[clamav-users] FP in structured SSN

Wagde Zabit via clamav-users Sat, 28 Sep 2019 16:19:34 -0700

I keep getting false positives on SSN in a log file full of IP addresses.

For some reason clamav detect the 172-31-19-5 as a SSN although it’s not 
(AAA-GG-SSSS)


./bin/clamdscan ~/ssn.txt
/home/ubuntu/ssn.txt: Heuristics.Structured.SSN FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)

cat ~/ssn.txt
172-31-19-5
172-31-19-5
172-31-19-5
172-31-19-5
172-31-19-5

./bin/clamdscan --version
ClamAV 0.101.2/25579/Sat Sep 21 08:23:44 2019


Is there a way to change the exisintg SSN signature?
Is there a way to write a new signature like: ^((?!000)(?!666)\d{3})([ 
-])?((?!00)\d{2})([ -])?((?!0000)\d{4})$ to get better results?

Thanx
Wagde

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] FP in structured SSN

Reply via email to