[clamav-users] Heuristics.Phishing.Email.SpoofedDomain
Kris Deugau
kdeugau at vianet.ca
Wed Nov 15 18:23:29 UTC 2017
micah anderson wrote:
> I keep having people complaining about False Positives due to
> Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
> the reason this is happening is because of Outlook's "advanced threat
> protection" which wraps urls in a "safelink" url,
> I really didn't want to do this, but I followed
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf
>
> and I added the following to local.wdb (is this still the right place?!)
> to "whitelist" safebrowsing:
>
> X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
>
> but people are still complaining. Did I do this wrong? Looking again at
> the documentation, it appears that it should be '17-' instead of '17',
> but I'm not sure that matters.
I don't know if the whitelist setup will let you blanket-whitelist ALL
EVERYTHING like that. Grab a sample message, and run clamscan -D on it
to find the link it's choking on. Tweak the regex in between calls -
e.g., start with a specific match on the example, and gradually make it
more general. IME there are undocumented limits on what really
constitutes a "valid" entry (both in syntax and in results), so the only
way to get it right is to test and adjust until it works as expected. :/
> Is there some better way to deal with this? I do not want to turn off
> phishing protection in general.
I'd suggest moving up a layer, to whatever is calling Clam, and handle
that result differently (i.e., add a header to pass on to the spam filter
rather than treat it as an absolute black/white result on its own).
-kgd
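The following is an added example, not code from either poster or from ClamAV itself. It parses the .wdb entry quoted in the thread into its four fields (type, RealURL regex, DisplayedURL regex, FuncLevelSpec), then applies a toy approximation of the two checks involved: the SpoofedDomain condition (href host differs from the host shown in the link text) and whether a whitelist entry covers the pair. Assumptions, labelled in the comments: the regexes contain no ':' and are matched against the whole URL string; the real ClamAV matcher has undocumented rules, which is exactly why the reply recommends iterating with clamscan -D. The sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# The local.wdb entry quoted in the thread (constructed copy of that one line).
WDB_LINES = [
    r"X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17",
]


def parse_wdb_entry(line):
    """Split a .wdb line into type, RealURL regex, DisplayedURL regex, FuncLevelSpec.

    Assumption: the two regexes contain no ':' (true for the entry above),
    so a plain split yields exactly four fields.
    """
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ':'-separated fields, got {len(fields)}: {line}")
    kind, real_re, disp_re, flevel = fields
    if kind != "X":
        raise ValueError(f"only regex ('X') entries are handled here, got {kind!r}")
    return {
        "real": re.compile(real_re),
        "displayed": re.compile(disp_re),
        "flevel": flevel,  # kept as the raw string ('17' or '17-'); see the howto
    }


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def looks_spoofed(real_url, displayed_url):
    """Toy version of the SpoofedDomain condition: the host in the href
    and the host in the visible link text are not the same."""
    return host_of(real_url) != host_of(displayed_url)


def is_whitelisted(entry, real_url, displayed_url):
    """Assumption: both regexes must match the *whole* URL string
    (the real matcher's anchoring rules are not documented on the page)."""
    return (entry["real"].fullmatch(real_url) is not None
            and entry["displayed"].fullmatch(displayed_url) is not None)


def classify(entries, real_url, displayed_url):
    """Return 'clean', 'whitelisted' or 'suspect' for one (href, shown) pair."""
    if not looks_spoofed(real_url, displayed_url):
        return "clean"
    if any(is_whitelisted(e, real_url, displayed_url) for e in entries):
        return "whitelisted"
    return "suspect"


# Constructed sample link pairs: a Safe Links wrapper around a legitimate
# destination, an unrelated host shown as the same text, and an exact match.
SAFELINK = ("https://nam02.safelinks.protection.outlook.com/"
            "?url=https%3A%2F%2Fwww.example.com%2Flogin&data=placeholder")
DISPLAYED = "https://www.example.com/login"
OTHER_HOST = "https://login.example.net/verify"

if __name__ == "__main__":
    entries = [parse_wdb_entry(line) for line in WDB_LINES]
    for real, shown in [(SAFELINK, DISPLAYED), (OTHER_HOST, DISPLAYED), (DISPLAYED, DISPLAYED)]:
        print(f"{classify(entries, real, shown):12} href={real[:55]}...  shown={shown}")
```

Two things fall out of running it. First, the entry does match a Safe Links-wrapped href, so if ClamAV still fires, the mismatch is in how the real matcher handles the pattern, not in the regex itself; that is where the clamscan -D loop comes in. Second, the DisplayedURL field `.*([/?].*)?` accepts any link text, so the entry whitelists every Safe Links-wrapped href regardless of what it points to, which is the "blanket-whitelist" concern above and a good reason to follow the suggestion of passing the result to the spam filter as a header instead of treating it as a verdict.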