On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin <firstname.lastname@example.org> wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
> Additionally, you can provide the false positive to
Thanks very much. I've submitted an fp, but it appears to be the result of this:
LibClamAV debug: Looking up hash
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com-
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.co
LibClamAV debug: Phishing: looking up in whitelist:
LibClamAV debug: Looking up in regex_list:
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Looks like the Proofpoint "secure URL" product has mangled the URL so
badly that ClamAV can't decipher it?
In any case, how would I go about whitelisting either the sender
and/or the email the next time this happens, so I don't have to wait
for the sig team to perform an update?
For now, I've whitelisted the whole
Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I
obviously don't want to keep that permanently.
I'm using Postfix with amavisd-new and SpamAssassin on Fedora.
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
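The debug output above shows the pair ClamAV compares (the Proofpoint-rewritten real link and the displayed bank hostname). As an added example that is not code from this thread or from ClamAV, the script below turns such a "looking up in whitelist: REAL:DISPLAYED" line into a `.wdb` whitelist entry for just that host pair, which is narrower than ignoring the whole Heuristics.Phishing.Email.SpoofedDomain rule via `.ign2`. It assumes the `.wdb` format `X:RealURL:DisplayedURL` (both POSIX regexes) from the ClamAV signature documentation; the sample line and its hostnames are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from ClamAV. Converts a
# `clamscan --debug` line of the form
#   LibClamAV debug: Phishing: looking up in whitelist: REAL_URL:DISPLAYED_URL
# into a .wdb entry "X:RealURL:DisplayedURL" (assumed format, both regexes)
# that whitelists only this rewritten-link / displayed-host combination.

# Escape the dots in a hostname so they match literally inside the regex.
escape_host() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Reduce a URL to its bare hostname: drop the scheme, then any path/query.
host_of() {
    printf '%s' "$1" | sed 's#^[a-z]*://##; s#[/?].*##'
}

# Print the .wdb entry for one debug line. Returns 1 when the line carries
# no REAL:DISPLAYED pair (the log above also contains such empty lookups).
wdb_entry_from_debug() {
    pair=$(printf '%s\n' "$1" | sed -n 's/.*looking up in whitelist: //p')
    [ -n "$pair" ] || return 1
    # The real URL ends where the displayed URL's scheme begins.
    real=${pair%%:http*}
    displayed=${pair#"$real":}
    [ "$displayed" != "$pair" ] || return 1
    real_re="(.*://)?$(escape_host "$(host_of "$real")")([/?].*)?"
    disp_re="(.*://)?$(escape_host "$(host_of "$displayed")")([/?].*)?"
    printf 'X:%s:%s\n' "$real_re" "$disp_re"
}

# Constructed sample in the shape of the quoted debug output (placeholder
# hostnames, not the truncated values from the log above).
SAMPLE='LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com/v2/url?u=x:http://www.bank.example/login'

# Typical use on a real message (hypothetical paths):
#   clamscan --debug msg.eml 2>&1 | grep 'looking up in whitelist' |
#     while read -r l; do wdb_entry_from_debug "$l"; done >> /var/lib/clamav/local.wdb
wdb_entry_from_debug "$SAMPLE"
```

Reload the daemon after appending to the `.wdb` file, and re-run the scan with `--debug` to confirm the lookup now hits the whitelist.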