Jason Haar wrote:

The "submit sample" Web page appears to have a 1M limit on the file sizes it will accept.


I have two false positives that are 2 and 4.5M in size and cannot submit them. I have even tried unpacking (actually installing) them to find the file that was at fault - but clamscan cannot discover a virus when it's unpacked (so it must be some random byte-string match that is triggered by the CAB file and not by the content) - so I cannot make them any smaller to submit.

I can't judge for you, but I got what I believed to be a false positive on a 20M pure text file with a name ending in ".script". We already had experience that such a file (program generated) could contain garbage at the end, especially in circumstances such as a full disk while processing, or a power-off in the middle. (We even have a program that repairs the files.) This time however, clamav categorized it as having Somefool.gen. Our other scanner (commercial) did not detect anything. False positive was our first thought.

But further investigation (triggered by the fact that the website has a limit of 1M on submissions :-) ) showed that the last part of the file was indeed a piece of an executable program (UPX encoded). The piece was damaged, and harmless. Probably the reason why our other virus scanner did not find anything.

Thanks to clamav, we found the customer, and indeed, after investigation he was infected by Netsky.B. Seeing the history of problems they had, probably already since April!

Not all false positives are completely false...


-- 
Paul Bijnens, Xplanation                          Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM  Fax   +32 16 397.512
http://www.xplanation.com/                        email: [EMAIL PROTECTED]

***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye,    *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ...         *
* ...  "Are you sure?"  ...   YES   ...   Phew ...  I'm out           *
***********************************************************************

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
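The investigation Paul describes (is the tail of a large "text" file really still text, and does it carry pieces of a packed executable?) can be scripted, which also solves the 1M submission problem: only the suspicious region needs to be sent in. The following Python helper is an added example, not code from this thread or from ClamAV. It assumes the 1M limit from the thread, a 4 KiB window for the text test, and uses the standard PE and UPX marker strings; the "script" file with a damaged UPX fragment appended is constructed inside the script.

```python
"""Triage helper for a suspected false positive on a large 'text' file.

Added example, not code from the thread or from ClamAV.  It looks for the
kind of evidence found by hand in the thread: a tail that is no longer text
and contains PE / UPX marker strings.  It then carves that region so a
sample smaller than the (assumed) 1M submission limit can be sent in.
"""
import hashlib
import re

# Strings found in a PE executable and in UPX-packed ones (standard names).
MARKERS = {
    b"MZ": "DOS/PE header magic",
    b"PE\x00\x00": "PE signature",
    b"UPX0": "UPX section name",
    b"UPX1": "UPX section name",
    b"UPX!": "UPX packer header",
}
SUBMIT_LIMIT = 1_000_000          # assumed upload limit from the thread
WINDOW = 4096                     # assumed chunk size for the text test
TEXT_BYTES = re.compile(rb"[\t\n\r\x20-\x7e]")


def find_markers(data):
    """Every (offset, description) marker hit in the data, sorted by offset."""
    hits = []
    for magic, desc in MARKERS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def text_ratio(chunk):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return len(TEXT_BYTES.findall(chunk)) / len(chunk) if chunk else 1.0


def locate_binary_tail(data, threshold=0.9):
    """Offset of the first WINDOW that is less than `threshold` text, else None."""
    for off in range(0, len(data), WINDOW):
        if text_ratio(data[off:off + WINDOW]) < threshold:
            return off
    return None


def carve_sample(data, limit=SUBMIT_LIMIT):
    """Decide whether the file carries an appended executable fragment.

    Returns a dict with the verdict, the carve start offset, the carved bytes
    (at most `limit` long) and their SHA-256 for the submission note.
    """
    hits = find_markers(data)
    tail = locate_binary_tail(data)
    if tail is None and not hits:
        verdict = "text throughout, no PE/UPX markers: treat as a real false positive"
        start = None
    elif tail is not None and hits:
        verdict = "non-text tail with PE/UPX markers: likely an appended executable fragment"
        start = tail
    elif hits:
        verdict = "PE/UPX marker strings inside text data: inspect the hits by hand"
        start = hits[0][0]
    else:
        verdict = "non-text tail but no PE/UPX markers: garbage or another format"
        start = tail
    sample = data[start:start + limit] if start is not None else b""
    return {
        "verdict": verdict,
        "start": start,
        "sample": sample,
        "sha256": hashlib.sha256(sample).hexdigest() if sample else None,
        "hits": hits,
    }


def build_sample():
    """Constructed test input: generated 'script' text with a damaged UPX/PE
    fragment appended, like the disk-full / power-off corruption in the thread.
    Returns (data, offset_of_fragment)."""
    text = b"".join(b"line %05d: SET value=%d\r\n" % (i, i * 7) for i in range(2000))
    fragment = (b"MZ\x90\x00" + b"\x00" * 60       # DOS header stub
                + b"PE\x00\x00" + b"\x00" * 20    # PE signature
                + b"UPX0" + b"\x00" * 36          # section table entries
                + b"UPX1" + b"\x00" * 36
                + b"UPX!"                         # UPX header
                + bytes(range(256)) * 16)         # damaged packed body
    return text + fragment, len(text)


if __name__ == "__main__":
    data, offset = build_sample()
    result = carve_sample(data)
    print(result["verdict"])
    print("carve starts at offset", result["start"], "(fragment really at", offset, ")")
    print("carved", len(result["sample"]), "bytes, sha256", result["sha256"])
    for off, desc in result["hits"]:
        print(f"  {off:>8}  {desc}")
```

Run against a real file, the carved region is what gets submitted; the printed offsets and hash go in the report so the signature maintainers can see why the file tripped the detection. The window test and the marker search are deliberately separate, because "MZ" or "UPX" can occur in legitimate text, and a non-text tail on its own may just be the disk-full garbage the thread mentions.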
