>Jonathan Kamens wrote:
>> Greetings,
>>
>> Recently, ClamAV version 0.90.2 with main.cvd version 44 and daily.cvd
>> version 4540 reported that an EXE on one of our servers was infected
>> with Hacktool.PCGI. This EXE came from a pretty reputable source, and
>> when I scanned the same file with Symantec AntiVirus, it claimed that
>> the file was clean. So, what now? Is there any way I can provide
>> information to the folks who maintain the ClamAV virus definitions to
>> help them (a) determine whether ClamAV or SAV is correct, and (b) if the
>> latter, fine-tune the ClamAV signature to prevent this false positive
>> from recurring? Basically, what's the protocol for a suspected false
>> positive?
>
>http://cgi.clamav.net/sendvirus.cgi
>
>Mark it as a false positive.

Thanks, I didn't realize that interface could be used for false positives as well.

However, we have a problem -- the file that's showing up as a false positive is one we got from one of our clients, and we're not allowed to redistribute it. Is there any way I can extract information from the file that will be helpful in analyzing the false positive and submit that to the virus database maintainers rather than submitting the file itself?

  jik

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
