Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

Whitelist the sending domain? Or the offending domain? Or which?

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger wrote:
> On Aug 25, 2015, at 9:41 AM, Alex wrote:
>> Thanks very much. I've submitted an fp, but it appears to be the result of
>> this:
>>
>> LibClamAV debug: Looking up hash
>> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
It's not necessary to whitelist the heuristic. If you choose to, you can whitelist the domain which can be done using a .wdb signature. There is documentation on how to write an entry in the phishsigs_howto.pdf document.

-Kevin

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger wrote:
> On Aug 25,

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Charles Swiger
On Aug 25, 2015, at 9:41 AM, Alex wrote:
> Thanks very much. I've submitted an fp, but it appears to be the result of
> this:
>
> LibClamAV debug: Looking up hash
> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
> urldefense.
> proofpoint.com/
> (26

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signatu

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
As a heuristic, the generation of this detection is a result of behavioral detection by the ClamAV engine and not by any particular database signature. Unfortunately, this effectively means that sigtool is unable to decode the signature as there is no signature associated with this detection. Luck

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi, I have an email with an apparent false-positive spoofed domain. How can I determine what domain it is that clamscan thinks is spoofed and correct it? I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to decode a false-positive, but no signature or other details are given. Than