
"Heuristic.Phishing.email.SpoofedDomain" Virus

I am still looking for an answer as to what function this Malware performs. ClamXav virus software downloaded from the App Store identified several "Apple mails" and identified it as "Heuristic.Phishing.email.SpoofedDomain". I am unable to find the definition from ClamXav or searches through web searches.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 30, 2012 5:01 PM

35 replies

Apr 30, 2012 6:34 PM in response to macfrombrampton

I put that message in a Google search, and it found 1,950 entries. ClamXav is identifying email that appears to be phishing emails with a spoofed address (looks legit but on careful examination it may not be). You can delete the emails if the ClamXav message bothers you or just leave them. As long as you don't respond to them, there's no damage being done. If the email is a legitimate Apple email, then something in the email is generating a false positive. When I get those, I delete the offending email ... done.
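
An added illustration, not part of the reply above and not ClamAV's own code: a simplified check of the kind a spoofed-domain heuristic performs, comparing the domain shown in a link's text with the domain its href actually points to. The protected-domain list, function names and sample HTML are constructed for this example; the third sample link shows how a legitimate message that uses a click-tracking redirect produces a false positive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands whose domain appearing in link text triggers the comparison.
PROTECTED = {"apple.com"}
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Naive registrable-domain guess: last two labels, no public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_links(html):
    """Links whose text names a protected domain but whose href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        m = HOST_IN_TEXT.search(text)
        shown = base_domain(m.group(1)) if m else ""
        real = base_domain(urlparse(href).hostname or "")
        if shown in PROTECTED and real != shown:
            hits.append((text, href))
    return hits

# Constructed sample: link 1 is consistent, link 2 is a spoof, link 3 is a
# click-tracking redirect in an otherwise legitimate mail (false positive).
SAMPLE = """
<a href="https://store.apple.com/account">https://store.apple.com/account</a>
<a href="http://login.example.net/apple">www.apple.com/verify</a>
<a href="http://click.mailer.example.org/r?u=1">www.apple.com/itunes</a>
"""
```

Calling `spoofed_links(SAMPLE)` returns the second and third links; telling them apart takes a look at where the href really leads, which the text-versus-target comparison alone cannot do.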

Apr 30, 2012 6:34 PM in response to macfrombrampton

ClamXav is simply confused (as it often is) doing its pattern matching and heuristics looking at data that just happens to match those patterns and heuristics. The fact that it is in mail is a giveaway that ClamXav is too stupid to know what it is looking at. Don't let ClamXav move anything it finds in mail or you could corrupt the mail databases.

May 3, 2012 5:29 AM in response to MadMacs0

Mad, I apologize for hijacking this thread, but I am completely stuck and maybe you can help with this. I tried registering for the ClamX forum, but never received my activation e-mail. I wrote the following message, here excerpted, to Mark Allan twice, but haven't received a reply. I realize he can't reply to every e-mail he receives, but I would have thought he'd make an exception for this. Maybe I made a mistake by choosing the category "other."


This is the second time I am writing, as I have had no reply to my first message, sent on 4/27.


I registered for the ClamXav support forum last Friday, 4/27, but never received my activation email and am unable to log in. I have no blocking or rules set up either on my email server or locally that would have prevented this email getting through. I am blocked from re-registering using the same email address.


After I registered, I saw that my user name "brillo" appeared as "newest member," so that part, at least, went through.


I am completely stuck.


One other ClamX related question, if I may.


The ClamAV scanning engine installer I'm seeing in receipts is version 0.95.3 from 4/25/2010. I would have thought updating ClamXav would have brought along the latest ClamAV engine, but maybe not. Do I need to separately download and install the current one, which is 0.97.4? And if I do, will it properly overwrite the older one?


I'm also seeing this ClamAV folder with a creation date of 3/17/2012. Does that mean it was updated?


/usr/local/clamXav/share/clamav



Thanks


<Edited by Host>

May 3, 2012 10:45 AM in response to WZZZ

WZZZ wrote:


Mad, I apologize for hijacking this thread, but I am completely stuck and maybe you can help with this. I tried registering for the ClamX forum, but never received my activation e-mail.

Mark just returned from Holiday (a European term) so he's running a bit behind, but I would expect him to get back to you when he has a moment. I've not heard of this problem before, but I'm not sure how I would. I do know that I had a similar problem getting an activation e-mail for over a week at another site before it finally worked.

The ClamAV scanning engine installer I'm seeing in receipts is version 0.95.3 from 4/25/2010. I would have thought updating ClamXav would have brought along the latest ClamAV engine, but maybe not. Do I need to separately download and install the current one, which is 0.97.4? And if I do, will it properly overwrite the older one?


I'm also seeing this ClamAV folder with a creation date of 3/17/2012. Does that mean it was updated?


/usr/local/clamXav/share/clamav

That's very strange. I've never paid attention to that but when I look at /Library/Receipts/clamavEngineInstaller104.pkg I see v0.97.4 dated 3/30/12. The 0.95.3 version came with ClamXav 2.0.4 & 2.0.5 back in Nov/Dec 2009.


To find out what version is actually installed try this Terminal command:


/usr/local/clamXav/bin/clamscan -V


You didn't mention whether you are using the AppStore or the website version, which store the engine in different places. If it's the AppStore version then you should probably remove any older scan engines that remain on your hard drive. Use the "ClamAV Engine REMOVER" script found on any ClamXav_2.x.x.dmg file you downloaded.


If you are using the web site version and the above command shows an older scan engine, use the same script to remove it (make sure both ClamXav and Sentry are not running), then launch ClamXav and it should offer to install the newer engine for you.

May 3, 2012 12:07 PM in response to WZZZ

One more quick hijack: I completely forgot to ask, will ClamX, by default, scan invisible files for any given selection? I am seeing "Show invisible files" as a separate box to check when you go into Source List, so wondered if it's necessary to check that box and then select all those different invisibles in order for ClamX to scan them? This was the question I wanted to ask when I tried registering for the forum.