You can create allow-list rules for this sort of phishing heuristic alert using WDB signatures:
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format Phishing Signatures - ClamAV Documentation<
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format>
The names of the constants are self-explanatory. These constants are defined in libclamav/phishcheck.h, you can check there for the latest flags.. There is a default set of flags that are enabled, these are currently:
docs.clamav.net
?
There are two types of WDB signatures, "X" and "M". Here are a couple extra examples, since the documentation is a bit iffy:
X:.+\.usbank-email\.com([/?].*)?:.+\.usbank\.com([/?].*)?
X:.+\.ebay\.(ca|com)([/?].*)?:ebay\.caorebay\.com([/?].*)?
M:www.postfinance.info:www.postfinance.ch
M:www.deliverymail.com:media.monster.com
If you want to see more, create an empty directory and open terminal in the directory. Then run:
sigtool --unpack /var/lib/clamav/daily.cld?
(or whatever path to your daily CVD/CLD file).
It will drop a bunch of signature files in your current directory. Open daily.wdb? and you'll see a much larger list. Some are more complicated because they use various country codes in the domains, others are less so.
If you craft a signature and would like Talos to distribute in the official databases, you can upload it to
https://www.clamav.net/reports/signature The web-form does get a surprising amount of spam though, so it may get looked at faster if you are interested in joining our community-sigs<mailto:community-sigs@lists.clamav.net> mailing list and send it there. See:
https://lists.clamav.net/mailman/listinfo/community-sigs For anyone interested in submitting signatures, we manually review signature submissions. Sometimes signatures cannot be accepted or need to be revised because they are FP-prone. We will let you know when changes to the signatures are required.
Best regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Maarten Broekman via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, March 17, 2022 10:26 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Maarten Broekman <maarten.broekman@gmail.com>
Subject: Re: [clamav-users] Amazon/SpoofedDomain FP
That's indicating that there is a link in the email that's displaying "www.americanexpress.com<
http://www.americanexpress.com>" but is actually going to "www.amazonbusiness.com<
http://www.amazonbusiness.com>". It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
Hi,
The link description is a URL and apparently doesn't match the link
itself, resulting in email from Amazon Business being marked as
malicious. Do I just add this to some kind of allow/bypass list?
How do I go about doing that?
$ clamscan -v amazon-fp.eml
Scanning /home/alex/quarantine/amazon-fp.eml
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL:
https://www.amazonbusiness.com LibClamAV info: Display URL: www.americanexpress.com<
http://www.americanexpress.com>
/root/quarantine/amazon-fp.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml