[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

Alessandro Vesely vesely at tana.it
Fri Jul 18 15:28:28 EDT 2014


Hi Steve,

On Fri 18/Jul/2014 19:00:08 +0200 Steven Morgan wrote:
> 
> Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/
> directory. It contains some info on identifying the reason for the phish
> detection and on how to write whitelist signatures.

Hm... why.py doesn't seem to be up to date.  But --debug still works.

> You should be able to create a local whitelist, local.wdb for
> example, and add that to your database directory rather than
> modifying daily.wdb.

Correct, thanks.  If I create local.wdb having these three lines:

M:www.facebook.com:www.sella.it
M:plus.google.com:www.sella.it
M:www.youtube.com:www.sella.it

then the message is clean.  daily.cld already contains similar lines,
but it seems the bank changes their HTML more quickly than database
maintainers can cope with :-/

Note that I already know the sender is whitelisted by DNSWL by the
time I scan.  However, keeping two engines, one of which is loaded
without phishing signatures, would seem to be overkill, no?

Any other ideas?
Ale
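
An added illustration, not part of the original message or of ClamAV: a script that lists candidate `M:` lines for a local.wdb from a message's HTML part, restricted to displayed hostnames the administrator already trusts. It assumes the `M:RealHostname:DisplayedHostname` layout of the three lines above; the link-text matching is a simplification of what the engine does, and the names and sample HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST = r"(?:[a-z0-9-]+\.)+[a-z]{2,}"
SHOWN_RE = re.compile(rf"^(?:https?://)?({HOST})(?:[/:?#].*)?$", re.I)

class LinkPairs(HTMLParser):
    """Collect (real_host, displayed_host) for <a> tags whose text names another host."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        try:
            real = (urlsplit(self._href).hostname or "").lower()
        except ValueError:      # malformed href, nothing to compare
            real = ""
        shown = SHOWN_RE.match("".join(self._text).strip())
        # Colons would break the colon-separated .wdb line, so require plain hostnames.
        if shown and re.fullmatch(HOST, real) and real != shown.group(1).lower():
            self.pairs.append((real, shown.group(1).lower()))
        self._href = None

def wdb_lines(html, trusted_displayed):
    """Return sorted, de-duplicated M: lines for displayed hosts the admin trusts."""
    parser = LinkPairs()
    parser.feed(html)
    parser.close()
    keep = {(r, d) for r, d in parser.pairs if d in trusted_displayed}
    return [f"M:{r}:{d}" for r, d in sorted(keep)]

# Constructed sample, not the bank's actual newsletter.
SAMPLE_HTML = """<p><a href="https://www.facebook.com/page">www.sella.it</a>
<a href="https://www.youtube.com/channel">www.sella.it</a>
<a href="https://www.sella.it/news">www.sella.it</a>
<a href="https://plus.google.com/123">Google+</a>
<a href="http://tracker.example/x">www.other.example</a></p>"""

if __name__ == "__main__":
    print("\n".join(wdb_lines(SAMPLE_HTML, {"www.sella.it"})))
```

Each candidate line is for review before it goes into local.wdb; pairs whose displayed hostname is not in the trusted set are never emitted.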


