[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Kevin Lin klin at sourcefire.com
Tue Aug 25 11:48:43 EDT 2015

As a heuristic, the generation of this detection is a result of behavioral
detection by the ClamAV engine and not by any particular database
signature. Unfortunately, this effectively means that sigtool is unable to
decode the signature as there is no signature associated with this

Luckily, it appears you can see the domain that causes the heuristic
detection by running clamscan on the email with the "--debug" flag. The
debug flag causes clamscan to log the domain checks to stderr and most
likely terminates the scan once it detects the heuristic if
"--heuristic-scan-precedence=yes" is set as well.

Additionally, you can provide the false positive to


On Tue, Aug 25, 2015 at 6:36 AM, Alex <mysqlstudent at gmail.com> wrote:

> Hi,
> I have an email with an apparent false-positive spoofed domain. How
> can I determine what domain it is that clamscan thinks is spoofed and
> correct it?
> I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
> decode a false-positive, but no signature or other details are given.
> Thanks,
> Alex
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/contact.html#ml

More information about the clamav-users mailing list