> On Tuesday, March 23, 2021 at 5:02 PM, G.W. Haywood wrote:
>> On Tue, 23 Mar 2021, Joe Acquisto-j4 wrote:
>> 
>> > In log find (snipped)
>> 
>> Full marks for reading your logs. :)
>> 
>> > ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
>> >
>> > and
>> >
>> > ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
>> >
>> > I love the first one but loathe the second one.
>> 
>> That's your prerogative, of course, but both are generic threat descriptions
>> which are applied to a number of potential threats.
>> I don't see why anyone would like one and dislike the other, but then I
>> don't get sentimental about the descriptions of signatures.
>> 
>> > Is there some secret sauce to allow discriminating between them?
>> 
>> I don't think I understand the question.

I was not clear.  Mark guessed correctly.  See below.

>> There are two distinct names for two different classes of threat.
>> What exactly are you looking for that isn't provided by the names?
>> Do you mean distinguishing between individual examples of the type of
>> threat?  Perhaps you should be looking at your log verbosity, or perhaps
>> something which analyzes suspect data more thoroughly.  Are these logs the
>> result of scanning filesystems, scanning mail, or...?
> 
> Although these two (and possibly other Heuristics) are indeed reported 
> uniquely, in real cases, I get absolute false positives on the SpoofedDomain 

The "spoofed domain" is the one I would rather allow to pass through without
comment or quarantine as some are "legitimate".   But the docs did warn
about "false positives".  Although pedantic types (who me?) might argue it
is not a "false positive" if it met the testing criteria.
 
> for "legitimate" messages while I'd always want to stop the ContainsMacros 
> case.  By "legitimate" here, I'm not saying that whatever heuristic is being 
> interpreted incorrectly, but merely that real email from legitimate senders 
> is being sent to users who expect to get that specific email.
> 
> Disabling all heuristics avoids all of these detections...

That settles that, apparently.  All or nothing.

joe a,
>> Mark
> 
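Editor's note, added to this archived thread and not part of any post in it: the global HeuristicAlerts switch is not the only knob. ClamAV's shipped sample clamd.conf exposes per-class options, and the phishing URL checks have their own allow-list database (.wdb). The fragment below shows the two settings that correspond to the detections Joe quotes, side by side with the all-or-nothing switch. The option names are those in the sample configuration that ships with ClamAV 0.101 and later; the file paths, the example.com hostname, the regex pattern and the "17-" functionality-level range are illustrative assumptions, so check them against the PhishSigs section of the ClamAV manual for your version before relying on them.

```conf
# --- Added example: /etc/clamav/clamd.conf (path assumed) ---

# The global switch discussed in the thread. "no" silences every
# Heuristics.* detection, ContainsMacros included.
HeuristicAlerts yes

# Per-class switches underneath the global one.

# Alert on OLE2 documents that contain VBA macros; this is what emits
# Heuristics.OLE2.ContainsMacros.VBA. Off by default in the sample config.
AlertOLE2Macros yes

# Scan URLs found in mail for phishing heuristics. This is the code path
# that emits Heuristics.Phishing.Email.SpoofedDomain. Setting it to "no"
# drops the URL-based phishing heuristics while the macro alert above
# stays active.
PhishingScanURLs no

# HTML.Phishing / Email.Phishing NDB signatures are separate from the
# URL heuristics and can remain on.
PhishingSignatures yes

# Stricter URL checks that the sample config itself warns can cause
# false positives; leave them off unless you accept that trade-off.
AlertPhishingSSLMismatch no
AlertPhishingCloak no

# --- Added example: /var/lib/clamav/local.wdb (path assumed) ---
# Alternative to switching PhishingScanURLs off entirely: keep the URL
# heuristics on and allow-list one sender's real/displayed URL pair.
# Documented format: X:RealURL:DisplayedURL:FuncLevelSpec, where both
# URL fields are regular expressions. The pattern below is an assumed
# illustration for a hypothetical example.com sender; "17-" is the
# functionality-level range used in the manual's own example.
X:.+\.example\.com([/?].*)?:.+\.example\.com([/?].*)?:17-
```

ClamAV picks up any *.wdb file in its database directory, so the allow-list survives freshclam updates of daily.cvd. After editing clamd.conf, restart clamd and run `clamconf` to confirm the effective values; `clamconf` prints every option with the value actually in force, which is the quickest way to catch a typo that left the global switch where it was.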



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml