Hi,
I keep having people complaining about False Positives due to Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint. I really didn't want to do this, but I added a few entries to the local.wdb to whitelist it: X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17- X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17- That seemed to work for a while, but people are getting hit by it again, it seems like the URLs changed, they used to be: https://urldefense.proofpoint.com/v2/url?u="; the newer ones prepend https://urldefense.com/v3/__ but that regexp should match, unless I'm misreading it. Does someone have a better solution that works for this? thanks! -- micah _______________________________________________ clamav-users mailing list [email protected] https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
