On 8/23/12 8:30 PM, "Mark Foster" <[email protected]> wrote:
> Hi folks
> First time poster, please indulge me as I get to grips with how this
> group works....
>
> I have had a case recently where a customer of my mail platform
> (protected with Clam) received an encrypted zip attachment.
> The body of the message immediately prior to the Base64 encoded
> attachment contained the word 'password' (twice, in fact) and the email
> was subsequently blocked as containing "Worm.Bagle.F-zippwd-7"
>
> The email was clean. With a raw copy of the email I was able to strip
> out the entire contents, short of the attachment and the two lines of
> text prior.
>
> By removing all trace of the word 'password' in those two lines, the
> file ceased to be marked false-positive for the virus.
>
> It appears that the conditions to match the above virus definition
> (encoded attachment, and the presence of the word 'password' in the
> preceding text) are pretty vague.

You can see the string using the following command:

    sigtool --find Worm.Bagle.F-zippwd-7 | sigtool --decode-sig

You can also go to <http://clamav-du.securesites.net/cgi-bin/clamgrok> and type in the name, then translate each string to ASCII, but I find the above easier.

I see six different strings that must be present in order to identify this one. It's also in the main.cvd indicating it's been around for a while.

> I submitted this as a false positive
> several days ago but it appears to still trigger, so I've been forced to
> have a bypass for Clam worked in for this customer (less than ideal).
>
> Interested in others' exposure to circumstances like this, wonder if I'm
> alone in seeing this behavior (or similar) and what the best method of
> moving forward is?

I suspect you've done all you can. Perhaps one of the signature writers can tell you what the final decision was/will be.

-Al-
--
Al Varnell
Mountain View, CA
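As an added example (not part of the thread and not ClamAV's own code), the following Python does by hand what `sigtool --decode-sig` does for you: it splits a ClamAV signature line into its fields and turns each hex sub-signature back into readable text, keeping the wildcards (`??`, `*`, `{n-m}`, `(aa|bb)`) visible so you can judge how loose the match conditions are. The sample signature is constructed for this example to imitate the shape of a logical signature (name, target block, logical expression, hex sub-signatures); it is not the real Worm.Bagle.F-zippwd-7 definition, and the angle-bracket rendering of wildcards is this script's convention, not sigtool's exact output.

```python
"""Decode ClamAV .ldb / .ndb signature lines into readable strings.

Logical signature (.ldb):  Name;TargetDescription;LogicalExpr;Hex0;Hex1;...
Extended signature (.ndb): Name:Target:Offset:Hex

Only plain hex bodies are handled; sub-signature offsets and ::modifiers
are out of scope here.
"""
import re
from typing import Dict, List, Optional

# Tokens of a body-based signature: {n-m} gaps, * gaps, (aa|bb) alternatives,
# and hex byte pairs, which may carry nibble wildcards such as 4? or ??.
_TOKEN_RE = re.compile(r"\{[^}]*\}|\*|\([0-9a-fA-F?|]+\)|[0-9a-fA-F?]{2}")


def _render_byte(pair: str) -> str:
    """One hex pair -> printable ASCII, else \\xNN; wildcards stay visible."""
    if "?" in pair:
        return f"<{pair}>"
    value = int(pair, 16)
    # '<', '>' and '\' are escaped so decoded text cannot mimic a wildcard.
    if 0x20 <= value <= 0x7E and chr(value) not in "<>\\":
        return chr(value)
    return f"\\x{value:02x}"


def decode_hexsig(hexsig: str) -> str:
    """Decode one hex sub-signature, e.g. '70617373776f7264' -> 'password'."""
    out: List[str] = []
    pos = 0
    for m in _TOKEN_RE.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparsable body at offset {pos}: {hexsig[pos:]!r}")
        tok = m.group(0)
        if tok.startswith("{") or tok == "*":
            out.append(f"<{tok}>")
        elif tok.startswith("("):
            branches = [decode_hexsig(b) for b in tok[1:-1].split("|")]
            out.append("<(" + "|".join(branches) + ")>")
        else:
            out.append(_render_byte(tok))
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in body: {hexsig[pos:]!r}")
    return "".join(out)


def decode_signature(line: str) -> Dict[str, object]:
    """Split a .ldb or .ndb line and decode every hex body it contains."""
    line = line.strip()
    if ";" in line:  # logical signature
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError("logical signature needs name, target, logic, hex")
        name, target, logic, *subsigs = fields
        return {"name": name, "target": target, "logic": logic,
                "offset": None, "strings": [decode_hexsig(s) for s in subsigs]}
    parts = line.split(":")  # extended signature
    if len(parts) < 4:
        raise ValueError("extended signature needs name, target, offset, hex")
    name, target, offset, hexsig = parts[:4]
    return {"name": name, "target": target, "logic": None,
            "offset": offset, "strings": [decode_hexsig(hexsig)]}


# Constructed sample, NOT a real ClamAV signature: a mail-target (Target:4)
# logical signature that requires all four strings to be present.
SAMPLE_LDB = (
    "Example.Zippwd-Test;Target:4;0&1&2&3;"
    "70617373776f7264;"                                                  # password
    "436f6e74656e742d5472616e736665722d456e636f64696e673a20626173653634;"  # Content-Transfer-Encoding: base64
    "66696c656e616d653d{0-64}2e7a6970;"                                  # filename=...zip
    "504b0304"                                                           # PK\x03\x04 (zip header)
)

if __name__ == "__main__":
    sig = decode_signature(SAMPLE_LDB)
    print(f"{sig['name']}  target={sig['target']}  logic={sig['logic']}")
    for i, s in enumerate(sig["strings"]):
        print(f"  [{i}] {s}")
```

Run against a real line pulled out with `sigtool --find`, the decoded strings show exactly which plaintext fragments (here, for instance, a bare `password`) a message must contain to trip the signature, which is the information needed to argue a false-positive report.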
