[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP
kdeugau at vianet.ca
Tue Aug 16 12:51:49 EDT 2016
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> Why doesn't it display the signature with the above command?
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?
The Heuristics* "signatures" aren't fixed signatures in the signature
files. This particular one represents a link where the visible and
link-target domain are "too different", but only for high-risk domains
(e.g. banks). I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature, chase down the
mismatched domains as per Steve's message, and add a line to local.wdb, e.g.:

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others; I use one or the other depending on which
one I can get to actually work on a case-by-case basis.
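The following is an added toy model of what the reply describes, not ClamAV's own code: it compares the domain shown in anchor text with the domain the link actually points to, flags the pair only when one side is on a "high-risk" list, and then consults a local.wdb-style whitelist with both an M: (exact hostname pair) and an X: (regex URL pair) line. It is useful in the way the original poster asked for, because the hit function returns the two hostnames that were compared, which is exactly what you need in order to write the whitelist line. Assumptions: the high-risk list and the sample local.wdb contents are constructed for this example; the "registrable domain" is taken naively as the last two labels; the X:/M: matching rules are a simplified reading of the documented .wdb format (X fields matched as whole-string regexes against the scheme-less URL, M fields as exact hostnames, no ':' inside fields), not ClamAV's exact semantics.

```python
import re
from urllib.parse import urlparse

# Constructed list of "high-risk" domains for the toy heuristic. ClamAV keeps
# its own list (the reply's author does not know where); this one is assumed.
HIGH_RISK_DOMAINS = {"capitalone.com", "paypal.com"}

# Anchor text counts as "displayed URL" only if it looks like a host or URL.
URL_LIKE = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:[/?#].*)?$", re.I
)


def strip_scheme(s):
    """Drop a leading scheme so 'https://a.b/c' and 'a.b/c' compare alike."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", s.strip(), flags=re.I)


def hostname(s):
    """Lower-cased host of a URL or bare 'host/path' string ('' if none)."""
    return (urlparse("http://" + strip_scheme(s)).hostname or "").lower()


def registrable(host):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def load_wdb(text):
    """Parse X: and M: lines of a .wdb-style text into matcher tuples.

    Simplified semantics (assumption): X fields are regexes matched against
    the scheme-less URL, M fields are exact hostnames, fields contain no ':'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        fields = rest.split(":")
        if kind == "X" and len(fields) >= 2:
            entries.append(("X", re.compile(fields[0], re.I), re.compile(fields[1], re.I)))
        elif kind == "M" and len(fields) >= 2:
            entries.append(("M", fields[0].lower(), fields[1].lower()))
    return entries


def is_whitelisted(real_url, displayed, entries):
    """True if any whitelist entry covers this real/displayed pair."""
    real_s, disp_s = strip_scheme(real_url), strip_scheme(displayed)
    real_h, disp_h = hostname(real_url), hostname(displayed)
    for entry in entries:
        if entry[0] == "X":
            if entry[1].fullmatch(real_s) and entry[2].fullmatch(disp_s):
                return True
        elif entry[1] == real_h and entry[2] == disp_h:
            return True
    return False


def spoofed_domain_hit(real_url, displayed, entries=()):
    """Return (displayed_host, real_host) if the pair would be flagged, else None.

    Returning the pair answers "what triggered it": these are the two
    hostnames to put into the local.wdb line.
    """
    if not URL_LIKE.match(displayed.strip()):
        return None  # anchor text is not URL-like, heuristic does not apply
    real_h, disp_h = hostname(real_url), hostname(displayed)
    real_d, disp_d = registrable(real_h), registrable(disp_h)
    if real_d == disp_d:
        return None  # same registrable domain, nothing spoofed
    if disp_d not in HIGH_RISK_DOMAINS and real_d not in HIGH_RISK_DOMAINS:
        return None  # mismatch, but neither side is on the high-risk list
    if is_whitelisted(real_url, displayed, entries):
        return None
    return (disp_h, real_h)


# Constructed local.wdb contents: one exact hostname pair and one regex pair.
SAMPLE_WDB = r"""
# M: exact real/displayed hostname pair
M:www.capitaloneemail.com:www.capitalone.com
# X: regex real/displayed URL pair (last field is the attribute flags)
X:.+\.capitaloneemail\.com([/?].*)?:.+\.capitalone\.com([/?].*)?:17
"""

if __name__ == "__main__":
    wl = load_wdb(SAMPLE_WDB)
    print(spoofed_domain_hit("https://www.capitaloneemail.com/offer", "www.capitalone.com"))
    print(spoofed_domain_hit("https://www.capitaloneemail.com/offer", "www.capitalone.com", wl))
```

Run it once without the whitelist to see the compared pair, then with the whitelist loaded to confirm the M: or X: line actually suppresses that pair; the X: line also covers other subdomains and paths, which is why a regex line sometimes works where an exact M: line does not.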