[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com
Kris Deugau
kdeugau at vianet.ca
Wed Jun 15 15:47:26 UTC 2022
joe a wrote:
> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
>
> Attempting to follow the docs, I hit a wall here:
>
> "To help you identify what triggered a heuristic phishing alert,
> clamscan or clamd will print a message indicating the "Display URL" and
> "Real URL" involved in a heuristic phishing alert. "
>
> I did not find such an entry in any of the "usual suspect" logs, so
> wondering if that means I must somehow submit the offending email for a
> manual scan, or if I simply do not know where to look?
It's only in the debug output. While I was still chasing this I just
ran clamscan --debug after the fact on the FP sample to extract the
relevant URL bits, although it was still sometimes a bit of effort to
then find the right .wdb entry to actually whitelist the match when scanned.
Some time ago I gave up on using this test in a hard pass/fail context,
largely because of exactly the class of problem reported in this thread.
Instead I have it enabled in a clamd instance that's called by a
filter processing component with enough smarts to balance a hit on this
test with other criteria.
-kgd
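The workflow Kris describes (re-run clamscan --debug on the FP sample, pull out the Display URL / Real URL pair, then work out a .wdb entry that covers it) is easy to get subtly wrong by hand, so here is a small POSIX sh helper for it. This is an added example written for this page; it is not code from the thread, from joe a or Kris, or from the ClamAV project. It assumes the debug output carries the two URLs on one line as "Display URL: <url>" and "Real URL: <url>" (the wording used in the ClamAV docs; the exact line layout is release-specific, so adjust the sed pattern to what your clamscan actually prints), and it drafts an entry in the documented "X:<real-url regex>:<display-url regex>" shape. Whether ClamAV strips the scheme before matching, and how it anchors the regex, is not confirmed here; the drafted pattern tolerates a leading scheme either way and the script checks its own output against the URL pair with grep -E before you install it. The sample debug lines are constructed, not real clamscan output.

```sh
#!/bin/sh
# Added example: draft and sanity-check a .wdb allow-list entry from the
# Display URL / Real URL pair found in clamscan --debug output.
# Not part of ClamAV; the debug line layout below is an assumption.

# Constructed sample of debug output (NOT real clamscan output).
SAMPLE_DEBUG='LibClamAV debug: Phishcheck: scanning href
LibClamAV debug: Display URL: https://www.desjardins.com/ Real URL: http://click.example-esp.net/r/abc123?u=9
LibClamAV debug: Phishcheck: done'

# Read debug output on stdin, print "display real" for each line carrying both.
# Assumed layout: "... Display URL: <url> ... Real URL: <url> ...".
extract_pairs() {
    sed -n 's/.*Display URL: *\([^ ]*\).*Real URL: *\([^ ]*\).*/\1 \2/p'
}

# Reduce a URL to its lower-cased host: drop scheme, userinfo, path/query, port.
url_host() {
    printf '%s\n' "$1" |
    sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' \
        -e 's#^[^/?]*@##' \
        -e 's#[/?].*$##' \
        -e 's#:[0-9]*$##' |
    tr '[:upper:]' '[:lower:]'
}

# Escape a hostname for use in an ERE: only '.' needs it.
host_regex() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Regex for "this host (or a subdomain of it), optionally preceded by a
# scheme, followed only by a path or query". Notes on the shape:
#  - ':' is the .wdb field separator, so "https?.//" uses '.' in place of ':'.
#  - "([^/]*\.)?" admits subdomains but cannot cross a '/', so the host can
#    never be matched merely because it appears in the path of some other
#    site's URL; an over-broad real-URL regex would turn the entry into a
#    phishing bypass, which is the main thing to avoid in a .wdb.
#  - "([/?].*)?" stops "host.evil.example" from matching "host".
host_pattern() {
    printf '(https?.//)?([^/]*\\.)?%s([/?].*)?\n' "$(host_regex "$1")"
}

# Draft the X: entry for a display/real URL pair (real URL regex comes first).
wdb_entry() {
    disp_host=$(url_host "$1")
    real_host=$(url_host "$2")
    printf 'X:%s:%s\n' "$(host_pattern "$real_host")" "$(host_pattern "$disp_host")"
}

# Does ERE $1 match the whole of URL $2?
url_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)"'$'
}

# Verify that both regexes in an entry match the pair it was drafted for,
# so a typo or a too-narrow pattern is caught before the file is installed.
check_entry() {
    entry=$1; disp=$2; real=$3
    real_re=$(printf '%s\n' "$entry" | cut -d: -f2)
    disp_re=$(printf '%s\n' "$entry" | cut -d: -f3)
    url_matches "$real_re" "$real" && url_matches "$disp_re" "$disp"
}

# Usage: clamscan --debug fp-sample.eml 2>&1 | sh this-script.sh
# (here driven by the constructed sample instead).
main() {
    printf '%s\n' "$SAMPLE_DEBUG" | extract_pairs | while read -r disp real; do
        entry=$(wdb_entry "$disp" "$real")
        if check_entry "$entry" "$disp" "$real"; then
            printf '%s\n' "$entry"
        else
            printf 'drafted entry does not match its own URL pair: %s\n' "$entry" >&2
        fi
    done
}

main
```

Append the printed line to a .wdb file in your database directory, reload clamd, and re-run clamscan --debug on the same sample: if the hit is gone, the entry matched; if not, the debug output will again show the pair, and the most likely cause is that your ClamAV version applies the pattern differently from what the script assumed.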