clamav-users January 2014 archive

Re: [clamav-users] Heuristics.Safebrowsing.Suspected false-positive help

From: Al Varnell <alvarnell_at_nospam>
Date: Wed Jan 22 2014 - 17:17:29 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>

On Jan 22, 2014, at 7:25 AM, Alex <mysqlstudent@gmail.com> wrote:

> On Tue, Jan 21, 2014 at 2:15 PM, Charles Swiger <cswiger@mac.com> wrote:
>> On Jan 21, 2014, at 10:40 AM, Alex <mysqlstudent@gmail.com> wrote:
>>> I received a number of messages on the 17th that were tagged incorrectly with:
>>>
>>> X-Amavis-Alert: INFECTED, message contains virus:
>>> Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
>>>
>>> I tried to figure out what the pattern was, but apparently it no longer exists?
>>
>> There is no specific pattern responsible for the "Heuristics" type.
>>
>> Basically, it generally indicates that the email contains URLs which take one to a
>> different site than what is being displayed to the user. The "safebrowsing" string
>> also suggests that one of the domains in question was listed on Google's blacklist
>> of sites containing suspected malware.
>
> So I can assume that since clamscan no longer finds a virus, that the
> string that triggered the false-positive is no longer part of the
> blacklist?

There is no “string”. The heuristics process looks for suspicious formatting, usually involving an e-mail from a financial institution, but since this apparently comes from the Google SafeBrowsing folks, I guess you would have to find a way to ask them.

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml