[clamav-users] Whitelisting FP domains

Reindl Harald h.reindl at thelounge.net
Thu Oct 6 10:21:40 EDT 2016



On 06.10.2016 at 16:08, Alex wrote:
>>> We have reports of a domain being blacklisted and we don't think it
>>> should be:
>>>
>>> LibClamAV debug: Phishcheck:Checking url
>>> http://www.hospitalitytec.com->www.hospitalitytec.com
>>
>> I think it's better to keep the domain listed at the moment..
>>
>> https://www.virustotal.com/en/url/291d973f15db6a186cf6b947f15794c4b12f1846fb5969ffa4057c9f20eda7b2/analysis/1475758916/
>
> Okay, thanks, I have notified them.
>
> I have another that was just discovered. Is this a sanesecurity
> pattern and could it be a FP? There's no reference to it on virustotal
> or elsewhere:
>
> # sigtool --find-sigs winnow.spam.ts.miscspam.1025807 | sigtool --decode-sigs
> VIRUS NAME: winnow.spam.ts.miscspam.1025807
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> {STRING_ALTERNATIVE:.|/|@| |<}americanas.com.br{STRING_ALTERNATIVE:'|"| |/|=|>|

Well, don't blindly add signatures without distinguishing which ones belong to
which clamd instance and how they should be scored or even allowed to be
rejected.

http://sanesecurity.com/usage/signatures/

winnow_spam_complete.ndb
Signatures to detect fraud and other malicious spam
FP Risk: Med


