Hi, I was getting tons of these false positives (just reported & submitted a sample).

You can delete the line:
 
Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*687474703a2f2f(31|32|33|34|35|36|37|38|39)

from /var/lib/clamav/daily.inc/daily.ndb

and it will go away.

It is triggered by any file (or email, or mbox) containing

"pagame" after "Subject: " (or /^Subject: / followed by /pagame.*/i)

then anything (or nothing), followed by a line

http//(any number) (or http://[0-9])

(not placing the plain triggering text here, or I suppose the mail will be blocked on every clamav user mailbox)

You can test this by creating such a text file and scanning it with ClamAV.

"Pagamento" (payment) is a VERY common subject in Portuguese, and having a numeric link anywhere after that in your mailbox or in the same email causes the false positive. That signature is WAY too prone to false positives!

BR,

Joao S Veiga
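
The signature quoted in the message, decoded and run against sample mail, as an added example that is not part of the original post or of ClamAV itself. It assumes matching over raw bytes with no normalization; the helper names and the sample messages are constructed for illustration.

```python
import re

# Signature line exactly as quoted in the post.
SIG = ("Email.FreeGame:4:*:75626a6563743a{-30}(67|47)616d65*"
       "687474703a2f2f(31|32|33|34|35|36|37|38|39)")

# Tokens of the hex-signature subset this line uses: {-n}, *, (aa|bb), literal hex.
TOKEN = re.compile(r"\{-(\d+)\}|\*|\(([0-9a-f|]+)\)|((?:[0-9a-f]{2})+)", re.I)

def hex_to_regex(hexsig):
    """Translate the hex body into an equivalent Python bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d" % pos)
        pos = m.end()
        gap, alts, literal = m.groups()
        if gap is not None:            # {-n}: at most n arbitrary bytes
            parts.append(b".{0,%d}" % int(gap))
        elif alts is not None:         # (aa|bb): one of the listed byte strings
            opts = [re.escape(bytes.fromhex(a)) for a in alts.split("|")]
            parts.append(b"(?:" + b"|".join(opts) + b")")
        elif literal is not None:      # plain hex: literal bytes
            parts.append(re.escape(bytes.fromhex(literal)))
        else:                          # *: any number of arbitrary bytes
            parts.append(b".*")
    if pos != len(hexsig):
        raise ValueError("unsupported syntax at offset %d" % pos)
    return re.compile(b"".join(parts), re.DOTALL)

def parse_ndb(line):
    """Split name:target:offset:hexsig and compile the hex body."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, hex_to_regex(hexsig)

NAME, TARGET, OFFSET, PATTERN = parse_ndb(SIG)  # target 4 = mail, offset * = anywhere

def matches(data):
    return PATTERN.search(data) is not None

# Constructed sample inputs (documentation addresses, not real mail).
SAMPLES = {
    "pt_payment": b"Subject: Pagamento da fatura\r\n\r\nVeja http://192.0.2.10/f\r\n",
    "pt_named_link": b"Subject: Pagamento da fatura\r\n\r\nVeja http://example.com/\r\n",
    "mbox_later_msg": b"Subject: Pagamento\r\n\r\nObrigado.\r\n\r\nFrom bob@example.org\r\n"
                      b"Subject: Backup\r\n\r\nLog: http://198.51.100.7/status\r\n",
    "unrelated": b"Subject: Meeting notes\r\n\r\nSee http://192.0.2.10/notes\r\n",
}

if __name__ == "__main__":
    print(NAME, TARGET, OFFSET, PATTERN.pattern)
    for label, data in SAMPLES.items():
        print(label, matches(data))
```

The decoded literals are `ubject:`, `game` or `Game` within 30 bytes of it, and `http://` followed by a digit 1-9 at any later point, which is why a subject starting with "Pagamento" plus a numeric link in a later message of the same mbox is enough to match.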

