Hello.

I know this looks like a nightmare or lack of sleep (or even something
else), but I have to write it. Sorry ;-)

I'm observing false positives, but unfortunately - they are not caused by
some specific input files (mails). It is something non-deterministic.
For example, I send some file by email 20 times and clamav
detects a virus in only two of them.
The probability of detecting a virus in a clean file rises with the
overall rate of detected viruses (when some virus is popular and detected
often, the probability of detecting it in the clean file is higher) AND 
with the size of the clean file (FPs occur more often in bigger files).

I first observed this with the SaneSecurity SCAM database - when some PDF
spam was very popular, I got that spam detected in clean files quite often
(let's say, at a 10% rate).
I have disabled that database and the problem was almost gone. Almost.

What is interesting - scanning the given email or file with clamscan or
clamdscan does not show the problem - it is always clean.

My setup is sendmail with clamav-milter on 4 machines (FreeBSD 6.2 and 4.9,
problem seen on 6.2) and remote clamd on 2 others (FreeBSD 6.2).
clamav-0.91.2 (from ports). Actually, the problem was seen about two months
ago, so the version could be a bit lower (up to date in those days).

My first guess is that during scanning of a clean file some signal from another
thread/server scanning the real virus at the same time is somehow received
and misinterpreted as a virus in a clean file.

Any ideas how to track this down?

        Jacek

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net