micah anderson wrote:
> I keep having people complaining about False Positives due to
> Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
> the reason this is happening is because of Outlook's "advanced threat
> protection" which wraps URLs in a "safelink" URL.
>
> I really didn't want to do this, but I followed
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf
>
> and I added the following to local.wdb (is this still the right place?!)
> to "whitelist" safebrowsing:
>
> X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
>
> but people are still complaining. Did I do this wrong? Looking again at
> the documentation, it appears that it should be '17-' instead of '17',
> but I'm not sure that matters.

I don't know if the whitelist setup will let you blanket-whitelist ALL EVERYTHING like that. Grab a sample message, and run clamscan -D on it to find the link it's choking on. Tweak the regex in between calls - e.g., start with a specific match on the example, and gradually make it more general. IME there are undocumented limits on what really constitutes a "valid" entry (both in syntax and in results), so the only way to get it right is to test and adjust until it works as expected. :/

> Is there some better way to deal with this? I do not want to turn off
> phishing protection in general.

I'd suggest moving up a layer, to whatever is calling Clam, and handle that result differently (i.e., add a header to pass on to the spam filter rather than treat it as an absolute black/white result on its own).

-kgd
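The "move up a layer" approach above, as an added example that is not from this thread or from ClamAV itself: a small wrapper that runs clamscan on a raw message and turns a hit on Heuristics.Phishing.Email.SpoofedDomain into headers for the spam filter instead of a hard reject, while any other detection still rejects. The signature name comes from the thread; the header names, the "soft" signature set and the sample scanner output are my own assumptions.

```python
import re
import subprocess
from email import message_from_bytes
from email.message import Message
from typing import Dict, Tuple

# Detections to downgrade from "reject" to "tag for the spam filter".
# The name is the one from the thread; the set itself is an assumption.
SOFT_SIGNATURES = {"Heuristics.Phishing.Email.SpoofedDomain"}

# clamscan prints one "<path>: <signature> FOUND" line per detection.
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.M)


def decide(clamscan_stdout: str, returncode: int) -> Tuple[str, Dict[str, str]]:
    """Map a clamscan result to an action plus headers for the next layer.

    clamscan exit codes: 0 clean, 1 something found, 2 error.
    Returns ('pass' | 'tag' | 'reject', headers-to-add).
    """
    if returncode == 0:
        return "pass", {}
    sigs = [m.group("sig") for m in FOUND_LINE.finditer(clamscan_stdout)]
    if not sigs:
        # Scanner error or unparseable output: don't lose mail, let the filter see it.
        return "tag", {"X-ClamAV-Status": "error"}
    hard = [s for s in sigs if s not in SOFT_SIGNATURES]
    if hard:
        return "reject", {"X-ClamAV-Status": "infected",
                          "X-ClamAV-Signature": ",".join(hard)}
    # Only heuristic phishing hits: deliver, but tell the spam filter about it.
    return "tag", {"X-ClamAV-Status": "heuristic",
                   "X-ClamAV-Signature": ",".join(sigs)}


def tag_message(raw: bytes, headers: Dict[str, str]) -> Message:
    """Parse the raw RFC 822 message and add the decision headers to it."""
    msg = message_from_bytes(raw)
    for name, value in headers.items():
        msg[name] = value
    return msg


def scan_and_tag(raw: bytes) -> Tuple[str, Message]:
    """Scan a raw message via clamscan on stdin ('-') and return (action, tagged message)."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"],
                          input=raw, capture_output=True, text=False)
    action, headers = decide(proc.stdout.decode(errors="replace"), proc.returncode)
    return action, tag_message(raw, headers)
```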
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users