On 12.11.2013 12:39, Andreas Schulze wrote:
> > > We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1"
> > > clamscan called again and - nothing changed. Still marked as virus...
> > > Any hints/ideas?

I found a fantastic fact!

For testing I have the message as a flat file in /tmp. The messages marked as virus here contain an Authentication-Results header. If I remove this AR header, or simply change "dkim=pass" to "dkim=none", or simply change characters to uppercase in the message file, it is no longer classified as Bagle virus!

$ md5sum falsepositive falsepositive.ok
17bb34d840e1266b09954021a4175e51 falsepositive
997a68e9ed616c61e56d3b5154159441 falsepositive.ok
$ ls -la falsepositive falsepositive.ok
-rw-r--r-- 1 sca sca 13167933 12. Nov 12:50 falsepositive
-rw-r--r-- 1 sca sca 13167933 12. Nov 12:52 falsepositive.ok
$ clamscan falsepositive falsepositive.ok
falsepositive: Worm.Bagle.H-zippwd-1 FOUND
falsepositive.ok: OK

----------- SCAN SUMMARY -----------
Known viruses: 2903796
Engine version: 0.98
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 34.58 MB
Data read: 25.11 MB (ratio 1.38:1)
Time: 11.345 sec (0 m 11 s)

And now: what's different?

$ diff falsepositive falsepositive.ok
27c27
< dkim=pass (1024-bit key; unprotected)
---
> dkim=pasS (1024-bit key; unprotected)

Could it be that the signature for Worm.Bagle also tests for a valid DKIM-signed message? Bagle was active in 2004, and DKIM-signed messages were not as common then as they are today.

Anyway: a working whitelisting option would still be nice :-)

--
Andreas Schulze
Internetdienste | P252
DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info@datev.de | Internet www.datev.de
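The manual diff-and-rescan the post describes, packaged as a small repeatable harness for a false-positive report. This is an added example, not code from the post or from the ClamAV project; it assumes clamscan is on PATH (if not, it only writes the variants), uses a constructed sample message, and writes to /tmp/clamav-fp.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed sample message; the Authentication-Results values are made up
# but follow the shape quoted in the post ("dkim=pass (1024-bit key; ...)").
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"Authentication-Results: mx.example.net;\r\n"
    b"\tdkim=pass (1024-bit key; unprotected) header.d=example.com\r\n"
    b"Subject: test\r\n\r\nhello\r\n"
)
# One header field including folded continuation lines (up to the next
# line that starts with a non-blank character, i.e. the next header name).
AR_HEADER = re.compile(rb"^Authentication-Results:.*?(?=^\S|\Z)", re.S | re.M)


def make_variants(msg: bytes) -> dict:
    """Return the original plus the three edits described in the post."""
    return {
        "original": msg,
        "no-ar-header": AR_HEADER.sub(b"", msg, count=1),
        "dkim-none": msg.replace(b"dkim=pass", b"dkim=none", 1),
        "dkim-pasS": msg.replace(b"dkim=pass", b"dkim=pasS", 1),  # same length
    }


def scan(paths):
    """Run clamscan over the files; map path -> verdict, or None if not installed."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    out = subprocess.run([exe, "--no-summary", *map(str, paths)],
                         capture_output=True, text=True).stdout
    # clamscan prints one "<path>: <signature> FOUND" or "<path>: OK" per file.
    return dict(line.rsplit(": ", 1) for line in out.splitlines() if ": " in line)


if __name__ == "__main__":
    src = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    outdir = Path("/tmp/clamav-fp")  # assumption: writable scratch directory
    outdir.mkdir(exist_ok=True)
    variants = make_variants(src)
    files = [outdir / f"msg.{label}" for label in variants]
    for path, data in zip(files, variants.values()):
        path.write_bytes(data)
    verdicts = scan(files) or {}
    for f in files:
        print(f"{f.name:18} {verdicts.get(str(f), 'clamscan not run')}")
```

Pass the path of the flagged message as the first argument; the variant that turns the verdict from FOUND to OK pins down the bytes the signature keys on, which is what a signature false-positive report needs.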