[clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain
micah anderson
micah at riseup.net
Sun Mar 15 21:35:06 UTC 2020
Hi,
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
I really didn't want to do this, but I added a few entries to the
local.wdb to whitelist it:
X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-
That seemed to work for a while, but people are getting hit by it again,
it seems like the URLs changed, they used to be:
https://urldefense.proofpoint.com/v2/url?u="
the newer ones prepend
https://urldefense.com/v3/__
but that regexp should match, unless I'm misreading it. Does someone
have a better solution that works for this?
thanks!
--
micah
More information about the clamav-users
mailing list