micah anderson wrote:
> I keep having people complaining about False Positives due to Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that the reason this is happening is because of Outlook's "advanced threat protection" which wraps URLs in a "safelink" URL.
>
> I really didn't want to do this, but I followed https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf and I added the following to local.wdb (is this still the right place?!) to "whitelist" safebrowsing:
>
>     X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
>
> but people are still complaining. Did I do this wrong? Looking again at the documentation, it appears that it should be '17-' instead of '17', but I'm not sure that matters.
I don't know if the whitelist setup will let you blanket-whitelist ALL EVERYTHING like that. Grab a sample message, and run clamscan -D on it to find the link it's choking on. Tweak the regex in between calls - e.g., start with a specific match on the example, and gradually make it more general. IME there are undocumented limits on what really constitutes a "valid" entry (both in syntax and in results), so the only way to get it right is to test and adjust until it works as expected. :/
> Is there some better way to deal with this? I do not want to turn off phishing protection in general.
I'd suggest moving up a layer, to whatever is calling Clam, and handle that result differently (i.e., add a header to pass on to the spam filter rather than treat it as an absolute black/white result on its own).
-kgd

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
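Why Safe Links trips the SpoofedDomain heuristic, and what the "handle it a layer up" approach kgd suggests can look like, as an added example that is not part of this thread and not ClamAV's own code. The check below is a deliberately simplified model of a displayed-domain vs. real-domain comparison (last two host labels, no public suffix list); ClamAV's actual heuristic differs in detail. What it relies on from Safe Links is only that the wrapped href lives under safelinks.protection.outlook.com and carries the original target in its `url=` query parameter. The HTML message is constructed for the example.

```python
"""Unwrap Outlook Safe Links before comparing displayed vs. real link domains.

Added example for the clamav-users thread above; not ClamAV code.
Models the SpoofedDomain idea in a simplified way: the anchor text names
one domain, the href points at another.  With Safe Links every href is
*.safelinks.protection.outlook.com, so a naive comparison flags every
wrapped link, including perfectly legitimate ones.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample message: first link is a legitimate link rewritten by
# Safe Links, second is a genuinely spoofed link (text and target disagree).
SAMPLE_HTML = """
<p>Invoice: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.com%2Finvoice%2F42&amp;data=05%7C01%7C&amp;reserved=0">https://www.example.com/invoice/42</a></p>
<p>Login: <a href="https://login.example.net/">https://bank.example.org/login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True unescapes &amp; in attributes
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap_safelink(url):
    """Return the original target of a Safe Links URL, else the URL unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    target = parse_qs(parts.query).get("url")
    return target[0] if target else url


def registered_domain(host):
    # Simplified: last two labels.  Production code should use the public
    # suffix list so that e.g. example.co.uk is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Hostname named by the anchor text, or '' if the text is not URL-like."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    return urlsplit(t).hostname or ""


def check_link(href, text, unwrap=True):
    """'ok' or 'spoofed-domain' for one anchor; optionally unwrap Safe Links first."""
    real = unwrap_safelink(href) if unwrap else href
    real_host = urlsplit(real).hostname or ""
    shown_host = displayed_host(text)
    if not shown_host or "." not in shown_host:
        return "ok"  # anchor text is not a URL/hostname; nothing to compare
    if registered_domain(shown_host) == registered_domain(real_host):
        return "ok"
    return "spoofed-domain"


def scan(html, unwrap=True):
    """Return [(anchor text, verdict)] for every link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, check_link(href, text, unwrap)) for href, text in parser.links]


if __name__ == "__main__":
    print("without unwrapping:", scan(SAMPLE_HTML, unwrap=False))
    print("with unwrapping:   ", scan(SAMPLE_HTML))
```

Run as-is, the first pass flags both links, which is the false-positive pattern the thread describes; the second pass keeps the verdict only for the link whose unwrapped target really does not match its text. In the glue that calls ClamAV (milter, amavis, a custom scanner wrapper) this is the kind of step that can either rewrite hrefs before the body is handed to the scanner, or turn a SpoofedDomain hit on a wrapped-but-matching link into a score header for the spam filter instead of a hard reject. Note that unwrapping trusts the `url=` value, which is the destination the recipient would reach anyway after the click-time check; the delivered message itself is left untouched.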