[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Tue Aug 25 12:41:00 EDT 2015


Hi,

On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin <klin at sourcefire.com> wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> detection.
>
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
>
> Additionally, you can provide the false positive to
> http://www.clamav.net/report/report-fp.html.

Thanks very much. I've submitted an FP, but it appears to be the result of this:

LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

Looks like the Proofpoint "secure URL" product has mangled the URL so
badly that ClamAV can't decipher it?

In any case, how would I go about whitelisting either the sender
and/or the email the next time this happens, so I don't have to wait
for the sig team to perform an update?

For now, I've whitelisted the whole
Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I
obviously don't want to keep that permanently.

I'm using Postfix with amavisd-new and SpamAssassin on Fedora.

Thanks,
Alex
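The debug output above already contains everything needed to decide whether this hit is a genuine spoofed domain or an artifact of the URL rewriter: ClamAV logs the real (href) URL and the displayed URL as a `real->displayed` pair, and the Proofpoint URL Defense v2 wrapper carries the original destination in its `u` parameter. The script below is an added example, not code from the thread or from ClamAV: it parses the "URL after cleanup" line from `clamscan --debug` output, unwraps the v2 link using the publicly documented encoding (`_` stands for `/`, `-XX` for a percent-escaped byte), compares the unwrapped host with the displayed host, and, when they agree, emits a narrow `M:RealHostname:DisplayedHostname` line in ClamAV's `.wdb` phishing-whitelist format for that one host pair. The `.wdb` format is taken from the ClamAV signature documentation; the debug lines and the wrapped URL are the ones from this message, re-joined onto single lines, and the second link in the test is a constructed sample.

```python
"""Triage helper for a ClamAV Heuristics.Phishing.Email.SpoofedDomain hit.

Added example (not ClamAV code): pull the real/displayed URL pair out of
clamscan --debug output, unwrap the Proofpoint URL Defense v2 link to see
where it really goes, and emit a narrow .wdb whitelist entry for that host
pair instead of ignoring the whole heuristic via .ign2.
"""
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the debug lines from the thread, re-joined onto single lines.
DEBUG_LOG = """\
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
"""

# The rewritten link from the thread; the (26)/(293) length markers that
# ClamAV prints in its hash-lookup line have been dropped.
WRAPPED_URL = (
    "https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer"
    "&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U"
    "&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS"
    "&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y"
    "&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e="
)

CLEANUP_RE = re.compile(r"Phishcheck:URL after cleanup:\s*(\S+?)->(\S+)")
FOUND_RE = re.compile(r"found Possibly Unwanted:\s*(\S+)")
V2_RE = re.compile(r"^https?://urldefense\.proofpoint\.com/v2/url\?u=([^&]+)", re.I)


def extract_url_pairs(log):
    """Return [(real_url, displayed_url), ...] from 'URL after cleanup' lines.

    ClamAV logs the pair as real->displayed: the href target first, the
    anchor text second.
    """
    return [(m.group(1), m.group(2)) for m in CLEANUP_RE.finditer(log)]


def extract_detections(log):
    """Return the detection names reported as 'found Possibly Unwanted'."""
    return FOUND_RE.findall(log)


def decode_urldefense_v2(wrapped):
    """Unwrap a Proofpoint URL Defense v2 link.

    v2 stores the original URL in the 'u' parameter with '_' for '/' and
    '-XX' for a percent-escaped byte, so mapping '-' to '%' and '_' to '/'
    and then percent-decoding recovers the destination.
    """
    m = V2_RE.match(wrapped)
    if not m:
        raise ValueError("not a URL Defense v2 link")
    return unquote(m.group(1).translate(str.maketrans("-_", "%/")))


def wdb_host_entry(real_url, displayed_url):
    """Candidate .wdb line in ClamAV's 'M:RealHostname:DisplayedHostname'
    format, whitelisting only this rewriter host / displayed host pair."""
    return f"M:{urlparse(real_url).hostname}:{urlparse(displayed_url).hostname}"


def triage(log, wrapped):
    """Classify the hit: it is a rewriter false positive only if the unwrapped
    destination's host equals the host the recipient was shown."""
    real, displayed = extract_url_pairs(log)[0]
    target = decode_urldefense_v2(wrapped)
    is_fp = urlparse(target).hostname == urlparse(displayed).hostname
    return {
        "detections": extract_detections(log),
        "real_url": real,
        "displayed_url": displayed,
        "unwrapped_target": target,
        "is_rewriter_fp": is_fp,
        # Only offer a whitelist line when the destination really matches.
        "wdb_entry": wdb_host_entry(real, displayed) if is_fp else None,
    }


if __name__ == "__main__":
    for key, value in triage(DEBUG_LOG, WRAPPED_URL).items():
        print(f"{key}: {value}")
```

Dropping the emitted `M:` line into a `.wdb` file in the ClamAV database directory suppresses only the urldefense.proofpoint.com / www.bankofamerica.com pairing, which is far narrower than ignoring the whole heuristic through `.ign2`; the same `clamscan --debug` run that produced the log above will show the "looking up in whitelist" lookup succeeding once the entry is loaded. If `is_rewriter_fp` comes back false, the displayed domain and the unwrapped destination genuinely disagree and the hit deserves a closer look rather than a whitelist entry.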


