[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com
G.W. Haywood
clamav at jubileegroup.co.uk
Wed Jun 15 15:47:48 UTC 2022
Hi there,
On Wed, 15 Jun 2022, joe a wrote:
> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
>
> Attempting to follow the docs, I hit a wall here:
>
> "To help you identify what triggered a heuristic phishing alert, clamscan or
> clamd will print a message indicating the "Display URL" and "Real URL"
> involved in a heuristic phishing alert. "
>
> I did not find such an entry in any of the "usual suspect" logs ...
You might have more luck if you use verbose options. Some logic in
libclamav/phishcheck.c is a bit convoluted and it looks like under some
circumstances there might be reasons for not flagging a potential phish,
and not logging certain warnings. I haven't gone over it with a
magnifying glass but there are definitely more informative debug
messages available to you.

If you'd like to put a couple of samples up somewhere I could take a
look at them for you.
--
73,
Ged.