Hi,

On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin <k...@sourcefire.com> wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> detection.
>
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
>
> Additionally, you can provide the false positive to
> http://www.clamav.net/report/report-fp.html.
Thanks very much. I've submitted an fp, but it appears to be the result of this:

LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

Looks like the proofpoint "secure URL" product has mangled the URL so badly that clamav can't decipher it?

In any case, how would I go about whitelisting either the sender and/or the email the next time this happens, so I don't have to wait for the sig team to perform an update? For now, I've whitelisted the whole Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I obviously don't want to keep that permanently.

I'm using postfix with amavisd-new and spamassassin on fedora.

Thanks,
Alex

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
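Added example (not code from the thread or from ClamAV): it parses the "URL after cleanup" lines that clamscan --debug writes to stderr and turns each real->displayed host pair into a single hostname whitelist line, so only that pair is exempted instead of switching off Heuristics.Phishing.Email.SpoofedDomain wholesale with an ign2 entry. The M:RealHostname:DisplayedHostname layout of ClamAV's .wdb whitelist files and the sample log lines are assumptions; check the layout against the signature documentation for your ClamAV version before loading the file.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: debug lines in the shape clamscan --debug writes to
# stderr for this thread's false positive (long hash-lookup line omitted).
SAMPLE_DEBUG = """\
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
"""

# The engine logs the pair as "<real URL>-><displayed URL>" after cleanup.
CLEANUP_RE = re.compile(r"Phishcheck:URL after cleanup: (?P<real>\S+?)->(?P<displayed>\S+)")


def hostname(url):
    """Hostname of a URL; tolerates scheme-less values such as 'example.com/x'."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname in %r" % url)
    return host.lower()


def spoofed_pairs(debug_text):
    """Distinct (real_host, displayed_host) pairs, in order of first appearance."""
    seen, pairs = set(), []
    for match in CLEANUP_RE.finditer(debug_text):
        pair = (hostname(match.group("real")), hostname(match.group("displayed")))
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs


def wdb_entries(pairs):
    """Render hostname whitelist lines. The M:Real:Displayed layout is assumed
    from ClamAV's .wdb documentation; verify it for the version you run."""
    return ["M:%s:%s" % (real, displayed) for real, displayed in pairs]


if __name__ == "__main__":
    # One line per pair; dropping the file into the database directory exempts
    # only these host pairs, not the whole SpoofedDomain heuristic.
    for line in wdb_entries(spoofed_pairs(SAMPLE_DEBUG)):
        print(line)
```

Each whitelist line covers exactly one rewriting-host/displayed-host pair, so a genuinely spoofed link behind the same URL-rewriting service still trips the heuristic.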