SA vs ClamAV for phishing heuristics

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 12:50

I was reading this thread: http://hmailserver.com/forum/viewtopic. ... 43#p206943

I didn't want to hijack the thread with my maybe dumb question. The thread sort of turned into a phishing heuristics thing. I was wondering how ClamAV compares to SA when it comes to discovering phishing attempts. I have seen a few phishing emails get past SA. Mostly they get picked up by HMS for SPF or DKIM failures. Is this something SaneSecurity specializes in? Is it worth installing the clamav SA plugin?

Question 2: the clamav plugin instructions say to drop clamav.cf and clamav.pm into /etc/mail/spamassassin/. I assume that means C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin for us? (the /mail/ part threw me off).

Question 3: is the clamav perl module necessary on windows?

Last dumb question: I still plan to have hms scan messages with clamav as I have it set up now. The SA plugin won't interfere with that, correct? I'm mainly interested in the phishing aspect of SA clamav scanning (if it's worthwhile vs SA alone).

SorenR (Senior user, Denmark, 6315 posts, joined 2006-08-21 15:38)

Re: SA vs ClamAV for phishing heuristics

Post by SorenR » 2018-10-01 13:45

palinka wrote (2018-10-01 12:50):
> I was reading this thread: http://hmailserver.com/forum/viewtopic. ... 43#p206943
>
> I didn't want to hijack the thread with my maybe dumb question. The thread sort of turned into a phishing heuristics thing. I was wondering how ClamAV compares to SA when it comes to discovering phishing attempts. I have seen a few phishing emails get past SA. Mostly they get picked up by HMS for SPF or DKIM failures. Is this something SaneSecurity specializes in? Is it worth installing the clamav SA plugin?
>
> Question 2: the clamav plugin instructions say to drop clamav.cf and clamav.pm into /etc/mail/spamassassin/. I assume that means C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin for us? (the /mail/ part threw me off).
>
> Question 3: is the clamav perl module necessary on windows?
>
> Last dumb question: I still plan to have hms scan messages with clamav as I have it set up now. The SA plugin won't interfere with that, correct? I'm mainly interested in the phishing aspect of SA clamav scanning (if it's worthwhile vs SA alone).

SA does what it is told, so does ClamAV. Combining the two means you have to do less work defining custom rules for either :mrgreen:

A2: "C:\SpamAssassin\etc\spamassassin" on my server, same directory where your "local.cf" resides.

A3: ClamAV Perl what ?? :wink:

Last dumb answer: My HMS and my SA both check with the same instance of ClamAV. A curious fact is that sometimes HMS gets a "clean" signal from ClamAV but SA does not ... Never the other way around :roll:

I've checked with ClamAV logs and calls from HMS "stream(127.0.0.1@2032)" and SA "instream(127.0.0.1@1310)" differ ... Also, HMS calls ClamAV just before OnDeliverMessage and SA just before OnAcceptMessage so it's not 100% the same content.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.
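
An added example (not code from this thread, hMailServer or the SpamAssassin ClamAV plugin) showing the clamd INSTREAM exchange that the "instream(...)" log entries above refer to: the client sends the message as length-prefixed chunks terminated by a zero-length chunk, and clamd answers with one null-terminated verdict line. It assumes clamd listening on 127.0.0.1:3310 (clamd's default TCP port); the replies checked offline are constructed samples.

```python
import socket
import struct

# The "z" command form is null-terminated, and clamd null-terminates its reply.
INSTREAM_CMD = b"zINSTREAM\0"


def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Frame raw message bytes the way clamd's INSTREAM command expects:
    the command, then chunks each prefixed with a 4-byte big-endian length,
    then a zero-length chunk that tells clamd the stream is complete."""
    out = bytearray(INSTREAM_CMD)
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # terminator chunk
    return bytes(out)


def parse_reply(reply: bytes):
    """Turn clamd's reply ('stream: OK', 'stream: <sig> FOUND' or
    'stream: <msg> ERROR') into a (status, detail) tuple."""
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("clean", None)
    if verdict.endswith(" FOUND"):
        return ("found", verdict[: -len(" FOUND")])
    return ("error", verdict or text)


def scan_with_clamd(message: bytes, host: str = "127.0.0.1", port: int = 3310):
    """One INSTREAM scan over a fresh TCP connection to clamd."""
    with socket.create_connection((host, port), timeout=60) as sock:
        sock.sendall(frame_instream(message))
        reply = b""
        while not reply.endswith(b"\0"):  # z-command replies end with a NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Constructed sample message; this call needs a running clamd to succeed.
    print(scan_with_clamd(b"Subject: test\r\n\r\nhello\r\n"))
```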

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 13:55

SorenR wrote (2018-10-01 13:45):
> Last dumb answer: My HMS and my SA both check with the same instance of ClamAV. A curious fact is that sometimes HMS gets a "clean" signal from ClamAV but SA does not ... Never the other way around :roll:

Awesome. Thanks. The above makes sense insofar as the way I intend to use it. When HMS calls for clamav to scan a message, it only checks for viruses. When SA calls for clamav it checks for more than viruses, so it should return a value more often because it finds things other than viruses. Kind of the whole point, I think. :)

Are you happy with how it works? Do you see any improvement over SA without clamav plugin?

SorenR (Senior user, Denmark, 6315 posts, joined 2006-08-21 15:38)

Re: SA vs ClamAV for phishing heuristics

Post by SorenR » 2018-10-01 14:31

palinka wrote (2018-10-01 13:55):
> SorenR wrote (2018-10-01 13:45):
> > Last dumb answer: My HMS and my SA both check with the same instance of ClamAV. A curious fact is that sometimes HMS gets a "clean" signal from ClamAV but SA does not ... Never the other way around :roll:
>
> Awesome. Thanks. The above makes sense insofar as the way I intend to use it. When HMS calls for clamav to scan a message, it only checks for viruses. When SA calls for clamav it checks for more than viruses, so it should return a value more often because it finds things other than viruses. Kind of the whole point, I think. :)
>
> Are you happy with how it works? Do you see any improvement over SA without clamav plugin?

Yes and Yes :mrgreen:

jimimaseye (Moderator, 10060 posts, joined 2011-09-08 17:48)

Re: SA vs ClamAV for phishing heuristics

Post by jimimaseye » 2018-10-01 14:42

Of course it also means that your message gets sent to Clamav twice for scanning. (A good use of resources?)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 14:53

OK thanks, guys. I'll set it up today.

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 14:54

jimimaseye wrote (2018-10-01 14:42):
> Of course it also means that your message gets sent to Clamav twice for scanning. (A good use of resources?)

Shouldn't be an issue on my pretty light-usage system.

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 18:25

Mon Oct  1 12:09:33 2018 [13844] error: Can't locate File/Scan/ClamAV.pm in @INC (you may need to install the File::Scan::ClamAV module) (@INC contains: lib C:\Program Files\JAM Software\SpamAssassin for Windows\runtime\lib .) at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct  1 12:09:33 2018 [13844] warn: plugin: failed to parse plugin C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm: Can't locate File/Scan/ClamAV.pm in @INC (you may need to install the File::Scan::ClamAV module) (@INC contains: lib C:\Program Files\JAM Software\SpamAssassin for Windows\runtime\lib .) at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct  1 12:09:33 2018 [13844] warn: BEGIN failed--compilation aborted at C: [...]\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 14.
Mon Oct  1 12:09:33 2018 [13844] warn: Compilation failed in require at Mail/SpamAssassin/PluginHandler.pm line 109.
Mon Oct  1 12:09:36 2018 [13844] warn: rules: failed to run CLAMAV test, skipping:
Mon Oct  1 12:09:36 2018 [13844] warn:  (Can't locate object method "check_clamav" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at (eval 2343) line 19.
Mon Oct  1 12:09:36 2018 [13844] warn: )
ClamAV is running and tests OK in hms.

"error: Can't locate File/Scan/ClamAV.pm" - I tried creating the folder \runtime\lib\File\Scan into which I copied clamav.pm, but still get errors:

Mon Oct  1 12:23:37 2018 [6888] warn: Subroutine new redefined at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 17.
Mon Oct  1 12:23:37 2018 [6888] warn: Subroutine check_clamav redefined at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 26.
Mon Oct  1 12:23:40 2018 [6888] warn: rules: failed to run CLAMAV test, skipping:
Mon Oct  1 12:23:40 2018 [6888] warn:  (Undefined subroutine &File: [...]:Scan::ClamAV called at C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin\clamav.pm line 29.
Mon Oct  1 12:23:40 2018 [6888] warn: )
I'm clearly missing something.

SorenR (Senior user, Denmark, 6315 posts, joined 2006-08-21 15:38)

Re: SA vs ClamAV for phishing heuristics

Post by SorenR » 2018-10-01 18:33

ClamAV.cf AND ClamAV.pm (version 2.0) both go into the same directory as local.cf...

ClamAV.cf

#loadplugin Mail::SpamAssassin::Plugin::ClamAV
loadplugin      ClamAV clamav.pm
full            CLAMAV eval:check_clamav()
describe        CLAMAV Clam AntiVirus detected a virus
score           CLAMAV 3

add_header all Virus _CLAMAVRESULT_

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-01 19:18

SorenR wrote (2018-10-01 18:33):
> ClamAV.cf AND ClamAV.pm (version 2.0) both go into the same directory as local.cf...
>
> ClamAV.cf
>
> #loadplugin Mail::SpamAssassin::Plugin::ClamAV
> loadplugin      ClamAV clamav.pm
> full            CLAMAV eval:check_clamav()
> describe        CLAMAV Clam AntiVirus detected a virus
> score           CLAMAV 3
>
> add_header all Virus _CLAMAVRESULT_

Both are located in \etc\spamassassin - same location as local.cf. I deleted \runtime\lib\File\New\clamav.pm since it didn't solve anything and the instructions didn't say anything about it.

What is version 2.0 of clamav.pm? I followed the instructions here: https://wiki.apache.org/spamassassin/ClamAVPlugin EXCEPT for the perl module based on your comment above: "A3: ClamAV Perl what ??" which I understood to mean that it wasn't necessary.

I googlymoogled "clamav.pm" and came across this thread which solved my problem: viewtopic.php?t=31171

The perl thingy was it. No errors starting SA now.

SorenR (Senior user, Denmark, 6315 posts, joined 2006-08-21 15:38)

Re: SA vs ClamAV for phishing heuristics

Post by SorenR » 2018-10-02 00:52

Oh boy ... That's embarrassing ... :oops:

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2018-10-02 00:54

SorenR wrote (2018-10-02 00:52):
> Oh boy ... That's embarrassing ... :oops:

Well it just goes to show I should have used the search function before posting a new topic! :mrgreen:

palinka (Senior user, 4461 posts, joined 2017-09-12 17:57)

Re: SA vs ClamAV for phishing heuristics

Post by palinka » 2020-11-20 16:52

SorenR wrote (2018-10-01 18:33):
> ClamAV.cf AND ClamAV.pm (version 2.0) both go into the same directory as local.cf...
>
> ClamAV.cf
>
> #loadplugin Mail::SpamAssassin::Plugin::ClamAV
> loadplugin      ClamAV clamav.pm
> full            CLAMAV eval:check_clamav()
> describe        CLAMAV Clam AntiVirus detected a virus
> score           CLAMAV 3
>
> add_header all Virus _CLAMAVRESULT_

I'm still rebuilding my server. I *think* I got SA/clamav running. Just curious about this: you commented out loadplugin Mail::SpamAssassin::Plugin::ClamAV. Is this necessary?

SorenR (Senior user, Denmark, 6315 posts, joined 2006-08-21 15:38)

Re: SA vs ClamAV for phishing heuristics

Post by SorenR » 2020-11-20 18:20

palinka wrote (2020-11-20 16:52):
> SorenR wrote (2018-10-01 18:33):
> > ClamAV.cf AND ClamAV.pm (version 2.0) both go into the same directory as local.cf...
> >
> > ClamAV.cf
> >
> > #loadplugin Mail::SpamAssassin::Plugin::ClamAV
> > loadplugin      ClamAV clamav.pm
> > full            CLAMAV eval:check_clamav()
> > describe        CLAMAV Clam AntiVirus detected a virus
> > score           CLAMAV 3
> >
> > add_header all Virus _CLAMAVRESULT_
>
> I'm still rebuilding my server. I *think* I got SA/clamav running. Just curious about this: you commented out loadplugin Mail::SpamAssassin::Plugin::ClamAV. Is this necessary?

I have ClamAV.pm version 2.0 in etc\spamassassin\ AND version 1.8 in lib\file\scan\ so I presume I REM'd the first line to use version 2.0 of the plugin.

mattg (Moderator, 'The Outback' Australia, 22437 posts, joined 2007-06-14 05:12)

Re: SA vs ClamAV for phishing heuristics

Post by mattg » 2020-11-21 03:21

The ClamAV plugin in SpamAssassin is very useful when you have the excellent third-party rules from Sanesecurity loaded.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
