[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

Steven Morgan smorgan at sourcefire.com
Mon Jul 21 15:10:03 EDT 2014


Alessandro,

Agreed. You can submit fp's and help keep the databases current by sending
the messages to this website:

http://www.clamav.net/lang/en/sendvirus/submit-fp/


On Fri, Jul 18, 2014 at 3:28 PM, Alessandro Vesely <vesely at tana.it> wrote:

> Hi Steve,
>
> On Fri 18/Jul/2014 19:00:08 +0200 Steven Morgan wrote:
> >
> > Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/
> > directory. It contains some info on identifying the reason for the phish
> > detection and on how to write whitelist signatures.
>
> Hm... why.py doesn't seem to be up to date.  But --debug still works.
>
> > You should be able to create a local whitelist, local.wdb for
> > example, and add that to your database directory rather than
> > modifying daily.wdb.
>
> Correct, thanks.  If I create local.wdb having these three lines:
>
> M:www.facebook.com:www.sella.it
> M:plus.google.com:www.sella.it
> M:www.youtube.com:www.sella.it
>
> then the message is clean.  daily.cld already contains similar lines,
> but it seems the bank change their html more quickly than database
> maintainers can cope with :-/
>
> Note that I already know the sender is whitelisted by DNSWL by the
> time I scan.  However, keeping two engines, one of which is loaded
> without phishing signatures, would seem to be overkill, no?
>
> Any other idea?
> Ale
>


