[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives

2017-06-09 Thread Alex
Hi,

I've noticed a large amount of phishing signature false-positives, and
just want to make sure I understand correctly how they work.

I have HeuristicScanPrecedence disabled and all the phishing settings
left as default.

I'm assuming this rule is known to produce a large amount of false-positives?

It catches legitimate mail from priceline, delta, citibank, homedepot,
and wellsfargo. At the least, I would expect some kind of note in the
config file indicating this?

I've successfully whitelisted quite a few of them, but is this the
best approach? Maybe I'm missing more of the main purpose of this rule
because it does seem so prone to false-positives.

Could I also ask someone to review my whitelist entries? Perhaps they
can be optimized or done more succinctly? The manual refers to a
version number (17-). Is this necessary?

X:http\://e\.delta\.com:www\.americanexpress\.com
X:http\://l\.info4\.citi\.com:citibank\.com
X:http\://l\.info4\.citi\.com:citi\.com
X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
X:http\://l\.info4\.citi\.com:http\://namwpm\.eccmp\.com
X:http\://l\.info4\.citi\.com:http\://snamwpm\.eccmp\.com
X:http\://l\.info4\.citi\.com:http\://www\.movable-ink-.+\.com
X:http\://l\.info4\.citi\.com:thankyou\.com
X:http\://l\.info6\.accountonline\.com:bestbuy\.accountonline\.com
X:http\://l\.info6\.accountonline\.com:citibank\.com
X:http\://l\.info6\.accountonline\.com:homedepot\.com
X:http\://l\.info6\.accountonline\.com:http\://namwpm\.eccmp\.com
X:http\://links\.e\.mycustomemail\.com:wellsfargo\.com
X:http\://links\.mkt3772\.com:https\://cdn2\.bondbrandloyalty\.com
X:http\://links\.mkt3772\.com:https\://equitybar\.scene\.ca
X:http\://links\.mkt3772\.com:scene\.ca
X:http\://links\.mkt3772\.com:scotiabank\.com
X:\.links\.mkt3772\.com:\.scotiabank\.com
X:http\://mercedes-benz\.r\.delivery\.net:amextravel\.com
X:http\://mercedes-benz\.r\.delivery\.net:http\://sarankco-preview\.com
X:http\://mercedes-benz\.r\.delivery\.net:membershiprewards\.com
X:http\://mercedes-benz\.r\.delivery\.net:www\.americanexpress\.com
X:http\://mercedes-benz\.r\.delivery\.net:www\.membershiprewards\.com
X:https\://epl\.paypal-communication\.com:https\://pp\.images\.harmony\.epsilon\.com
X:https\://epl\.paypal-communication\.com:www\.paypal\.com
X:https\://t\.co:amazon\.de
X:https\://twitter\.com:https\://ea\.twimg\.com
X:https\://twitter\.com:https\://pbs\.twimg\.com
X:https\://usa\.visa\.com:http\://images\.globalclient\.visa\.com
X:.+arizonafederal\.org:arizonafederal\.org
X:.+\.facebook\.com:https\://www\.arizonafederal\.org
X:http\://www\.wiredbusinessconference\.com:http\://images\.globalclient\.visa\.com
X:\.l\.info4\.citi\.com:\.citibank\.com
X:\.l\.info6\.accountonline\.com:\.citibank\.com
X:\.links\.e\.mycustomemail\.com:\.wellsfargo\.com
X:\.mercedes-benz\.r\.delivery\.net:\.www\.americanexpress\.com
X:\.t\.co:\.amazon\.de
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
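As an added example (not ClamAV's own code and not from the thread above): a small Python parser and checker for the X:RealURL:DisplayedURL[:FuncLevelSpec] line format the entries in the post use. It assumes ClamAV applies the two fields as a single anchored POSIX-style regex to the string "real:displayed" (the form the manual's own examples suggest; confirm against regex_list.c before relying on a verdict), and that a FuncLevelSpec of "17-" means functionality level 17 and above. The sample pairs in SAMPLES and the last two entries in SAMPLE_WDB are constructed. The redundancy check only reports lines that another single line already covers for the sample links you feed it, which is the kind of review the post asks for.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the X:RealURL:DisplayedURL[:FuncLevelSpec] form of the
# post. Lines 2-4 are copied from it; lines 5-6 are made up to show a
# path-tolerant real-URL regex and a functionality-level field.
SAMPLE_WDB = r"""
X:http\://l\.info4\.citi\.com:citibank\.com
X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
X:https\://t\.co:amazon\.de
X:http\://l\.info4\.citi\.com([/?].*)?:citibank\.com
X:https\://t\.co([/?].*)?:amazon\.de:17-
"""

# Constructed (real href, displayed text) pairs, as a scanner would extract
# them from <a href="real">displayed</a>.
SAMPLES = [
    ("http://l.info4.citi.com", "citibank.com"),
    ("http://l.info4.citi.com/track?id=1", "citibank.com"),
    ("https://t.co", "amazon.de"),
    ("https://t.co/abc", "amazon.de"),
]


@dataclass
class WdbEntry:
    kind: str                     # "X" (URL regexes) or "M" (hostname regexes)
    real: str                     # regex for the real (href) URL
    displayed: str                # regex for the displayed (link text) URL
    min_fl: Optional[int] = None  # functionality-level range, when given
    max_fl: Optional[int] = None
    line_no: int = 0


def split_fields(line: str) -> List[str]:
    """Split on ':' but not on the backslash-escaped colon in http\\://."""
    return re.split(r"(?<!\\):", line)


def parse_funclevel(spec: str) -> Tuple[int, Optional[int]]:
    """Assumed: '17-' means level 17 and above; '17-25' means 17 through 25."""
    lo, _, hi = spec.partition("-")
    return int(lo), (int(hi) if hi else None)


def parse_wdb(text: str) -> List[WdbEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if fields[0] not in ("X", "M") or len(fields) not in (3, 4):
            raise ValueError(f"line {n}: not an X:/M: whitelist entry: {raw!r}")
        entry = WdbEntry(fields[0], fields[1], fields[2], line_no=n)
        if len(fields) == 4:
            entry.min_fl, entry.max_fl = parse_funclevel(fields[3])
        entries.append(entry)
    return entries


def entry_matches(e: WdbEntry, real_url: str, displayed: str, funclevel: int = 17) -> bool:
    """Assumed model: both regexes joined with ':' must match the whole string
    'real:displayed'; outside the entry's functionality range it is inert."""
    if e.min_fl is not None and funclevel < e.min_fl:
        return False
    if e.max_fl is not None and funclevel > e.max_fl:
        return False
    return re.fullmatch(f"{e.real}:{e.displayed}", f"{real_url}:{displayed}") is not None


def matching_lines(entries: List[WdbEntry], real_url: str, displayed: str,
                   funclevel: int = 17) -> List[int]:
    """Line numbers of every entry that would whitelist this link."""
    return [e.line_no for e in entries if entry_matches(e, real_url, displayed, funclevel)]


def redundant_lines(entries: List[WdbEntry], samples, funclevel: int = 17) -> Set[int]:
    """Entries whose set of matched samples is covered by one other entry; of two
    entries with identical sets the later line is reported. Entries matching no
    sample are never reported, since they may cover links outside the sample set."""
    hits = {e.line_no: {i for i, (r, d) in enumerate(samples)
                        if entry_matches(e, r, d, funclevel)} for e in entries}
    redundant = set()
    for a, sa in hits.items():
        for b, sb in hits.items():
            if sa and a != b and sa <= sb and (sa != sb or b < a):
                redundant.add(a)
                break
    return redundant


if __name__ == "__main__":
    entries = parse_wdb(SAMPLE_WDB)
    for real, shown in SAMPLES:
        print(f"{real} -> {shown}: whitelisted by lines {matching_lines(entries, real, shown)}")
    print("redundant for these samples:", sorted(redundant_lines(entries, SAMPLES)))
```

Under the anchored model, an entry like line 2 only matches a real URL with no path at all, which is why the constructed line 5 adds `([/?].*)?`; run the script against your own .wdb and a handful of real (href, text) pairs taken from the falsely flagged mails to see which lines actually fire.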


Re: [clamav-users] Main CVD and Main Cdiff have been published

2017-06-09 Thread Reindl Harald

On 09.06.2017 at 06:33, Dennis Peterson wrote:
The main.cld is equivalent to main.cvd and the date is correct. The
difference is one is compressed, the other not.

And why, in general, do you sometimes get a .cld and sometimes a .cvd? This
happens often for safebrowsing, and then, when you distribute the updates
based on hardlinks to feed different clamd instances with different
signatures, clamav complains about multiple databases.

On 6/8/17 9:30 PM, mlnl wrote:

Hi,


should this be correct?

-rw-r--r--.  1 clam clam    654336 Jun  7 03:18 bytecode.cld
-rw-r--r--.  1 clam clam 123921920 Jun  9 03:26 daily.cld
-rw-r--r--.  1 clam clam 307499008 Jun  8 03:18 main.cld

ls -la *.cld
-rw-r--r-- 1 clamav clamav    654336 Jun  7 06:06 bytecode.cld
-rw-r--r-- 1 clamav clamav 123921920 Jun  9 05:46 daily.cld
-rw-r--r-- 1 clamav clamav 307499008 Jun  8 07:16 main.cld
-rw-r--r-- 1 clamav clamav 120095744 Jun  9 05:47 safebrowsing.cld


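As an added example for auditing a database directory like the listings above (not ClamAV's code and not from the thread): the script reads the 512-byte "ClamAV-VDB:" text header that .cvd and .cld files share, reports the version of every copy per database stem, and flags stems present as both .cvd and .cld, the "multiple databases" situation the reply above describes. The headers in SAMPLE_DIR are constructed (placeholder MD5 and signature fields, made-up version and signature counts), so they are not loadable databases; the header field order is the one ClamAV documents for CVD files.

```python
import os
from dataclasses import dataclass
from typing import Dict

HEADER_LEN = 512  # a CVD/CLD file starts with a fixed 512-byte text header


def constructed_header(build_date: str, version: int, sigs: int, funclevel: int) -> bytes:
    """Build a header in the ClamAV-VDB layout for the sample directory below. The
    MD5 and digital-signature fields are placeholders, so this is not a real database."""
    text = (f"ClamAV-VDB:{build_date}:{version}:{sigs}:{funclevel}"
            f":md5-placeholder:dsig-placeholder:example-builder:1496993160")
    return text.encode("ascii").ljust(HEADER_LEN, b" ")


# Constructed listing modelled on the thread: an older main.cvd was left behind
# beside the newer main.cld, which is what clamd reports as duplicate databases.
SAMPLE_DIR: Dict[str, bytes] = {
    "bytecode.cld": constructed_header("07 Jun 2017 03-18 -0400", 300, 70, 63),
    "daily.cld": constructed_header("09 Jun 2017 03-26 -0400", 23484, 1789338, 63),
    "main.cld": constructed_header("08 Jun 2017 03-18 -0400", 58, 4566249, 60),
    "main.cvd": constructed_header("01 Jun 2017 03-18 -0400", 57, 4218790, 60),
    "mirrors.dat": b"not a database header",
}


@dataclass
class VdbHeader:
    build_date: str
    version: int
    signatures: int
    funclevel: int
    md5: str
    builder: str


def parse_vdb_header(head: bytes) -> VdbHeader:
    """Parse the colon-separated header. The time inside the date field uses '-'
    (e.g. 03-26 for 03:26) so that the colon-separated field count stays fixed."""
    text = head[:HEADER_LEN].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header")
    return VdbHeader(build_date=fields[1], version=int(fields[2]), signatures=int(fields[3]),
                     funclevel=int(fields[4]), md5=fields[5], builder=fields[7])


def audit_databases(files: Dict[str, bytes]) -> Dict[str, dict]:
    """files maps filename -> first 512 bytes. For every database stem, report the
    version of each .cvd/.cld copy, whether both forms exist, and which copy is
    older when the versions differ."""
    report: Dict[str, dict] = {}
    for name in sorted(files):
        stem, ext = os.path.splitext(name)
        if ext not in (".cvd", ".cld"):
            continue  # skip mirrors.dat, .cdiff files and so on
        version = parse_vdb_header(files[name]).version
        report.setdefault(stem, {"files": {}, "duplicate": False, "stale": None})
        report[stem]["files"][name] = version
    for info in report.values():
        versions = info["files"]
        if len(versions) > 1:
            info["duplicate"] = True
            if min(versions.values()) != max(versions.values()):
                info["stale"] = min(versions, key=versions.get)
    return report


def read_headers(dirpath: str) -> Dict[str, bytes]:
    """Read the first 512 bytes of every regular file in a real database directory."""
    out = {}
    for name in os.listdir(dirpath):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = fh.read(HEADER_LEN)
    return out


if __name__ == "__main__":
    import sys
    # Pass a database directory (e.g. /var/lib/clamav) to audit it; otherwise the sample runs.
    files = read_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIR
    for stem, info in audit_databases(files).items():
        note = f"  <- older copy: {info['stale']}" if info["stale"] else ""
        print(stem, info["files"], "DUPLICATE" if info["duplicate"] else "", note)
```

Because the header is plain text, the same check also answers the "should this be correct?" question without sigtool: compare the version and build date it reports for each file with what freshclam logged, and remove only the copy the audit marks as older.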