Re: [clamav-users] What was detected?

Mon, 27 Feb 2023 13:39:14 -0800 


On 27/02/2023 21:33, joe a wrote:

On 2/27/2023 4:24 PM, Paul Netpresto wrote:


On 27/02/2023 20:57, joe a wrote:

On 2/27/2023 3:52 PM, joe a wrote:

On 2/27/2023 3:47 PM, joe a wrote:

Got an email marked as infected by clamav.  I cannot determine 
what was detected.



A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what 
was detected.   Or maybe clued me in on which log I was not 
searching properly.


Did not find that conversation it in the email archives.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat



Well never mind that part, it is shown clearly in 
/var/log/clamd.log as "Heuristics.Phishing.Email.SpoofedDomain".



What I think I conflated that with the means to determine the 
details so I can add that to a .ign* file.   Something to do with 
debug mode I think.






Or, determine why this was detected in a valid email from a known 
and utilized credit card service.   Or is it simpler to "white list" 
this sender and move on?




If you have sufficient free memory  use clamscan to scan the email in 
question. It should be kind enough to highlight the reason why 
Heuristics.Phishing.Email.SpoofedDomain was triggered.





I attempted that just now.  Ran clamscan --debug -f some-email.eml


After it cranks up and apparently beings actually scanning the email, 
starts cranking out errors/warnings like:


Return-path: <s...@body.com>: No such file or directory
WARNING: Return-path: <s...@body.com>: Can't access file
Seems to be t

This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and am 
attempting to determine the actual objectionable domain.


Clearly I am doing something wrong.


Try clamscan  some-email.eml


_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat






















					Reply via email to