Al Varnell wrote: > You have certainly found the correct pair as your message is still showing up > immediately as infected here.
... and here, too; I wondered why my message hadn't shown up in my clamav mail folder... > Heuristics detections are accomplished by the engine, not a specific > signature. *nod* > The line you found in daily.hdb identifies this as one of several hundred > mostly financial institutions that are analyzed by the heuristics engine for > hyperlinks that do not route the user to a web site the same or a > specifically associated URL. Ah, OK. > I’m not sure why a --debug run didn’t show this. You should see the words > "Phishcheck:" and/or "cli_magic_scandesc:” somewhere around those domains, as > I always do when I run across such FP’s. *nod* On re-re-rechecking several times (clamscan --debug <messagefile |grep -i phish), I noticed this: Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd";>-> (which I'm pretty sure wasn't showing the first five or six times I tried) but no entry for the tdcanadatrust.com link. Checking again now, that link is found too. I'm not sure what changed, other than the fact that the message file is now in a subdirectory. O_o In any case, I've confirmed the FP link and added a daily.wdb: X:http\://ems1.aeroplan.com:tdcanadatrust.com -kgd _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
