jordi garcia wrote:
> Hello,
>
> I'm trying to add some values to the whitelist following the phishsigs_howto.pdf
> doc. It's a simple conf, but it doesn't work.
>
> With 'clamscan --debug email.file' command capture:
>
> LibClamAV debug: Phishcheck:Checking url
> http://ad.doubleclick.net/clk;77451406;6134080;d?http://www.correo.movistar.es/do/isp/assistant/login?isp=terra
> ->aquí.
> LibClamAV debug: Phishcheck:URL after cleanup:
> http://ad.doubleclick.net/->aquí
> LibClamAV debug: Displayed 'url' is not url:aquí
> LibClamAV debug: Phishcheck: Phishing scan result: Clean
> LibClamAV debug: blobDestroy 1
> LibClamAV debug: blobDestroy 1
> LibClamAV debug: messageAddArgument, arg='filename=mixedtextportion'
> LibClamAV debug: messageToFileblob
> LibClamAV debug: blobCreate
> LibClamAV debug: messageExport: numberOfEncTypes == 1
> LibClamAV debug: messageExport: enctype 0 is 1
> LibClamAV debug: messageFindArgument: compare 8 bytes of filename with
> name=attachment
> LibClamAV debug: messageFindArgument: compare 8 bytes of filename with
> filename=mixedtextportion
> LibClamAV debug: blobSetFilename: mixedtextportion
> LibClamAV debug: fileblobSetFilename:
> mkstemp(/tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionXXXXXX)
> LibClamAV debug:
> Creating /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX
> LibClamAV debug: Exported 2895 bytes using enctype 1
> LibClamAV
> debug: /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX
> is infected
> LibClamAV debug:
> fileblobDestructiveDestroy:
> /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX
> LibClamAV debug: The message has 0 parts
> LibClamAV debug: cli_mbox returning 1
> /tmp/email.file: Email.Phishing.RB-2924 FOUND
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Freeing phishcheck struct
> LibClamAV debug: Phishcheck cleaned up
>
>
> It's clean?? But the command returns 'Email.Phishing.RB-2924 FOUND', why?
>
>
> and I added this value to daily.wdb:
> M:http://ad.doubleclick.net/:aquí<http://ad.doubleclick.net/:aqu%C3%AD>
>
>
> What's wrong?

daily.wdb is for Phishing.Heuristics.* detection. Email.Phishing.* detection is done via signatures from the database. You need to add an entry to daily.fp to avoid the false positive. Or submit the sample as a false positive.

Best regards,
--Edwin
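
The distinction drawn in the reply above, applied to the debug output from the question. This is an added example, not part of the original thread or of ClamAV itself; the function name `triage`, the regular expressions and the returned field names are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the debug output quoted in the thread.
SAMPLE_LOG = """\
LibClamAV debug: Phishcheck:URL after cleanup: http://ad.doubleclick.net/->aquí
LibClamAV debug: Displayed 'url' is not url:aquí
LibClamAV debug: Phishcheck: Phishing scan result: Clean
LibClamAV debug: cli_mbox returning 1
/tmp/email.file: Email.Phishing.RB-2924 FOUND
"""

# Result line of the URL heuristic engine (phishcheck).
PHISHCHECK_RE = re.compile(r"Phishcheck: Phishing scan result: (.+)$")
# Final clamscan verdict line: "<path>: <signature name> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND$")
# Prefixes of heuristic URL detections. The first is the name used in the
# reply; the second is the spelling used by later ClamAV releases.
HEURISTIC_PREFIXES = ("Phishing.Heuristics.", "Heuristics.Phishing.")


def triage(log_text):
    """Separate phishcheck verdicts from signature hits and name the
    database file where a false-positive exception for each hit belongs."""
    phishcheck_results, detections = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PHISHCHECK_RE.search(line)
        if m:
            phishcheck_results.append(m.group(1))
            continue
        if line.startswith("LibClamAV debug:"):
            continue  # other debug chatter is not a verdict line
        m = FOUND_RE.match(line)
        if m:
            name = m.group("name")
            heuristic = name.startswith(HEURISTIC_PREFIXES)
            detections.append({
                "path": m.group("path"),
                "name": name,
                "engine": "phishcheck heuristics" if heuristic else "signature database",
                # .wdb entries only affect the URL heuristics; signature hits need .fp
                "exception_db": "daily.wdb" if heuristic else "daily.fp",
            })
    return {"phishcheck_results": phishcheck_results, "detections": detections}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("phishcheck:", report["phishcheck_results"])
    for d in report["detections"]:
        print(f'{d["path"]}: {d["name"]} -> {d["engine"]}, exception in {d["exception_db"]}')
```

On the sample, the phishcheck verdict is `Clean` while the `FOUND` line carries a signature name, which is why the `.wdb` entry had no effect.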