Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Kris Deugau
Alex wrote:
> Hi,
> 
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
> 
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
> 
> Why doesn't it display the signature with the above command?
> 
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

The Heuristics* "signatures" aren't fixed signatures in the signature
files.  This particular one represents a link where the visible and
link-target domain are "too different", but only for high-risk domains
(e.g. banks).  I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature, chase down the
mismatched domains as per Steve's message and add a line to local.wdb, e.g.:

X:\.rbc\.com:www\.rbcroyalbank\.com

or

M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others;  I use one or the other depending on which
one I can get to actually work on a case-by-case basis.

-kgd
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
On Tue, Aug 16, 2016 at 12:35 PM, Steve basford wrote:
> Try clamscan --debug 2>debug.log and I think that should show you a domain.

Ah yes, thanks. It appears it's marked it because the URLs were too different:

LibClamAV debug: Phishing: looking up in whitelist:
.click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list:
click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different

I'm not sure I'm ready to whitelist the rule just yet, however.

Thanks,
Alex
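
Putting Steve's debug tip and Kris's local.wdb formats together: the following is an added example, not ClamAV code and not from any poster in this thread. It parses the phishing lines out of a `clamscan --debug` log and, for each real/displayed hostname pair the heuristic compared, builds the two candidate whitelist entries the thread mentions: the exact hostname `M:` form (which the "looking up in whitelist ... host-only:1" line consults) and a regex `X:` form (which the "Looking up in regex_list" line consults), widened to the registered domains. The sample log is constructed from the lines Alex quoted. Two things are assumptions made here rather than facts from the page or the ClamAV documentation: that ClamAV matches an `X:` entry as one regex over the `real:displayed/` string printed in the regex_list line, and that the registered domain is simply the last two labels of a hostname. Treat a generated line as something to test by reloading and re-running `clamscan --debug` on the original message, not as verified.

```python
"""Derive candidate local.wdb whitelist entries from ClamAV phishing debug output.

Added example, not ClamAV's own code.  The log text below is constructed
from the lines quoted in this thread.  Assumptions (not verified against
libclamav source): an X: entry is matched as a single regex against the
"real:displayed/" string printed in the "regex_list" debug line, and the
registered domain is simply the last two labels of a hostname.
"""
from __future__ import annotations

import re

# Constructed sample: the four LibClamAV lines quoted in the thread, as
# clamscan --debug writes them to stderr.
SAMPLE_DEBUG_LOG = """\
LibClamAV debug: Phishing: looking up in whitelist: .click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list: click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""

# The regex_list line carries the pair ClamAV compared: link target first,
# displayed text second, with any path left on the displayed side.
REGEX_LIST_LINE = re.compile(
    r"Looking up in regex_list: (?P<real>[^:\s/]+):(?P<displayed>\S+)"
)


def parse_mismatches(debug_log: str) -> list[tuple[str, str]]:
    """Return (real_host, displayed_host) pairs from the regex_list lines."""
    pairs = []
    for line in debug_log.splitlines():
        m = REGEX_LIST_LINE.search(line)
        if m:
            displayed_host = m.group("displayed").split("/", 1)[0]
            pairs.append((m.group("real"), displayed_host))
    return pairs


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label TLDs)."""
    return ".".join(host.split(".")[-2:])


def host_entry(real: str, displayed: str) -> str:
    """Exact hostname pair, the M: form (e.g. M:trk.cp20.com:bmo.com)."""
    return f"M:{real}:{displayed}"


def regex_entry(real: str, displayed: str) -> str:
    """Regex pair, the X: form, widened to any host under the two registered
    domains.  Like the X: line in Kris's message it is unanchored; [^:/]
    keeps a subdomain match from spilling across the ':' separator."""
    def under(domain: str) -> str:
        return r"([^:/]*\.)?" + re.escape(domain)

    return f"X:{under(registered_domain(real))}:{under(registered_domain(displayed))}"


def x_entry_matches(entry: str, real: str, displayed: str) -> bool:
    """Local check of an X: entry.  Assumption: ClamAV applies the entry
    (minus the 'X:' prefix) as one regex to 'real:displayed/', the string
    shown in the regex_list debug line.  A true result is a reason to test
    the line with clamscan --debug, not a guarantee that ClamAV accepts it."""
    if not entry.startswith("X:"):
        raise ValueError("not an X: entry")
    return re.search(entry[2:], f"{real}:{displayed}/") is not None


def candidate_entries(debug_log: str) -> list[str]:
    """M: and X: lines for every mismatch found; an X: line is only emitted
    when it passes the local regex check."""
    entries = []
    for real, displayed in parse_mismatches(debug_log):
        entries.append(host_entry(real, displayed))
        x = regex_entry(real, displayed)
        if x_entry_matches(x, real, displayed):
            entries.append(x)
    return entries


if __name__ == "__main__":
    # Real use: clamscan --debug quarantined.eml 2>debug.log, then feed debug.log.
    for entry in candidate_entries(SAMPLE_DEBUG_LOG):
        print(entry)
```

For the quoted log this prints `M:click.capitaloneemail.com:mi.capitalone.com` and `X:([^:/]*\.)?capitaloneemail\.com:([^:/]*\.)?capitalone\.com`. The M: line is the narrower of the two and is the one to try first; the X: line silences the heuristic for every host under both registered domains, which is more than a single false positive justifies unless the tracking domain is known to belong to the bank.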


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Steve basford

Try clamscan --debug 2>debug.log and I think that should show you a domain.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 16 August 2016 17:32:31 Alex wrote:


Hi,

I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
sigtool --decode-sigs
#

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Reindl Harald



Am 16.08.2016 um 18:31 schrieb Alex:

I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
sigtool --decode-sigs
#

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?


I disabled them entirely because I have still to face anything other than
false positives from those rules.





[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
Hi,

I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
sigtool --decode-sigs
#

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?

Thanks,
Alex


[clamav-users] Missing "daily" e-mails

2016-08-16 Thread Al Varnell
You probably already realize that we didn’t receive fifteen messages from the 
clamav-virusdb list for four days (daily - 22070 through daily - 22084) and 
they are not in the archives.


-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Sigtool parsing issues

2016-08-16 Thread Arnaud Jacques / SecuriteInfo.com
Hello Jack,

> Great, thanks. Here is the output with '--debug':
> 
> LibClamAV debug: Initialized 0.99.2 engine
> LibClamAV debug: in cli_ole2_extract()
> LibClamAV debug: OLE2 magic failed!
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Phishcheck cleaned up
> 
> To note, the document opens fine in Microsoft Word, and oletools has no
> issues dumping out the macros.

Maybe related to 
https://github.com/vrtadmin/clamav-devel/commit/dbd2653d835b5446aed780112d376f5b2596519f

See this in the next version of Clamav.

-- 
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom