So TPTB at work here would like some insight into how text is extracted from a submission for a signature. Specifically, the Email.Trojan-xx signatures. Of the handful of viruses I submitted, two are causing false positives.

Email.Trojan-48 is the text of a legal disclaimer belonging to our customer who reported it to us as spam. It is not a part of the original virus email, which was attached and contained a Trojan.Downloader.Agent-1297 virus. Likewise, Email.Trojan-36 is a quote from a customer's .sig, not a part of the virus email. Email.Trojan-37 is the text of the viral email, along with Trojan.Autorun-287 to cover the executable part of the email.

Two questions then:

1) Is there an automated process for generating text signatures or does a human look at it (if you'd rather not reveal that, I can understand, I just need to tell them that)? It would seem fairly evident that a .sig or disclaimer that occurs before the viral email that's an attachment should not be treated as virus material.

2) Can you remove the Email.Trojan-36 and Email.Trojan-48 signatures?

Thanks. I'll strip out customer stuff from now on before submitting, just so there's no misunderstanding.

--
Brian Bebeau
Trustwave
http://www.trustwave.com
