[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

Kris Deugau kdeugau at vianet.ca
Tue Aug 16 12:51:49 EDT 2016


Alex wrote:
> Hi,
> 
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
> 
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
> 
> Why doesn't it display the signature with the above command?
> 
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

The Heuristics* "signatures" aren't fixed signatures in the signature
files.  This particular one represents a link where the visible and
link-target domains are "too different", but only for high-risk domains
(e.g. banks).  I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature chase down the
mismatched domains as per Steve's message, and add a line to local.wdb, eg:

X:\.rbc\.com:www\.rbcroyalbank\.com

or

M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others; I use one or the other depending on which
one I can get to actually work on a case-by-case basis.

-kgd
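An added checker, not ClamAV's own code, that loads local.wdb entries like the two above and reports which entry (if any) allows a given real/displayed link pair. It assumes the documented .wdb layout (real URL or hostname first, displayed second), treats X: fields as regular expressions searched in the full URLs and M: fields as exact hostname matches, and ignores the optional trailing flags field; this is a simplified model of clamd's matching, and the sample file content is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed local.wdb content, modelled on the two entries in the post.
# X: lines are regexes over the real and displayed URL, M: lines are
# literal hostname pairs; real target comes first, displayed text second.
LOCAL_WDB = r"""
X:\.rbc\.com:www\.rbcroyalbank\.com
M:trk.cp20.com:bmo.com
"""

def parse_wdb(text):
    """Return (kind, real, displayed) tuples; X: fields are compiled regexes."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)          # optional 4th field (flags) ignored
        if len(parts) not in (3, 4) or parts[0] not in ("X", "M"):
            raise ValueError(f"line {lineno}: not an X:/M: entry: {line!r}")
        kind, real, displayed = parts[0], parts[1], parts[2]
        if kind == "X":
            real, displayed = re.compile(real), re.compile(displayed)
        else:
            real, displayed = real.lower(), displayed.lower()
        entries.append((kind, real, displayed))
    return entries

def hostname(url):
    """Lower-cased hostname of a URL; a bare hostname is accepted as well."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return host.lower() if host else ""

def allowed_by(entries, real_url, displayed_url):
    """First entry that allows the (real, displayed) pair, or None.

    Assumed model: X: regexes are searched in the full URLs, M: hostnames
    must equal the link's real and displayed hostnames exactly, so an M:
    line for bmo.com does not cover a link displayed as www.bmo.com.
    """
    for kind, real, displayed in entries:
        if kind == "X":
            if real.search(real_url) and displayed.search(displayed_url):
                return (kind, real.pattern, displayed.pattern)
        elif real == hostname(real_url) and displayed == hostname(displayed_url):
            return (kind, real, displayed)
    return None
```

Feed it the real href and the visible link text you recovered from the quarantined message to see whether an existing entry already covers that pair before adding another.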
