Hi,

I keep having people complaining about false positives due to Heuristics.Phishing.Email.SpoofedDomain. My research has shown me that the reason this is happening is because of Outlook's "advanced threat protection", which wraps URLs in a "safelink" URL. All the details of this monstrosity are here:

https://blog.tylerbickford.com/2016/06/16/microsoft-advanced-threat-protection-is-a-disaster/

Leave it to Microsoft to implement something so ass-backwards that it actually does the opposite thing they are trying to achieve and instead breaks things in an attempt to fix them. Safelinks generates URLs that are 100% bona fide, red-alert, klaxon-sounding phishing. Cut some heads off of chickens, because it's time to run in circles!

I really didn't want to do this, but I followed https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf and I added the following to local.wdb (is this still the right place?!) to "whitelist" safebrowsing:

    X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17

but people are still complaining. Did I do this wrong? Looking again at the documentation, it appears that it should be '17-' instead of '17', but I'm not sure that matters.

Is there some better way to deal with this? I do not want to turn off phishing protection in general.

Thanks for any help you can provide,

micah

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
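As an added illustration (not part of the post above, and not ClamAV's own code), the following Python script parses the poster's local.wdb entry (with the `17-` level the docs suggest) and checks constructed (real href, displayed text) pairs against it, to show what the entry does and does not whitelist. It assumes ClamAV matches each regex against the whole URL, which is what the leading `.+` and trailing `([/?].*)?` parts are for; the sample URLs are made up.

```python
import re

# Constructed sample entry, as it would sit in local.wdb: the X: prefix, a regex
# for the real URL, a regex for the displayed URL, then the functionality level.
WDB_ENTRY = r"X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-"

def parse_wdb_x_entry(line):
    """Split an 'X:RealURL:DisplayedURL:FuncLevel' line into its fields.

    The regexes in this entry contain no ':' characters, so a plain split is
    enough here (assumption: this is not a general-purpose .wdb loader).
    """
    kind, real_re, disp_re, level = line.strip().split(":", 3)
    if kind != "X":
        raise ValueError("only X: (regex) whitelist entries are handled")
    return re.compile(real_re), re.compile(disp_re), level

def is_whitelisted(entry, real_url, displayed_url):
    """True if the entry would whitelist this (real, displayed) URL pair.

    Assumption: both regexes must match the whole URL (fullmatch), which is
    why the entry needs '.+' at the front and '([/?].*)?' at the end.
    """
    real_re, disp_re, _ = parse_wdb_x_entry(entry)
    return bool(real_re.fullmatch(real_url) and disp_re.fullmatch(displayed_url))

# Constructed (real href, displayed text) pairs; none are taken from real mail.
SAMPLES = [
    # Safe Links-wrapped link whose visible text is the original destination.
    ("https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com",
     "https://example.com"),
    # Ordinary mismatched link that is not wrapped by Safe Links at all.
    ("https://example.org/login", "https://bank.example.com"),
    # Wrapped link whose visible text names a different domain: the displayed-URL
    # regex is '.*', so the wrapper alone is enough to whitelist the pair.
    ("https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.org",
     "https://bank.example.com"),
    # Lookalike host that only starts with the Safe Links hostname: the
    # trailing '([/?].*)?' refuses it because '.example.org/' follows '.com'.
    ("https://safelinks.protection.outlook.com.example.org/", "https://example.org"),
]

def evaluate_samples(entry=WDB_ENTRY):
    """Return [(real_url, displayed_url, whitelisted), ...] for SAMPLES."""
    return [(r, d, is_whitelisted(entry, r, d)) for r, d in SAMPLES]

if __name__ == "__main__":
    for real, displayed, ok in evaluate_samples():
        print("whitelisted" if ok else "still checked", real, "->", displayed)
```

The third pair is the caveat: because the displayed-URL field is `.*`, anything wrapped by Safe Links is exempted from the SpoofedDomain heuristic whatever its visible text says, so the entry trades the false positives for blind trust in the wrapper.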
