Joe Acquisto-j4 wrote:
> In log find (snipped)
> ". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
> This is enabled by the AlertOLE2Macros directive in clamd.conf
> ". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
> This is enabled by the PhishingScanURLs directive in clamd.conf.
> I love the first one but loathe the second one. Is there some secret sauce to
> allow discriminating between them?
Read the man page for clamd.conf. You may have to do some testing in a
sandbox with some sample emails to determine exactly which combination
of these and several apparently related settings you want enabled.
On the systems I maintain, I found that PhishingScanURLs suffered from
too many false positives (albeit mostly on mail from senders that should
really know better - I'm looking at you, major financial institutions),
so I disabled it for hard pass/fail scanning. I set up a secondary
clamd instance with these and a number of other potentially FP-prone
options as well as a collection of variously potentially risky third
party and local signatures, but without the stock signatures. This
second instance is called from SpamAssassin for scoring instead of hard
pass/fail.
-kgd
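The two-instance layout described in the reply (a strict clamd for hard pass/fail, a second FP-prone clamd whose hits only contribute a score) can be driven from a small client. The following is an added example, not code from the thread or from the ClamAV project: it speaks clamd's INSTREAM protocol over a Unix socket, parses the reply, and combines the two verdicts. The socket paths, the score weights and the signature-prefix table are assumptions; the clamd.conf directives named in comments (LocalSocket, AlertOLE2Macros, PhishingScanURLs) are real, and the strict/scoring split mirrors the reply's description.

```python
import os
import socket
import struct

# Assumed LocalSocket paths for the two clamd instances (hypothetical values;
# set LocalSocket in each instance's clamd.conf to match).
#   strict : stock signatures, AlertOLE2Macros yes, PhishingScanURLs no  -> hard pass/fail
#   scoring: PhishingScanURLs yes plus third-party/local sigs, no stock sigs -> score only
STRICT_SOCKET = "/run/clamav/clamd-strict.sock"
SCORING_SOCKET = "/run/clamav/clamd-scoring.sock"

# Constructed weights for detections from the scoring instance (longest prefix wins).
SCORE_WEIGHTS = {
    "Heuristics.Phishing.": 1.5,
    "Heuristics.": 0.5,
}
DEFAULT_WEIGHT = 1.0


def instream_frames(data, chunk_size=2048):
    """Frame `data` for clamd's INSTREAM command: 'zINSTREAM\\0', then
    <4-byte big-endian length><chunk> records, ending with a zero-length record."""
    out = bytearray(b"zINSTREAM\x00")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_reply(reply):
    """Turn a NUL-terminated clamd reply into (status, detail).
    'stream: OK' -> ('OK', None); 'stream: <sig> FOUND' -> ('FOUND', sig);
    '... ERROR' -> ('ERROR', message)."""
    text = reply.rstrip(b"\x00").decode("utf-8", "replace").strip()
    head, sep, tail = text.partition(": ")
    body = tail if sep else head
    if body == "OK":
        return ("OK", None)
    if body.endswith(" FOUND"):
        return ("FOUND", body[:-len(" FOUND")])
    if body.endswith(" ERROR"):
        return ("ERROR", body[:-len(" ERROR")])
    return ("ERROR", text)


def scan(socket_path, data, timeout=30.0):
    """Stream `data` to the clamd listening on `socket_path` and parse its verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\x00"):
            piece = s.recv(4096)
            if not piece:
                break
            reply += piece
    return parse_reply(reply)


def score_for(signature):
    """Weight a scoring-instance hit by the longest matching signature prefix."""
    for prefix, weight in sorted(SCORE_WEIGHTS.items(), key=lambda kv: -len(kv[0])):
        if signature.startswith(prefix):
            return weight
    return DEFAULT_WEIGHT


def verdict(strict, scoring):
    """Strict instance decides accept/reject; the scoring instance only adds points
    for the spam filter (the reply feeds these into SpamAssassin)."""
    strict_status, strict_detail = strict
    scoring_status, scoring_detail = scoring
    if strict_status == "FOUND":
        return {"action": "reject", "reason": strict_detail, "score": 0.0}
    if strict_status == "ERROR":
        # A strict-instance error (e.g. StreamMaxLength exceeded) is not a clean pass.
        return {"action": "tempfail", "reason": strict_detail, "score": 0.0}
    score = score_for(scoring_detail) if scoring_status == "FOUND" else 0.0
    return {"action": "accept", "reason": scoring_detail, "score": score}


if __name__ == "__main__":
    # Constructed sample message; runs against real daemons only if both sockets exist.
    sample = b"From: a@example.org\r\nSubject: test\r\n\r\nhello\r\n"
    if os.path.exists(STRICT_SOCKET) and os.path.exists(SCORING_SOCKET):
        print(verdict(scan(STRICT_SOCKET, sample), scan(SCORING_SOCKET, sample)))
    else:
        # Offline demonstration with constructed clamd replies.
        strict = parse_reply(b"stream: OK\x00")
        scoring = parse_reply(b"stream: Heuristics.Phishing.Email.SpoofedDomain FOUND\x00")
        print(verdict(strict, scoring))
```

The policy is deliberately asymmetric: a hit on the strict instance is a reject regardless of what the scoring instance says, while a hit on the scoring instance (where PhishingScanURLs and the other FP-prone options live) never rejects on its own and only returns a number for the spam filter to weigh alongside its other rules.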
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml