[clamav-users] allowlist/fixing false positive

Alex mysqlstudent at gmail.com
Tue Mar 1 22:15:49 UTC 2022


Hi,

I have a Fedora 34 system with clamd-0.103.5 and amavisd/SA/postfix. I
have a newsletter from ncua.gov that keeps getting blocked because it
apparently contains links.gd in the body somewhere, although I can't
find it.

How do I exclude this email from being tagged without having to bypass
the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

X-Amavis-Alert: INFECTED, message contains virus:
        Heuristics.Phishing.Email.SpoofedDomain

Also, I keep deleting the main.cvd database but it keeps replacing it.
How do I configure clamav so it only updates one of the main database
types?

clamscan -v virus-20220228T143424-suCp6LTlKRG5
LibClamAV Warning: Detected duplicate databases
/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
remove one of them
Scanning /root/quarantine/virus-20220228T143424-suCp6LTlKRG5
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://lnks.gd
LibClamAV info:   Display URL: chairmanharpersfullremarksareavailableonncua.gov
/root/quarantine/virus-20220228T143424-suCp6LTlKRG5:
Heuristics.Phishing.Email.SpoofedDomain FOUND

The entire email can be found here:
https://pastebin.com/EXZ1fDpK
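For the first question, ClamAV's phishing allowlist (.wdb) database is the mechanism for exempting one real/displayed pair without disabling Heuristics.Phishing.Email.SpoofedDomain. Added example, not from the original post: a .wdb file built from the hostnames in the clamscan output above; the file name is made up, and the X: regex line and its trailing functionality-level field are written on the assumption that the documented "X:RealURL:DisplayedURL:FuncLevelSpec" form is accepted.

```text
# /var/lib/clamav/ncua-newsletter.wdb  (constructed example file name)
# Lines starting with '#' are comments.

# M: form, exact hostname match, no regex. This is the pair clamscan printed:
#   Real URL:    https://lnks.gd
#   Display URL: chairmanharpersfullremarksareavailableonncua.gov
M:lnks.gd:chairmanharpersfullremarksareavailableonncua.gov

# X: form, anchored regexes on the real and displayed URLs, so any lnks.gd
# link whose visible text ends in ncua.gov is exempted (assumed syntax;
# the ":17-" minimum functionality level follows the manual's examples).
X:.*lnks\.gd([/?].*)?:.*ncua\.gov([/?].*)?:17-
```

Drop the file into the database directory (/var/lib/clamav here), reload clamd (clamdscan --reload or a service restart), and re-run clamscan on the quarantined message: the SpoofedDomain line should no longer appear for that pair while the heuristic stays active for everything else.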

