joe a wrote:
> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
> Attempting to follow the docs, I hit a wall here:
> "To help you identify what triggered a heuristic phishing alert,
> clamscan or clamd will print a message indicating the "Display URL" and
> "Real URL" involved in a heuristic phishing alert. "
> I did not find such an entry in any of the "usual suspect" logs, so
> wondering if that means I must somehow submit the offending email for a
> manual scan, or if I simply do not know where to look?
It's only in the debug output. While I was still chasing this I just
ran clamscan --debug after the fact on the FP sample to extract the
relevant URL bits, although it was still sometimes a bit of effort to
then find the right .wdb entry to actually whitelist the match when scanned.
Some time ago I gave up on using this test in a hard pass/fail context,
largely because of exactly the class of problem reported in this thread.
Instead I have it enabled in a clamd instance that's called by a
filter processing component with enough smarts to balance a hit on this
test with other criteria.
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat