[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com
joe a
joea-lists at j4computers.com
Wed Jun 15 15:12:09 UTC 2022
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote:
> Yea for now I just created the line as per the doc (
> https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format )
> and it’s working.
>
> For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list »
> but an « allow list » of real URL and display URL that you want to allow.
>
>
> echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
> systemctl restart clamd
>
>
To semi-hijack, I was attempting to deal with my own occasional false
positive by using this thread as a clue.
Attempting to follow the docs, I hit a wall here:
"To help you identify what triggered a heuristic phishing alert,
clamscan or clamd will print a message indicating the "Display URL" and
"Real URL" involved in a heuristic phishing alert."
I did not find such an entry in any of the "usual suspect" logs, so
wondering if that means I must somehow submit the offending email for a
manual scan, or if I simply do not know where to look?
Thanks for any assistance.
joe a.
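
The allow-list entry quoted above has the form `M:RealHostname:DisplayedHostname`. As an added example (not part of the original thread or of ClamAV), the shell helpers below build such a line from a real URL and a display URL, reject anything that is not a bare hostname (such as leftover `<http://...>` link markup), and append it only once. The function names `host_of`, `wdb_entry` and `wdb_add` are hypothetical, and the sample safelinks URL is constructed.

```shell
#!/bin/sh
# Added example: build and idempotently append M: entries for a local .wdb file.

# host_of URL -> prints the lowercase hostname, or fails if it is not a bare hostname.
host_of() {
    h=${1#*://}          # drop the scheme, if any
    h=${h%%[/?#]*}       # drop path, query and fragment
    h=${h##*@}           # drop userinfo
    h=${h%%:*}           # drop port
    h=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    case $h in
        ''|*[!a-z0-9.-]*) return 1 ;;   # empty, or stray characters such as '<', '>' or spaces
    esac
    printf '%s' "$h"
}

# wdb_entry REAL_URL DISPLAY_URL -> prints "M:realhost:displayhost"
wdb_entry() {
    real=$(host_of "$1") || return 1
    disp=$(host_of "$2") || return 1
    printf 'M:%s:%s\n' "$real" "$disp"
}

# wdb_add FILE REAL_URL DISPLAY_URL -> appends the entry unless the exact line exists.
wdb_add() {
    file=$1
    entry=$(wdb_entry "$2" "$3") || return 1
    if [ -f "$file" ] && grep -qxF -- "$entry" "$file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Constructed sample: the pair from the thread, given as full URLs.
wdb_entry 'https://can01.safelinks.protection.outlook.com/?url=x' \
          'https://www.desjardins.com/'
# Real use would be: wdb_add /var/lib/clamav/local.wdb REAL_URL DISPLAY_URL
# followed by the clamd restart shown in the quoted message.
```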