[clamav-users] allowlist/fixing false positive

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Mar 3 11:50:54 UTC 2022


On 01.03.22 17:15, Alex via clamav-users wrote:
>I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
>have a newsletter from ncua.gov that keeps getting blocked because it
>apparently contains links.gd in the body somewhere, although I can't
>find it.
>
>How do I exclude this email from being tagged without having to bypass
>the Heuristics.Phishing.Email.SpoofedDomain rule altogether?
>
>X-Amavis-Alert: INFECTED, message contains virus:
>        Heuristics.Phishing.Email.SpoofedDomain

I think this can be enabled by disabling PhishingScanURLs in clamd.conf.
I also think amavis has a way to handle this kind of clamav result
differently, but that's a question for amavis, not for clamav.

>Also, I keep deleting the main.cvd database but it keeps replacing it.
>How do I configure clamav so it only updates one of the main database
>types?
>
>clamscan -v virus-20220228T143424-suCp6LTlKRG5
>LibClamAV Warning: Detected duplicate databases
>/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
>remove one of them

Do you have both of them? Which one is older?
Don't you have an old clamav(-freshclam) installation hanging around somewhere?

>LibClamAV info:   Real URL:    https://lnks.gd
>LibClamAV info:   Display URL: chairmanharpersfullremarksareavailableonncua.gov
>/root/quarantine/virus-20220228T143424-suCp6LTlKRG5:
>Heuristics.Phishing.Email.SpoofedDomain FOUND

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
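Added example, not code from the thread or from the ClamAV project: a small Python helper that takes the Real URL / Display URL pair clamscan printed above and builds a ClamAV `.wdb` allowlist entry in the regex form `X:RealURL:DisplayedURL:FuncLevelSpec` from the ClamAV signature manual, covering only that domain pair so Heuristics.Phishing.Email.SpoofedDomain stays active for everything else. It assumes the `X:` body is applied as one regex to the string `real:display` (a local approximation of ClamAV's matcher, used here only to sanity-check the entry before deploying it); the `17-255` functionality level follows the manual's example, and `local.wdb` is an assumed file name.

```python
import re
# Constructed sample: the clamscan -v lines quoted in the thread, joined as clamscan
# prints them (path and verdict on one line) so the example runs offline.
SAMPLE_SCAN = """\
LibClamAV info:   Real URL:    https://lnks.gd
LibClamAV info:   Display URL: chairmanharpersfullremarksareavailableonncua.gov
/root/quarantine/virus-20220228T143424-suCp6LTlKRG5: Heuristics.Phishing.Email.SpoofedDomain FOUND
"""

REAL_RE = re.compile(r"^LibClamAV info:\s+Real URL:\s+(\S+)")
DISPLAY_RE = re.compile(r"^LibClamAV info:\s+Display URL:\s+(\S+)")
FOUND_RE = re.compile(r"^(\S+): (Heuristics\.Phishing\.Email\.\S+) FOUND$")

def parse_findings(scan_output):
    """Pair each FOUND line with the Real/Display URLs printed just before it."""
    findings, real, display = [], None, None
    for line in scan_output.splitlines():
        if m := REAL_RE.match(line):
            real = m.group(1)
        elif m := DISPLAY_RE.match(line):
            display = m.group(1)
        elif (m := FOUND_RE.match(line)) and real and display:
            findings.append({"path": m.group(1), "sig": m.group(2), "real": real, "display": display})
            real = display = None
    return findings

def url_pattern(domain, loose=False):
    """Regex for one side of an X: entry: `domain`, its subdomains, any path."""
    # loose=True also accepts text glued in front of the domain, which is what the
    # Display URL above is (link text with the spaces stripped); strict is the default.
    prefix = ".*" if loose else r"(.*[/.])?"
    return f"{prefix}{re.escape(domain.lower())}([/?].*)?"

def wdb_entry(real_domain, display_domain, loose_display=False):
    """One .wdb line in the form X:RealURLregex:DisplayedURLregex:FuncLevelSpec."""
    return f"X:{url_pattern(real_domain)}:{url_pattern(display_domain, loose_display)}:17-255"

def entry_matches(entry, real_url, display_url):
    """Local approximation of the matcher: X: body (minus func level) vs 'real:display'."""
    body = entry.split(":", 1)[1].rsplit(":", 1)[0]
    return re.fullmatch(body, f"{real_url}:{display_url}") is not None

def allowlist_for(scan_output, real_domain, display_domain):
    """Return the narrowest entry that covers the scan's findings, plus those hits."""
    findings = parse_findings(scan_output)
    for loose in (False, True):  # strict form first, loose only if it is needed
        entry = wdb_entry(real_domain, display_domain, loose)
        hit = [f for f in findings if entry_matches(entry, f["real"], f["display"])]
        if hit:
            return entry, hit
    return None, []
```

Put the resulting line into a file such as /var/lib/clamav/local.wdb and reload clamd; for this message the loose display form is the one that fits, because the Display URL ClamAV reports is the link text with its spaces removed, so the strict `(.*[/.])?ncua\.gov` form does not match it.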