Alex wrote:
> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?
The Heuristics* "signatures" aren't fixed signatures in the signature files. This particular one represents a link where the visible and link-target domain are "too different", but only for high-risk domains (e.g. banks). I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature, chase down the mismatched domains as per Steve's message, and add a line to local.wdb, e.g.:

  X:\.rbc\.com:www\.rbcroyalbank\.com

or

  M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches, and an M: line for others; I use one or the other depending on which one I can get to actually work on a case-by-case basis.

-kgd

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
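Added example (not from the thread and not ClamAV's own code): a small Python model of the check kgd describes, to show which (href, visible) pair in a message trips the mismatch and whether a local.wdb line covers it. It assumes M: lines are literal real:displayed hostnames, X: lines are unanchored regexes searched against the real and displayed URLs, that lines carry no optional trailing function-level field, and that "too different" simply means differing hostnames after dropping a leading www.; the sample HTML and whitelist are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkParser(HTMLParser):
    """Collects (href, visible text) for every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(url):
    """Lower-cased hostname of a URL or bare host ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def load_wdb(text):
    """Parse X: (regex) and M: (literal) lines; assumed real:displayed order."""
    return [tuple(l.strip().split(":", 2)) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def whitelisted(entries, real_url, shown_url):
    """True if any M: or X: line covers this real/displayed pair (assumed semantics)."""
    for kind, real, displayed in entries:
        if kind == "M" and (hostname(real_url), hostname(shown_url)) == (real.lower(), displayed.lower()):
            return True
        if kind == "X" and re.search(real, real_url) and re.search(displayed, shown_url):
            return True
    return False

def find_spoofed_links(html, wdb_text=""):
    """Return (href, visible) pairs whose domains differ and are not whitelisted."""
    parser = _LinkParser(); parser.feed(html)
    entries, flagged = load_wdb(wdb_text), []
    for href, text in parser.links:
        shown = hostname(text)
        if "." not in shown:        # visible text is not a URL/host: check does not apply
            continue
        if shown.removeprefix("www.") != hostname(href).removeprefix("www.") \
                and not whitelisted(entries, href, text):
            flagged.append((href, text))
    return flagged

# Constructed sample message and whitelist (the two lines quoted in the thread).
SAMPLE_HTML = """<p>Sign in: <a href="http://trk.cp20.com/c?id=42">http://bmo.com/login</a></p>
<p><a href="http://www.rbc.com/o">www.rbcroyalbank.com</a>
<a href="http://login-example.test/p">https://bank.example/</a>
<a href="http://unrelated.test/">Click here</a></p>"""
SAMPLE_WDB = r"X:\.rbc\.com:www\.rbcroyalbank\.com" + "\nM:trk.cp20.com:bmo.com\n"
```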