[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Tue Aug 25 12:41:00 EDT 2015


On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin <klin at sourcefire.com> wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> detection.
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
> Additionally, you can provide the false positive to
> http://www.clamav.net/report/report-fp.html.

Thanks very much. I've submitted an fp, but it appears to be the result of this:

LibClamAV debug: Looking up hash
5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
LibClamAV debug: Phishcheck:URL after cleanup:
LibClamAV debug: Phishing: looking up in whitelist:
m; host-only:0
LibClamAV debug: Phishing: looking up in whitelist:
.urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list:
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:

Looks like the proofpoint "secure URL" product has mangled the URL so
badly that clamav can't decipher it?

In any case, how would I go about whitelisting either the sender
and/or the email the next time this happens, so I don't have to wait
for the sig team to perform an update?

For now, I've whitelisted the whole
Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I
obviously don't want to keep that permanently.

I'm using postfix with amavisd-new and spamassassin on fedora.
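Added example, not from the thread and not ClamAV's own code: a small Python script that pulls the real:displayed hostname pair out of `clamscan --debug` lines like the ones quoted above and turns it into a candidate `.wdb` whitelist entry for just that pair, which is narrower than the `.ign2` entry that switches the whole Heuristics.Phishing.Email.SpoofedDomain detection off. The `M:RealHostname:DisplayedHostname` line form follows ClamAV's documented `.wdb` whitelist format (`X:` lines cover full URLs, `M:` lines cover hostnames); the sample debug lines are constructed after the ones in the message, and the regex shape `(.*\.)?host` and the simplified `is_whitelisted` lookup are this example's own assumptions, so compare the generated line with the ClamAV signature documentation before dropping it into the database directory.

```python
import re

# Constructed sample, modelled on the clamscan --debug output quoted in the message.
# Only the host-only:1 line carries the pair we need for an M: entry.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishcheck:URL after cleanup:
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list:
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""

# "looking up in whitelist: <real>:<displayed>; host-only:<0|1>"
WHITELIST_LINE = re.compile(
    r"looking up in whitelist: (?P<real>[^:;\s]+):(?P<displayed>[^:;\s]+); host-only:(?P<hostonly>[01])"
)


def extract_host_pairs(debug_output):
    """Return (real_host, displayed_host) pairs from the host-only:1 lookups.

    The leading dot ClamAV prints in front of each hostname is stripped so the
    pair reads like ordinary hostnames.
    """
    pairs = []
    for line in debug_output.splitlines():
        m = WHITELIST_LINE.search(line)
        if m and m.group("hostonly") == "1":
            pairs.append((m.group("real").lstrip("."), m.group("displayed").lstrip(".")))
    return pairs


def host_regex(host):
    """Regex matching the host itself or any subdomain of it (assumed anchoring)."""
    return r"(.*\.)?" + re.escape(host)


def wdb_host_entry(real_host, displayed_host):
    """Build an M:RealHostname:DisplayedHostname whitelist line for a .wdb file."""
    return "M:%s:%s" % (host_regex(real_host), host_regex(displayed_host))


def is_whitelisted(wdb_lines, real_host, displayed_host):
    """Simplified model of the host-only whitelist lookup: both sides must match.

    Only M: entries are modelled; X: (full URL) entries are ignored here.
    """
    for line in wdb_lines:
        line = line.strip()
        if not line.startswith("M:"):
            continue
        _, real_re, displayed_re = line.split(":", 2)
        if re.fullmatch(real_re, real_host) and re.fullmatch(displayed_re, displayed_host):
            return True
    return False


if __name__ == "__main__":
    for real, displayed in extract_host_pairs(SAMPLE_DEBUG):
        entry = wdb_host_entry(real, displayed)
        print("candidate .wdb line:", entry)
        # Re-check the pair exactly as the debug output printed it (with leading dots).
        print("would whitelist the logged pair:",
              is_whitelisted([entry], "." + real, "." + displayed))
```

Save the printed line into a file such as `local.wdb` in the ClamAV database directory and reload the daemon; unlike the `.ign2` entry, this leaves the SpoofedDomain heuristic active for every other real/displayed combination, so a message whose visible link says one bank and whose underlying link goes somewhere other than the rewriting service is still flagged.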
