As a heuristic, the generation of this detection is a result of behavioral detection by the ClamAV engine and not by any particular database signature. Unfortunately, this effectively means that sigtool is unable to decode the signature as there is no signature associated with this detection.
Luckily, it appears you can see the domain that causes the heuristic detection by running clamscan on the email with the "--debug" flag. The debug flag causes clamscan to log the domain checks to stderr and most likely terminates the scan once it detects the heuristic if "--heuristic-scan-precedence=yes" is set as well.

Additionally, you can provide the false positive to http://www.clamav.net/report/report-fp.html.

-Kevin

On Tue, Aug 25, 2015 at 6:36 AM, Alex <mysqlstud...@gmail.com> wrote:
> Hi,
>
> I have an email with an apparent false-positive spoofed domain. How
> can I determine what domain it is that clamscan thinks is spoofed and
> correct it?
>
> I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
> decode a false-positive, but no signature or other details are given.
>
> Thanks,
> Alex
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml