Hi,
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
I really didn't want to do this, but I added a few entries to the
local.wdb to whitelist it:
X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-
That seemed to work for a while, but people are getting hit by it again,
it seems like the URLs changed, they used to be:
https://urldefense.proofpoint.com/v2/url?u="
the newer ones prepend
https://urldefense.com/v3/__
but that regexp should match, unless I'm misreading it. Does someone
have a better solution that works for this?
thanks!
--
micah
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
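A quick check of the two posted local.wdb entries against both Proofpoint link forms, as an added example that is not part of the original message. It models an X: entry as a whole-string regex over `RealURL:DisplayedURL` (an assumption; ClamAV's own URL normalization is not reproduced), and the sample URLs and the `urldefense.com` entry are constructed for illustration.

```python
import re

# The two local.wdb entries quoted in the message above.
POSTED = [
    r"X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-",
    r"X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-",
]
# Hypothetical extra entry modeled on the posted ones (not from the message).
CANDIDATE = r"X:.+urldefense\.com([/?].*)?:.*([/?].*)?:17-"


def entry_regex(line):
    """Drop the 'X:' type prefix and the trailing ':min-max' functionality level."""
    if not line.startswith("X:"):
        raise ValueError("only X: (regex) entries are handled here")
    return re.compile(re.sub(r":\d*-\d*$", "", line[2:]))


def covered(entries, real_url, displayed_url):
    """True if any entry matches 'RealURL:DisplayedURL' as a whole string.
    Assumption: plain concatenation; ClamAV's URL normalization is not modeled."""
    pair = f"{real_url}:{displayed_url}"
    return any(entry_regex(e).fullmatch(pair) for e in entries)


# Constructed sample links: wrapped real URL plus the text shown to the reader.
DISPLAYED = "https://www.example.org/"
V2 = "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.org_&d=CONSTRUCTED"
V3 = "https://urldefense.com/v3/__https://www.example.org/__;!!CONSTRUCTED$"
LOOKALIKE = "https://noturldefense.com/v3/__https://www.example.org/__"

if __name__ == "__main__":
    for name, url in [("v2", V2), ("v3", V3), ("lookalike", LOOKALIKE)]:
        print(name,
              "posted:", covered(POSTED, url, DISPLAYED),
              "with candidate:", covered(POSTED + [CANDIDATE], url, DISPLAYED))
```

In this model the posted entries cover the v2 form but not the `urldefense.com` v3 form, because the literal `urldefense\.proofpoint\.com` never appears in a v3 link. The leading `.+` also lets any host that merely ends in the whitelisted name match, so an entry of this shape is broader than the single domain it names.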