Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 4:51 PM, Maarten Broekman via clamav-users wrote: https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Maarten Broekman via clamav-users
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains t

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote: Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd wil

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Kris Deugau
joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd will print a message indicating the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote: Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working. For Heuristics.Phish

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working. For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list » but an « allow list » of real URL and display URL that you want to allow. echo

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote: Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed ... Don't get me started. ... links to ... hit the Heurist

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
For now I have done that and it works!
echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd
But it will be great if Desjardins rules are on the up-to-date

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Hi, Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed to https://can01.safelinks.protection.outlook.com with a long string. So all the links to desjardins.com

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote: desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server as flag my CLAM for Heuristics.Phishing.Email.SpoofedDomain ... They probably did so

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread Mathieu Morier via clamav-users
Hi, desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server as flag my CLAM for Heuristics.Phishing.Email.SpoofedDomain . It might be something in the signature of their email. But it’s starting to be problemati