[clamav-users] What was detected?
Paul Netpresto
paul at netpresto.co.uk
Mon Feb 27 21:24:54 UTC 2023
On 27/02/2023 20:57, joe a wrote:
> On 2/27/2023 3:52 PM, joe a wrote:
>> On 2/27/2023 3:47 PM, joe a wrote:
>>> Got an email marked as infected by clamav. I cannot determine what
>>> was detected.
>>>
>>> A long time ago I asked here and someone described how to scan an
>>> individual email file, log the results and scan the log for what was
>>> detected. Or maybe clued me in on which log I was not searching
>>> properly.
>>>
>>> Did not find that conversation in the email archives.
>>
>> Well never mind that part, it is shown clearly in /var/log/clamd.log
>> as "Heuristics.Phishing.Email.SpoofedDomain".
>>
>> I think I conflated that with the means to determine the details
>> so I can add that to a .ign* file. Something to do with debug mode
>> I think.
>>
>>
>
> Or, determine why this was detected in a valid email from a known and
> utilized credit card service. Or is it simpler to "white list" this
> sender and move on?
>
>
If you have sufficient free memory, use clamscan to scan the email in
question. It should be kind enough to highlight the reason why
Heuristics.Phishing.Email.SpoofedDomain was triggered.