[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Alex mysqlstudent at gmail.com
Tue Aug 16 12:31:37 EDT 2016


I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain | sigtool --decode-sigs

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?

