Re: [clamav-users] What was detected?

2023-02-27 Thread joe a

On 2/27/2023 4:49 PM, Andrew C Aitchison via clamav-users wrote:

On Mon, 27 Feb 2023, joe a wrote:

On 2/27/2023 4:24 PM, Paul Netpresto wrote:

I attempted that just now.  Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, 
starts cranking out errors/warnings like:


Return-path: : No such file or directory
WARNING: Return-path: : Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and am 
attempting to determine the actual objectionable domain.


Clearly I am doing something wrong.


Drop the '-f' - it says read the filenames from some-file.eml
Try clamscan  some-email.eml 


Thanks folks, that did it for me. I guess it helps to slow down and read 
what -f actually means.


Found the link and added it to my ignore file. And it actually does 
ignore the "iffy-spoofy" domain.


Maybe I will also save notes this time.


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
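
The `-f` mix-up resolved in the message above, as an added example that is not part of any poster's message and is not ClamAV code: it emulates reading a file as a list of paths, which is why each header line of the email came back as an inaccessible "file". The function names, the sample message and the debug log name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). -f / --file-list makes clamscan read
# the named file as a list of paths, one per line, instead of scanning it.

# Write a constructed sample message to $1 (contents are made up).
make_sample_eml() {
    cat > "$1" <<'EOF'
Return-path: <billing@example.com>
From: Card Service <billing@example.com>
Subject: Your statement is ready

Your statement is ready at www.example.com
EOF
}

# Emulate file-list handling: treat each non-empty line of $1 as a path and
# print how many of them are not accessible files.
count_bad_paths() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        [ -e "$line" ] || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}

# True when the first line of $1 looks like a mail header ("Name: value"),
# i.e. the file is a message to scan, not a list of paths for -f.
looks_like_email() {
    head -n 1 "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*:[[:space:]]'
}

# Scan one message directly (no -f) and keep the debug output for searching.
# Requires clamscan on PATH; the log name is this example's choice.
scan_email() {
    looks_like_email "$1" || { echo "$1 does not look like an email" >&2; return 2; }
    clamscan --debug "$1" > "$1.debug.log" 2>&1
}

# When called with a file argument, scan that message.
if [ "$#" -gt 0 ]; then
    scan_email "$1"
fi
```

The saved debug log can then be searched for the signature name reported in /var/log/clamd.log.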


Re: [clamav-users] What was detected?

2023-02-27 Thread Andrew C Aitchison via clamav-users

On Mon, 27 Feb 2023, joe a wrote:

On 2/27/2023 4:24 PM, Paul Netpresto wrote:

I attempted that just now.  Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, 
starts cranking out errors/warnings like:


Return-path: : No such file or directory
WARNING: Return-path: : Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and am attempting 
to determine the actual objectionable domain.


Clearly I am doing something wrong.


Drop the '-f' - it says read the filenames from some-file.eml

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [clamav-users] What was detected?

2023-02-27 Thread Paul Netpresto


On 27/02/2023 21:33, joe a wrote:

On 2/27/2023 4:24 PM, Paul Netpresto wrote:


On 27/02/2023 20:57, joe a wrote:

On 2/27/2023 3:52 PM, joe a wrote:

On 2/27/2023 3:47 PM, joe a wrote:
Got an email marked as infected by clamav.  I cannot determine 
what was detected.


A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what 
was detected.   Or maybe clued me in on which log I was not 
searching properly.


Did not find that conversation in the email archives.


Well never mind that part, it is shown clearly in 
/var/log/clamd.log as "Heuristics.Phishing.Email.SpoofedDomain".


What I think I conflated that with the means to determine the 
details so I can add that to a .ign* file.   Something to do with 
debug mode I think.





Or, determine why this was detected in a valid email from a known 
and utilized credit card service.   Or is it simpler to "white list" 
this sender and move on?



If you have sufficient free memory  use clamscan to scan the email in 
question. It should be kind enough to highlight the reason why 
Heuristics.Phishing.Email.SpoofedDomain was triggered.





I attempted that just now.  Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, 
starts cranking out errors/warnings like:


Return-path: : No such file or directory
WARNING: Return-path: : Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and am 
attempting to determine the actual objectionable domain.


Clearly I am doing something wrong.


Try clamscan  some-email.eml




Re: [clamav-users] What was detected?

2023-02-27 Thread joe a

On 2/27/2023 4:24 PM, Paul Netpresto wrote:


On 27/02/2023 20:57, joe a wrote:

On 2/27/2023 3:52 PM, joe a wrote:

On 2/27/2023 3:47 PM, joe a wrote:
Got an email marked as infected by clamav.  I cannot determine what 
was detected.


A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what was 
detected.   Or maybe clued me in on which log I was not searching 
properly.


Did not find that conversation in the email archives.


Well never mind that part, it is shown clearly in /var/log/clamd.log 
as "Heuristics.Phishing.Email.SpoofedDomain".


What I think I conflated that with the means to determine the details 
so I can add that to a .ign* file.   Something to do with debug mode 
I think.





Or, determine why this was detected in a valid email from a known and 
utilized credit card service.   Or is it simpler to "white list" this 
sender and move on?



If you have sufficient free memory  use clamscan to scan the email in 
question. It should be kind enough to highlight the reason why 
Heuristics.Phishing.Email.SpoofedDomain was triggered.





I attempted that just now.  Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, 
starts cranking out errors/warnings like:


Return-path: : No such file or directory
WARNING: Return-path: : Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly 
infected with "Heuristics.Phishing.Email.SpoofedDomain" and am 
attempting to determine the actual objectionable domain.


Clearly I am doing something wrong.




Re: [clamav-users] What was detected?

2023-02-27 Thread Paul Netpresto


On 27/02/2023 20:57, joe a wrote:

On 2/27/2023 3:52 PM, joe a wrote:

On 2/27/2023 3:47 PM, joe a wrote:
Got an email marked as infected by clamav.  I cannot determine what 
was detected.


A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what was 
detected.   Or maybe clued me in on which log I was not searching 
properly.


Did not find that conversation in the email archives.


Well never mind that part, it is shown clearly in /var/log/clamd.log 
as "Heuristics.Phishing.Email.SpoofedDomain".


What I think I conflated that with the means to determine the details 
so I can add that to a .ign* file.   Something to do with debug mode 
I think.





Or, determine why this was detected in a valid email from a known and 
utilized credit card service.   Or is it simpler to "white list" this 
sender and move on?



If you have sufficient free memory  use clamscan to scan the email in 
question. It should be kind enough to highlight the reason why 
Heuristics.Phishing.Email.SpoofedDomain was triggered.





Re: [clamav-users] What was detected?

2023-02-27 Thread joe a

On 2/27/2023 3:52 PM, joe a wrote:

On 2/27/2023 3:47 PM, joe a wrote:
Got an email marked as infected by clamav.  I cannot determine what 
was detected.


A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what was 
detected.   Or maybe clued me in on which log I was not searching 
properly.


Did not find that conversation in the email archives.


Well never mind that part, it is shown clearly in /var/log/clamd.log as 
"Heuristics.Phishing.Email.SpoofedDomain".


What I think I conflated that with the means to determine the details so 
I can add that to a .ign* file.   Something to do with debug mode I think.





Or, determine why this was detected in a valid email from a known and 
utilized credit card service.   Or is it simpler to "white list" this 
sender and move on?




Re: [clamav-users] What was detected?

2023-02-27 Thread joe a

On 2/27/2023 3:47 PM, joe a wrote:
Got an email marked as infected by clamav.  I cannot determine what was 
detected.


A long time ago I asked here and someone described how to scan an 
individual email file, log the results and scan the log for what was 
detected.   Or maybe clued me in on which log I was not searching properly.


Did not find that conversation in the email archives.


Well never mind that part, it is shown clearly in /var/log/clamd.log as 
"Heuristics.Phishing.Email.SpoofedDomain".


What I think I conflated that with the means to determine the details so 
I can add that to a .ign* file.   Something to do with debug mode I think.


