Ravi wrote:
Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?
Whatever calls clamdscan needs to look at the results in more detail,
and instead of just blindly treating any positive result as a virus,
check the virus "name" to see if there is some other action, or if the
result is something that should be let past.
For instance, I've added checks to several mail systems that treat a
resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently
from other results, because that test (PhishingScanURLs) tends to FP on
legitimate mail. The test is still valuable but it's not reliable as an
absolute black/white result.
In general, if you don't want certain things to cause false positives
with a content filter, either:
- don't pass those things to the filter in the first place,
- handle the results from the filter differently for your problem case,
- disable the problematic test(s) in the filter
Exactly what changes you need to make for each of these will depend on
how you're passing content to the filter, how you're accepting the scan
results back, and how configurable the filter is.
-kgd
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
