Michael R. Dilworth wrote:
> PDF-9669 seems to be matching most HTML encoded messages on
> older versions of ClamAV. Yes I know update... But I thought
> I had a couple of more months to clean things up...

I've seen lots of false positives matching on this signature. At first I thought somebody was mass-mailing a PDF exploit under lots of different guises, though it's definitely a false-positive.

It looks like Exploit.PDF-9669 matches on an empty 0 byte string:

d41d8cd98f00b204e9800998ecf8427e:0:Exploit.PDF-9669

For now I've commented out the line in daily.inc/daily.hdb - it's the last line in the file in the version that I have, though this is only going to help until freshclam runs.

This really needs to be fixed ASAP, I hate to think how many systems around the world are hitting on this and blocking huge amounts of legitimate mail.

I'm very surprised that there isn't some sort of automated check that is run against a signature release that ensures that a signature isn't matching 0 bytes.

Regards

Richard
