[clamav-users] excluding a URL from "heuristics" scanning

G.W. Haywood clamav at jubileegroup.co.uk
Thu Aug 11 17:17:10 UTC 2022


Hi there,

On Thu, 11 Aug 2022, joe a wrote:

> A while back discussed excluding some URLs from triggering the heuristics 
> scan.   Seemed to work.  Postfix, spamassassin, clamav in use.
>
> Now seems some additional URLs are involved. Perhaps I am doing something 
> wrong here.
>
> Been determining (?) the offending URLs by examining the entire email using:
>
> clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt
>
> then looking for offenders using:
>
> grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt
>
> entering the URL seen in "Real URL:  http://some.url" into 
> "/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart 
> clamd.service)
>
> I would presume re-scanning as above should no longer flag the offending 
> URL(s)?

You presume a lot.  The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

-- 

73,
Ged.

