[clamav-users] What was detected?

joe a joea-lists at j4computers.com
Mon Feb 27 21:33:57 UTC 2023


On 2/27/2023 4:24 PM, Paul Netpresto wrote:
> 
> On 27/02/2023 20:57, joe a wrote:
>> On 2/27/2023 3:52 PM, joe a wrote:
>>> On 2/27/2023 3:47 PM, joe a wrote:
>>>> Got an email marked as infected by clamav.  I cannot determine what 
>>>> was detected.
>>>>
>>>> A long time ago I asked here and someone described how to scan an 
>>>> individual email file, log the results and scan the log for what was 
>>>> detected.   Or maybe clued me in on which log I was not searching 
>>>> properly.
>>>>
>>>> Did not find that conversation in the email archives.
>>>> _______________________________________________
>>>>
>>>> Manage your clamav-users mailing list subscription / unsubscribe:
>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>>
>>>>
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/Cisco-Talos/clamav-documentation
>>>>
>>>> https://docs.clamav.net/#mailing-lists-and-chat
>>>
>>> Well never mind that part, it is shown clearly in /var/log/clamd.log 
>>> as "Heuristics.Phishing.Email.SpoofedDomain".
>>>
>>> What I think I conflated that with is the means to determine the details 
>>> so I can add that to a .ign* file.   Something to do with debug mode 
>>> I think.
>>>
>>>
>>
>> Or, determine why this was detected in a valid email from a known and 
>> utilized credit card service.   Or is it simpler to "white list" this 
>> sender and move on?
>>
>>
> If you have sufficient free memory  use clamscan to scan the email in 
> question. It should be kind enough to highlight the reason why 
> Heuristics.Phishing.Email.SpoofedDomain was triggered.
> 
>

I attempted that just now.  Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, it 
starts cranking out errors/warnings like:

Return-path: <some at body.com>: No such file or directory
WARNING: Return-path: <some at body.com>: Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and I am 
attempting to determine the actual objectionable domain.

Clearly I am doing something wrong.
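Added example (not from anyone in this thread): a small POSIX shell helper for the scan-and-inspect step being discussed. Note that clamscan's `-f` is `--file-list`, which makes clamscan read each line of the given file as a path to scan, so the email itself must be passed as a plain positional argument; the file and log names below are arbitrary, and the debug-line filter is a keyword grep rather than a claim about libclamav's exact phishing messages.

```shell
#!/bin/sh
# Added example: scan a single .eml with clamscan --debug, then extract the
# verdict and any phishing-related debug lines from the captured output.
# Assumes clamscan and its signature database are installed locally.

# Turn "<path>: <signature> FOUND" verdict lines into bare signature names.
extract_hits() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p'
}

# Keep debug lines mentioning phishing or spoofing. With --debug, libclamav
# writes "LibClamAV debug: ..." lines to stderr, so the log must capture 2>&1.
phish_debug_lines() {
    grep -iE 'phish|spoof' || true
}

# Scan one message. The .eml is a positional argument, NOT -f/--file-list
# (that would treat every header line, e.g. "Return-path: <...>", as a
# filename and produce "No such file or directory" warnings).
scan_eml() {
    eml="$1"
    log="${2:-clamscan-debug.log}"   # constructed default log name
    clamscan --debug --no-summary "$eml" >"$log" 2>&1
    echo "verdict:"
    extract_hits <"$log"
    echo "phishing-related debug lines:"
    phish_debug_lines <"$log"
}

if [ $# -gt 0 ]; then
    scan_eml "$@"
fi
```

Run as `sh scan-eml.sh some-email.eml`; the full debug output stays in the log file for closer reading.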




More information about the clamav-users mailing list