On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:

> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>
> > In log find (snipped)
>
> Full marks for reading your logs. :)
>
> > ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
> >
> > and
> >
> > ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
> >
> > I love the first one but loathe the second one.
>
> That's your prerogative, of course, but both are generic threat descriptions
> which are applied to a number of potential threats.
> I don't see why anyone would like one and dislike the other, but then I don't
> get sentimental about the descriptions of signatures.
>
> > Is there some secret sauce to allow discriminating between them?
>
> I don't think I understand the question.
>
> There are two distinct names for two different classes of threat.
> What exactly are you looking for that isn't provided by the names?
> Do you mean distinguishing between individual examples of the type of
> threat? Perhaps you should be looking at your log verbosity, or perhaps
> something which analyzes suspect data more thoroughly. Are these logs the
> result of scanning filesystems, scanning mail, or...?
Although these two (and possibly other Heuristics) are indeed reported uniquely, in real cases I get absolute false positives on the SpoofedDomain for "legitimate" messages, while I'd always want to stop the ContainsMacros case. By "legitimate" here, I'm not saying that whatever heuristic is being interpreted incorrectly, but merely that real email from legitimate senders is being sent to users who expect to get that specific email.

Disabling all heuristics avoids all of these detections...

- Mark

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
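The two detections in the thread come from different switches in the ClamAV heuristic engine, so they can be separated in configuration rather than by turning every heuristic off. The clamd.conf fragment below is an added example, not something posted in the thread; it assumes a ClamAV 0.101 or later option set (older releases spell some of these options differently, e.g. AlgorithmicDetection and OLE2BlockMacros), so check the installed version's clamd.conf man page before copying it:

```conf
# Added example clamd.conf fragment (not from the thread). Option names are the
# ClamAV 0.101+ spellings; verify against `man clamd.conf` for your release.

# Keep the heuristic engine on. "HeuristicAlerts no" is the setting that
# silences everything, including the macro alert.
HeuristicAlerts yes

# Scan OLE2 (Office) containers and raise Heuristics.OLE2.ContainsMacros.*
# for documents carrying VBA macros even when no signature matches.
ScanOLE2 yes
AlertOLE2Macros yes

# Keep the signature-based phishing databases (daily.pdb / daily.wdb) active...
PhishingSignatures yes
# ...but stop the URL heuristics that produce
# Heuristics.Phishing.Email.SpoofedDomain.
PhishingScanURLs no
```

For a one-off check of a saved message, clamscan takes the same choices as switches (`--alert-macros=yes --phishing-scan-urls=no`). If the URL check is wanted in general and only particular senders need exempting, the finer-grained route is a whitelist database entry of the form `X:RealURL:DisplayedURL` in a local `.wdb` file, as described in the ClamAV signature-writing documentation; that exempts the specific real/displayed URL pair instead of switching the heuristic off for everyone.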