[clamav-users] What was detected?
Paul Netpresto
paul at netpresto.co.uk
Mon Feb 27 21:38:36 UTC 2023
On 27/02/2023 21:33, joe a wrote:
> On 2/27/2023 4:24 PM, Paul Netpresto wrote:
>>
>> On 27/02/2023 20:57, joe a wrote:
>>> On 2/27/2023 3:52 PM, joe a wrote:
>>>> On 2/27/2023 3:47 PM, joe a wrote:
>>>>> Got an email marked as infected by clamav. I cannot determine
>>>>> what was detected.
>>>>>
>>>>> A long time ago I asked here and someone described how to scan an
>>>>> individual email file, log the results and scan the log for what
>>>>> was detected. Or maybe clued me in on which log I was not
>>>>> searching properly.
>>>>>
>>>>> Did not find that conversation in the email archives.
>>>>
>>>> Well never mind that part, it is shown clearly in
>>>> /var/log/clamd.log as "Heuristics.Phishing.Email.SpoofedDomain".
>>>>
>>>> What I think I conflated that with is the means to determine the
>>>> details so I can add that to a .ign* file. Something to do with
>>>> debug mode I think.
>>>>
>>>>
>>>
>>> Or, determine why this was detected in a valid email from a known
>>> and utilized credit card service. Or is it simpler to "white list"
>>> this sender and move on?
>>>
>>>
>> If you have sufficient free memory use clamscan to scan the email in
>> question. It should be kind enough to highlight the reason why
>> Heuristics.Phishing.Email.SpoofedDomain was triggered.
>>
>>
>
> I attempted that just now. Ran clamscan --debug -f some-email.eml
>
> After it cranks up and apparently begins actually scanning the email,
> it starts cranking out errors/warnings like:
>
> Return-path: <some at body.com>: No such file or directory
> WARNING: Return-path: <some at body.com>: Can't access file
> Seems to be t
> This particular email was previously scanned and found to be possibly
> infected with "Heuristics.Phishing.Email.SpoofedDomain" and am
> attempting to determine the actual objectionable domain.
>
> Clearly I am doing something wrong.
Try clamscan some-email.eml
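Paul's suggestion worked into a small script, as an added example that is not from the thread: pass the message file to clamscan directly and pull the signature name out of its output. The `-f` in the earlier attempt is clamscan's `--file-list` option, which reads one path per line from the given file, so every header line of the .eml was treated as a filename and produced the "Can't access file" warnings; the script assumes clamscan is installed, and the sample output it checks against is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: scan one saved message with clamscan
# and pull the signature name(s) out of its output.
# clamscan's -f/--file-list expects a file containing one path per line, so
# "clamscan -f some-email.eml" treats each header line of the message as a
# filename ("Return-path: <...>: Can't access file"). Pass the .eml directly.

# Turn clamscan's per-file result lines, read on stdin, of the form
#   /path/to/file: SIGNATURE FOUND
# into one signature name per line; "OK" lines and the summary produce nothing.
clamscan_signatures() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p'
}

# Scan a single message (debug output goes to stderr, so merge it) and keep the
# result lines plus any phishing-related debug lines that explain the hit.
scan_email() {
    [ -f "$1" ] || { echo "scan_email: no such file: $1" >&2; return 2; }
    clamscan --debug "$1" 2>&1 | grep -Ei 'FOUND|Infected files|phish'
}

# Offline check of the parser: feed it a string in clamscan's output format.
signatures_in() {
    printf '%s\n' "$1" | clamscan_signatures
}

# Constructed sample of clamscan output for a flagged message (not real data).
sample_output='some-email.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------
Infected files: 1'
```

Run `scan_email some-email.eml` on the saved message; the FOUND line names the signature and the merged debug lines show which URL pair triggered the phishing heuristic.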