[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

Hi, Look like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically change to https://can01.safelinks.protection.outlook.com with a long string. So all the links to desjardins.com

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

For now I have done that and it work ! echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb systemctl restart clamd But it will be great if Desjardins rules are on the up-to-date

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

Hi there, On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote: Look like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically change ... Don't get me started. ... links to ... hit the Heurist

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

Yea for now I just created the line as peer the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working. For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list » bit an « allow list of real URL and display URL that you want to allow. echo