Hello Edwin, how Can I add the entry to daily.fp or submit the sample? I read clamav man and didn't found any information about that.
Kind regards Jordi 2008/4/17, Török Edwin <[EMAIL PROTECTED]>: > > jordi garcia wrote: > > Hello, > > > > I'm trying to add some values to whitelist following phishsigs_howto.pdf > > doc. It's a simple conf, but it doesn't work. > > > > With 'clamscan --debug email.file' command capture: > > > > LibClamAV debug: Phishcheck:Checking url > > > http://ad.doubleclick.net/clk;77451406;6134080;d?http://www.correo.movistar.es/do/isp/assistant/login?isp=terra > > ->aquí. > > LibClamAV debug: Phishcheck:URL after cleanup: > > http://ad.doubleclick.net/->aquí > > LibClamAV debug: Displayed 'url' is not url:aquí > > LibClamAV debug: Phishcheck: Phishing scan result: Clean > > LibClamAV debug: blobDestroy 1 > > LibClamAV debug: blobDestroy 1 > > LibClamAV debug: messageAddArgument, arg='filename=mixedtextportion' > > LibClamAV debug: messageToFileblob > > LibClamAV debug: blobCreate > > LibClamAV debug: messageExport: numberOfEncTypes == 1 > > LibClamAV debug: messageExport: enctype 0 is 1 > > LibClamAV debug: messageFindArgument: compare 8 bytes of filename with > > name=attachment > > LibClamAV debug: messageFindArgument: compare 8 bytes of filename with > > filename=mixedtextportion > > LibClamAV debug: blobSetFilename: mixedtextportion > > LibClamAV debug: fileblobSetFilename: > > > mkstemp(/tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionXXXXXX) > > LibClamAV debug: > > Creating > /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX > > LibClamAV debug: Exported 2895 bytes using enctype 1 > > LibClamAV > > debug: > /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX > > is infected > > LibClamAV debug: > > fileblobDestructiveDestroy: > > /tmp/clamav-a9869b35a7e918d7824ef5c965af32aa/mixedtextportionTu1XhX > > LibClamAV debug: The message has 0 parts > > LibClamAV debug: cli_mbox returning 1 > > /tmp/email.file: Email.Phishing.RB-2924 FOUND > > LibClamAV debug: Cleaning up phishcheck > > LibClamAV debug: Freeing phishcheck struct > > LibClamAV debug: Phishcheck cleaned up > > > > > > It's clean?? but command return 'Email.Phishing.RB-2924 FOUND', why? > > > > > > and I added this value to daily.wdb: > > > M:http://ad.doubleclick.net/:aquí< > http://ad.doubleclick.net/:aqu%C3%AD> > > > > > > What's wrong? > > daily.wdb is for Phishing.Heuristics.* detection. > Email.Phishing.* detection is done via signatures from the database. You > need to add an entry to daily.fp to avoid the false positive. > Or submit the sample as a false positive. > > Best regards, > --Edwin > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://lurker.clamav.net/list/clamav-users.html > _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
