You can create allow-list rules for this sort of phishing heuristic alert using WDB signatures: https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

There are two types of WDB signatures, "X" and "M". Here are a couple of extra examples, since the documentation is a bit iffy:
    X:.+\.usbank-email\.com([/?].*)?:.+\.usbank\.com([/?].*)?
    X:.+\.ebay\.(ca|com)([/?].*)?:(ebay\.ca|ebay\.com)([/?].*)?
    M:www.postfinance.info:www.postfinance.ch
    M:www.deliverymail.com:media.monster.com

If you want to see more, create an empty directory and open a terminal in the directory. Then run:

    sigtool --unpack /var/lib/clamav/daily.cld

(or whatever the path to your daily CVD/CLD file is). It will drop a bunch of signature files in your current directory. Open daily.wdb and you'll see a much larger list. Some are more complicated because they use various country codes in the domains, others are less so.

If you craft a signature and would like Talos to distribute it in the official databases, you can upload it to https://www.clamav.net/reports/signature

The web form does get a surprising amount of spam though, so it may get looked at faster if you are interested in joining our community-sigs <mailto:community-s...@lists.clamav.net> mailing list and send it there. See: https://lists.clamav.net/mailman/listinfo/community-sigs

For anyone interested in submitting signatures, we manually review signature submissions. Sometimes signatures cannot be accepted or need to be revised because they are FP-prone. We will let you know when changes to the signatures are required.

Best regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Maarten Broekman via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, March 17, 2022 10:26 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Maarten Broekman <maarten.broek...@gmail.com>
Subject: Re: [clamav-users] Amazon/SpoofedDomain FP

That's indicating that there is a link in the email that's displaying "www.americanexpress.com" but is actually going to "www.amazonbusiness.com". It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi,

The link description is a URL and apparently doesn't match the link itself, resulting in email from Amazon Business being marked as malicious. Do I just add this to some kind of allow/bypass list? How do I go about doing that?

$ clamscan -v amazon-fp.eml
Scanning /home/alex/quarantine/amazon-fp.eml
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://www.amazonbusiness.com
LibClamAV info: Display URL: www.americanexpress.com
/root/quarantine/amazon-fp.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
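As an added example (not code from this thread or from ClamAV itself), a small Python self-check for a crafted WDB allow-list in the format Micah describes above: it parses X and M entries, pulls the Real URL / Display URL pair out of clamscan output shaped like Alex's report, and tells you whether the pair would be covered before you test against the real engine. The allow-list entries and log lines are constructed for the example, and the matching semantics (full-match regexes on the scheme-less URL for X, exact hostname equality for M, a trailing FuncLevelSpec ignored) are an assumption based on the documented format, not libclamav's own logic.

```python
import re

# Constructed allow-list (not from daily.wdb): an X entry of the kind one would craft for the
# Amazon Business / American Express alert in this thread, and an M entry like the postfinance one.
SAMPLE_WDB = """\
# comments and blank lines are ignored
X:.+\\.amazonbusiness\\.com([/?].*)?:.+\\.americanexpress\\.com([/?].*)?
M:www.postfinance.info:www.postfinance.ch
"""

# Constructed clamscan output, same shape as the report quoted in this thread.
SAMPLE_LOG = """\
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://www.amazonbusiness.com
LibClamAV info: Display URL: www.americanexpress.com
"""

def strip_scheme(url):
    # Drop an http(s):// prefix; the regex examples above are written against host-first URLs.
    return re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url.strip())
def hostname(url):
    # Lower-cased hostname, the value M (exact hostname) entries are compared against.
    return re.split(r"[/?#]", strip_scheme(url), maxsplit=1)[0].lower()
def parse_wdb(text):
    # Return (kind, real, display) tuples; a trailing FuncLevelSpec field, if present, is ignored.
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, real, display = line.split(":")[:3]
        if kind not in ("X", "M"):
            raise ValueError("unknown WDB entry type: " + kind)
        rules.append((kind, real, display))
    return rules
def is_allowlisted(real_url, display_url, rules):
    # X: both regexes must full-match the scheme-less URLs; M: both hostnames must be equal (assumed semantics).
    for kind, real, display in rules:
        if kind == "X":
            ok = (re.fullmatch(real, strip_scheme(real_url)) is not None
                  and re.fullmatch(display, strip_scheme(display_url)) is not None)
        else:
            ok = hostname(real_url) == real.lower() and hostname(display_url) == display.lower()
        if ok:
            return True
    return False
def parse_clamscan_log(text):
    # Pair up the Real URL / Display URL lines that follow "Suspicious link found!".
    return list(zip(re.findall(r"Real URL: (\S+)", text),
                    re.findall(r"Display URL: (\S+)", text)))
```

Run it as `is_allowlisted(real, display, parse_wdb(open("my.wdb").read()))` over the pairs from `parse_clamscan_log`; a rule that fails here is worth tightening before submitting it for review, since the M form only ever matches the exact hostnames given.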