OK, I guess that will work, but I don’t think it’s formatted exactly right and 
as I said before I think an “M:” whitelist record is more appropriate here.

At any rate, I suggest you upload it to <http://www.clamav.net/sendvirus/> 
using the "Send a false positive report" form so that other users can benefit 
from this finding.

-Al-

On Mon, Jul 14, 2014 at 11:37 AM, Kris Deugau wrote:
> 
> Al Varnell wrote:
>> You have certainly found the correct pair as your message is still showing 
>> up immediately as infected here.
> 
> ... and here, too;  I wondered why my message hadn't shown up in my
> clamav mail folder...
> 
>> Heuristics detections are accomplished by the engine, not a specific 
>> signature.
> 
> *nod*
> 
>> The line you found in daily.hdb identifies this as one of several hundred 
>> mostly financial institutions that are analyzed by the heuristics engine for 
>> hyperlinks that do not route the user to a web site the same or a 
>> specifically associated URL.
> 
> Ah, OK.
> 
>> I’m not sure why a --debug run didn’t show this.  You should see the words 
>> "Phishcheck:" and/or "cli_magic_scandesc:" somewhere around those domains, 
>> as I always do when I run across such FPs.
> 
> *nod* On re-re-rechecking several times (clamscan --debug <messagefile
> |grep -i phish), I noticed this:
> 
> Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd";>->
> 
> (which I'm pretty sure wasn't showing the first five or six times I
> tried) but no entry for the tdcanadatrust.com link.  Checking again now,
> that link is found too.  I'm not sure what changed, other than the fact
> that the message file is now in a subdirectory.  O_o
> 
> In any case, I've confirmed the FP link and added a daily.wdb:
> 
> X:http\://ems1.aeroplan.com:tdcanadatrust.com

-Al-
-- 
Al Varnell
Mountain View, CA
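As an added example (not part of the thread and not ClamAV's own code), the following Python models the check the thread describes: a link is suspicious when the visible text names a different host than the href, unless a .wdb record covers the pair. The X: record is the one Kris posted; the M: hostname record and the exact matching rules (one anchored regex over "real:displayed" for X:, a literal hostname pair for M:) are assumptions simplified from the .wdb format, not a reimplementation of the engine.

```python
import re
from urllib.parse import urlparse

# Constructed sample .wdb content: the X: record from the thread plus an
# M: record of the kind Al recommends (M: syntax is an assumption here).
SAMPLE_WDB = r"""
# lines starting with '#' are comments
X:http\://ems1.aeroplan.com:tdcanadatrust.com
M:ems1.aeroplan.com:tdcanadatrust.com
"""

DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def parse_wdb(text):
    """Return (kind, body) tuples; kind is 'X' (regex) or 'M' (hostnames)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, body = line.partition(":")
        if kind not in ("X", "M"):
            raise ValueError("unknown record type: " + line)
        entries.append((kind, body))
    return entries


def host_of(s):
    """Lower-cased hostname of a URL or bare domain; '' if not domain-like."""
    try:
        host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    except ValueError:
        return ""
    return host if DOMAIN.match(host) else ""


def is_whitelisted(real_url, displayed, entries):
    """Assumed model: X: body is a regex anchored at the start of
    'real:displayed'; M: body is a literal 'realhost:displayedhost' pair."""
    for kind, body in entries:
        if kind == "X" and re.match(body, real_url + ":" + displayed):
            return True
        if kind == "M" and body == host_of(real_url) + ":" + host_of(displayed):
            return True
    return False


def looks_like_phish(real_url, displayed, entries):
    """True when the visible text names another host and nothing whitelists it."""
    shown = host_of(displayed)
    if not shown or shown == host_of(real_url):
        return False
    return not is_whitelisted(real_url, displayed, entries)
```

Note that the X: record as written only matches the exact href with no path, while the M: pair covers any path on that host.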

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml