruses. When SA calls for clamav it checks for more than viruses, so it should return a value more often because it finds things other than viruses. Kind of the whole point, I think.
Are you happy with how it works? Do you see any improvement over SA without clamav plugin?
Re: SA vs ClamAV for phishing heuristics
Yes and Yes.

palinka wrote: ↑2018-10-01 13:55
Awesome. Thanks. The above makes sense insofar as the way I intend to use it. When HMS calls for clamav to scan a message, it only checks for viruses. When SA calls for clamav it checks for more than viruses, so it should return a value more often because it finds things other than viruses. Kind of the whole point, I think.
Are you happy with how it works? Do you see any improvement over SA without clamav plugin?
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
- jimimaseye
- Moderator
- Posts: 10060
- Joined: 2011-09-08 17:48
Re: SA vs ClamAV for phishing heuristics
Of course it also means that your message gets sent to Clamav twice for scanning. (A good use of resources?)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: SA vs ClamAV for phishing heuristics
OK thanks, guys. I'll set it up today.
Re: SA vs ClamAV for phishing heuristics
Shouldn't be an issue on my pretty light-usage system.

jimimaseye wrote: ↑2018-10-01 14:42
Of course it also means that your message gets sent to Clamav twice for scanning. (A good use of resources?)
Re: SA vs ClamAV for phishing heuristics
Code:
Mon Oct 1 12:09:33 2018 [13844] error: Can't locate File/Scan/ClamAV.pm in @INC (you may need to install the File::Scan::ClamAV module) (@INC contains: lib C:\Program Files\JAM Software\SpamAssassin for Windows\runtime\lib .) at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct 1 12:09:33 2018 [13844] warn: plugin: failed to parse plugin C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm: Can't locate File/Scan/ClamAV.pm in @INC (you may need to install the File::Scan::ClamAV module) (@INC contains: lib C:\Program Files\JAM Software\SpamAssassin for Windows\runtime\lib .) at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct 1 12:09:33 2018 [13844] warn: BEGIN failed--compilation aborted at C: [...]\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct 1 12:09:33 2018 [13844] warn: Compilation failed in require at Mail/SpamAssassin/PluginHandler.pm line 109.
Mon Oct 1 12:09:36 2018 [13844] warn: rules: failed to run CLAMAV test, skipping:
Mon Oct 1 12:09:36 2018 [13844] warn: (Can't locate object method "check_clamav" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at (eval 2343) line 19.
Mon Oct 1 12:09:36 2018 [13844] warn: )
"error: Can't locate File/Scan/ClamAV.pm" - I tried creating the folder \runtime\lib\File\Scan into which I copied clamav.pm, but still get errors:
Code:
Mon Oct 1 12:23:37 2018 [6888] warn: Subroutine new redefined at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 17.
Mon Oct 1 12:23:37 2018 [6888] warn: Subroutine check_clamav redefined at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 26.
Mon Oct 1 12:23:40 2018 [6888] warn: rules: failed to run CLAMAV test, skipping:
Mon Oct 1 12:23:40 2018 [6888] warn: (Undefined subroutine &File: [...]:Scan::ClamAV called at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 29.
Mon Oct 1 12:23:40 2018 [6888] warn: )
Re: SA vs ClamAV for phishing heuristics
ClamAV.cf AND ClamAV.pm (version 2.0) both go into same directory as local.cf...
ClamAV.cf
Code:
#loadplugin Mail::SpamAssassin::Plugin::ClamAV
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 3
add_header all Virus _CLAMAVRESULT_
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: SA vs ClamAV for phishing heuristics
Both are located in \etc\spamassassin - same location as local.cf. I deleted \runtime\lib\File\New\clamav.pm since it didn't solve anything and the instructions didn't say anything about it.

SorenR wrote: ↑2018-10-01 18:33
ClamAV.cf AND ClamAV.pm (version 2.0) both go into same directory as local.cf...
ClamAV.cf
Code:
#loadplugin Mail::SpamAssassin::Plugin::ClamAV
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 3
add_header all Virus _CLAMAVRESULT_
What is version 2.0 of clamav.pm? I followed the instructions here: https://wiki.apache.org/spamassassin/ClamAVPlugin EXCEPT for the perl module based on your comment above: "A3: ClamAV Perl what ??" which I understood to mean that it wasn't necessary.
I googlymoogled "clamav.pm" and came across this thread which solved my problem: viewtopic.php?t=31171
The perl thingy was it. No errors starting SA now.
Re: SA vs ClamAV for phishing heuristics
Oh boy ... That's embarrassing ...
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: SA vs ClamAV for phishing heuristics
I'm still rebuilding my server. I *think* I got SA/clamav running. Just curious about this: you commented out loadplugin Mail::SpamAssassin::Plugin::ClamAV. Is this necessary?

SorenR wrote: ↑2018-10-01 18:33
ClamAV.cf AND ClamAV.pm (version 2.0) both go into same directory as local.cf...
ClamAV.cf
Code:
#loadplugin Mail::SpamAssassin::Plugin::ClamAV
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 3
add_header all Virus _CLAMAVRESULT_
Re: SA vs ClamAV for phishing heuristics
I have ClamAV.pm version 2.0 in etc\spamassassin\ AND version 1.8 in lib\file\scan\ so I presume I REM'd the first line to use version 2.0 of the plugin.

palinka wrote: ↑2020-11-20 16:52
I'm still rebuilding my server. I *think* I got SA/clamav running. Just curious about this: you commented out loadplugin Mail::SpamAssassin::Plugin::ClamAV. Is this necessary?

SorenR wrote: ↑2018-10-01 18:33
ClamAV.cf AND ClamAV.pm (version 2.0) both go into same directory as local.cf...
ClamAV.cf
Code:
#loadplugin Mail::SpamAssassin::Plugin::ClamAV
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 3
add_header all Virus _CLAMAVRESULT_
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: SA vs ClamAV for phishing heuristics
The ClamAV plugin in SpamAssassin is very useful when you have the excellent third party rules from Sanesecurity loaded.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation