[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Steve basford steveb_clamav at sanesecurity.com
Tue Aug 16 12:35:07 EDT 2016


Try clamscan --debug 2>debug.log and I think that should show you a domain.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 16 August 2016 17:32:31 Alex <mysqlstudent at gmail.com> wrote:

> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?
>
> Thanks,
> Alex