On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote:
Yea for now I just created the line as per the doc (
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format )
and it’s working.
For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list »
but an « allow list » of real URL and display URL that you want to allow.
echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd
To semi-hijack, I was attempting to deal with my own occasional false
positive by using this thread as a clue.
Attempting to follow the docs, I hit a wall here:
"To help you identify what triggered a heuristic phishing alert,
clamscan or clamd will print a message indicating the "Display URL" and
"Real URL" involved in a heuristic phishing alert."
I did not find such an entry in any of the "usual suspect" logs, so
wondering if that means I must somehow submit the offending email for a
manual scan, or if I simply do not know where to look?
Thanks for any assistance.
joe a.