[clamav-users] Heuristics, only on or off?
Kris Deugau
kdeugau at vianet.ca
Wed Mar 24 13:41:16 UTC 2021
Joe Acquisto-j4 wrote:
> In log find (snipped)
>
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
This is enabled by the AlertOLE2Macros directive in clamd.conf.
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
This is enabled by the PhishingScanURLs directive in clamd.conf.
> I love the first one but loathe the second one. Is there some secret sauce to
> allow discriminating between them?
Read the man page for clamd.conf. You may have to do some testing in a
sandbox with some sample emails to determine exactly which combination
of these and several apparently related settings you want enabled.
On the systems I maintain, I found that PhishingScanURLs suffered from
too many false positives (albeit mostly on mail from senders that should
really know better - I'm looking at you, major financial institutions),
so I disabled it for hard pass/fail scanning. I set up a secondary
clamd instance with these and a number of other potentially FP-prone
options as well as a collection of variously potentially risky third
party and local signatures, but without the stock signatures. This
second instance is called from SpamAssassin for scoring instead of hard
pass/fail.
-kgd
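The two-tier setup described above (a strict clamd for hard pass/fail and a second, FP-prone clamd whose hits only add score), as an added example that is not part of the post or of ClamAV itself. The directive names (AlertOLE2Macros, PhishingScanURLs, LocalSocket, DatabaseDirectory) are the real clamd.conf ones; the socket paths, database directory, per-signature scores and the sample clamd replies are assumptions made for this example. The client speaks clamd's zINSTREAM protocol directly so it can be tried against any running clamd without SpamAssassin in the loop.

```python
"""Two clamd instances, two roles: the strict one rejects outright, the
scoring one only contributes points. Added example; not from the post or
the ClamAV project. Socket paths, database path and score values below
are assumptions."""
import socket
import struct

# clamd.conf fragments for the two instances (assumed paths). Directive
# names are the real ones from clamd.conf(5).
STRICT_CONF = """\
LocalSocket /run/clamav/clamd-strict.sock
AlertOLE2Macros yes
PhishingScanURLs no
"""
SCORING_CONF = """\
LocalSocket /run/clamav/clamd-score.sock
DatabaseDirectory /var/lib/clamav-score
AlertOLE2Macros yes
PhishingScanURLs yes
"""


def instream_frames(data: bytes, chunk: int = 8192) -> bytes:
    """Encode data for clamd's zINSTREAM command: NUL-terminated command,
    then length-prefixed (4-byte big-endian) chunks, then a zero-length
    chunk that ends the stream."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes) -> tuple:
    """Parse 'stream: OK', 'stream: <sig> FOUND' or 'stream: <msg> ERROR'.
    Returns (status, detail) with status in {'OK', 'FOUND', 'ERROR'}."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", ""
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[:-len(" ERROR")]
    return "ERROR", verdict


def scan_stream(socket_path: str, data: bytes) -> tuple:
    """Send data to one clamd over its Unix socket and parse the reply.
    Not exercised offline; needs a running clamd at socket_path."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


# Points added per scoring-tier hit (assumed values; in the post's setup
# the real weights would live in SpamAssassin's configuration).
SCORES = {
    "Heuristics.Phishing.Email.SpoofedDomain": 2.5,
    "Heuristics.OLE2.ContainsMacros.VBA": 1.0,
}


def decide(strict: tuple, scoring: tuple) -> dict:
    """Combine the two verdicts. A strict-tier FOUND rejects the message;
    a strict-tier ERROR tempfails it (never fail open on the strict
    tier); a scoring-tier hit only adds points, and a scoring-tier
    ERROR is treated as no hit."""
    s_status, s_detail = strict
    if s_status == "FOUND":
        return {"action": "reject", "reason": s_detail, "score": 0.0}
    if s_status == "ERROR":
        return {"action": "tempfail", "reason": s_detail, "score": 0.0}
    c_status, c_detail = scoring
    if c_status == "FOUND":
        # Unknown scoring signatures get a small default weight.
        return {"action": "accept", "reason": c_detail,
                "score": SCORES.get(c_detail, 1.0)}
    return {"action": "accept", "reason": "", "score": 0.0}


def check_message(raw: bytes,
                  strict_sock="/run/clamav/clamd-strict.sock",
                  scoring_sock="/run/clamav/clamd-score.sock") -> dict:
    """Scan one raw message through both instances and combine."""
    return decide(scan_stream(strict_sock, raw), scan_stream(scoring_sock, raw))
```

The point of the split is in decide(): only the strict instance can turn a message away, so a noisy heuristic such as Heuristics.Phishing.Email.SpoofedDomain can stay switched on in the scoring instance without ever causing a hard bounce on its own. Keeping the strict instance's ERROR as a tempfail rather than an accept is deliberate; the scoring instance is allowed to fail open because its output is advisory.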