https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains that you want to be safe.

--Maarten

On Wed, Jun 15, 2022 at 4:48 PM joe a <joea-lists@j4computers.com> wrote:

On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 15 Jun 2022, joe a wrote:
>
>> To semi-hijack, I was attempting to deal with my own occasional false
>> positive by using this thread as a clue.
>>
>> Attempting to follow the docs, I hit a wall here:
>>
>> "To help you identify what triggered a heuristic phishing alert,
>> clamscan or clamd will print a message indicating the "Display URL"
>> and "Real URL" involved in a heuristic phishing alert. "
>>
>> I did not find such an entry in any of the "usual suspect" logs ...
>

Thanks gents.

After a (good) bit of messing about, found this (names obfuscated):

****************
LibClamAV info: Real URL: https://l.infoxx.domain.com
LibClamAV info: Display URL: anotherdomain.com
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
different

****************

I presume that is what needs to be added to the (a ?) WDB file, but, I
find no WDB files anywhere on my system.

Clearly, I am beyond my current knowledge.

joe a.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat