Re: [clamav-users] false positives for firefox add-ons?

Hi altogether, thanks so much for your answers.  :-) It´s quite a relief to get a confirmation by you that the files I was referring to were false positives indeed. Thanks a lot. @Al: > This was a false positive as discussed much earlier today on this very same list Oh, I missed that.

Re: [clamav-users] false positives for firefox add-ons?

Hi there, On Sat, 25 Jun 2022, Christian wrote: ... Archive.Test.Agent2-9953724-0 FOUND/ ... A false positive, as it turns out this is a signature which should never have been published: https://lists.clamav.net/pipermail/clamav-users/2022-June/012731.html It should go away on the next

Re: [clamav-users] false positives for firefox add-ons?

This was a false positive as discussed much earlier today on this very same list. It was corrected by a signature update over seven hours ago. Simply run freshclam and your curiosity will be history. -Al- > On Jun 25, 2022, at 5:40 AM, Christian wrote: > > Hello altogether, :-) > > >

[clamav-users] false positives for firefox add-ons?

Hello altogether, :-) perhaps there´s someone here who can help me with a curious phenomenon. Every now and then I scan the directory where all the firefox-related files reside. This is my command: clamscan -i -r

[clamav-users] False positives

3, SHA256 hash: 83691347093e658c98e542cfcb80a61642106d545435ff664d4e51eb3931fa1c https://www.virustotal.com/#/file/83691347093e658c98e542cfcb80a61642106d545435ff664d4e51eb3931fa1c/detection Its a windows SYSTEM file Can we get it removed please.

Re: [clamav-users] False Positives - Heuristics.Phishing.Email.SpoofedDomain

Thanks Joel, Testing confirmed the issue appears to be with the WDB/PDB databases, I'm assuming 101.0 was when they were introduced For now I've changed my scan settings from blackhole (in use since 99.4) to Quarantine. Hopefully as I submit samples, white listings can get added. Thanks

Re: [clamav-users] False Positives - Heuristics.Phishing.Email.SpoofedDomain

Check out http://www.clamav.net/documents/miscellaneous-faq > On Jan 8, 2019, at 2:43 PM, Ken Campney wrote: > > Emails from credit card companies I deal with have since 12/10/18 been > getting flagged by

[clamav-users] False Positives - Heuristics.Phishing.Email.SpoofedDomain

Emails from credit card companies I deal with have since 12/10/18 been getting flagged by Heuristics.Phishing.Email.SpoofedDomain. These include Best Buy/Citi Bank (accountsonline.com) and American Express. Sending Domain and IP's have been verified Upgraded to ClamAV version: 101.0 on

Re: [clamav-users] False positives submitted but still viewed as viruses

Yes, this page http://www.clamav.net/reports/fp Le 08/02/2016 21:17, Alain Zidouemba a écrit : Were the files submitted through this form? http://www.clamav.net/reports/fp Thanks, - Alain On Mon, Feb 8, 2016 at 9:33 AM, Klaas TJEBBES wrote: Thanks for your

Re: [clamav-users] False positives submitted but still viewed as viruses

Thanks for your answer. Here are the md5sums : acad82626e83064ce8792bb17f568726 21c85b53fccf0712aadad1127115f4ff 39cf4db0bba92ae1c18869198fed8e83 77273b2e4e4f4f39718e0ad9a8c39075 9fb8f134217e4a2421fbaa61f7a88838 867fd8e85ffc806162fdf6d6bda94ccd Le 08/02/2016 15:00, Steve Basford a écrit :

Re: [clamav-users] False positives submitted but still viewed as viruses

If you don't want to wait, you can also whitelist the files in your own database files. Run either of the following: sigtool --sha256 sigtool --md5 Put the output into a '.fp' file in your db directory and that should whitelist that specific file so it's not reported. --Maarten On Mon,

Re: [clamav-users] False positives submitted but still viewed as viruses

On Mon, February 8, 2016 1:27 pm, Klaas TJEBBES wrote: > Hi. > > > I've submitted several false positives but at the end of the submission > form I don't get any "submission-ID" so I cannot track my submissions. > > The files I've submitted (a week ago) are still detected as viruses. > Hi, If

Re: [clamav-users] False positives submitted but still viewed as viruses

Were the files submitted through this form? http://www.clamav.net/reports/fp Thanks, - Alain On Mon, Feb 8, 2016 at 9:33 AM, Klaas TJEBBES wrote: > Thanks for your answer. > > Here are the md5sums : > acad82626e83064ce8792bb17f568726 >

Re: [clamav-users] False positives submitted but still viewed as viruses

Even with a submission-ID (which I have not recently received either) you won’t really be able to “track” a submission. You will be notified when your sample has been processed by e-mail (if signed up for clamav-virusdb) at which time you will have to search recent releases for your name to

Re: [clamav-users] False positives phishing sites

Hi, Thank you Shaun for your reply. Al Varnell. Yes I will pass that over but at the moment I'm reviewing customers emails because the impact we are facing with the false positive is so massive that we would need to have a team of 4-5 people full time working only on false positives. It's not

Re: [clamav-users] False positives phishing sites

On Wed, Sep 24, 2014 at 12:41 AM, Thorvald Hallvardsson wrote: at the moment I'm reviewing customers emails because the impact we are facing with the false positive is so massive that we would need to have a team of 4-5 people full time working only on false positives. It's not the matter

Re: [clamav-users] False positives phishing sites

Hi, Don't know really. I also have some email newsletter samples of shops selling mobile phones - marked as suspicious. Also message from mobile network announcing iPhone 6 - also marked as suspicious. Not sure about the exact reason as I haven't review them yet. I will let you all know about

[clamav-users] False positives phishing sites

Hi guys, I need a bit of help in understanding why ClamAV finds phishing URLs in the very very legitimate emails. I have got some customers complaining that some emails from normal retail shops (newsletters) are marked as phising. Also multiple customers having issues with receiving emails from

Re: [clamav-users] False positives phishing sites

On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote: Anyone would like to point me into the right direction and help me out with the problems I'm having ? Report as an FPs here: http://cgi.clamav.net/sendvirus.cgi ClamAV team will need to add hosts to the daily.wdb database to

Re: [clamav-users] False positives phishing sites

Hi Steve, Thank you for your answer. If I would like to build my own database (I have read PDF but I don't understand really how it works) what would be the syntax for it ? H:youraccount.mbna.co.uk:mbna.co.uk ?? Regards. On 23 September 2014 13:08, Steve Basford steveb_cla...@sanesecurity.com

Re: [clamav-users] False positives phishing sites

Thorvald, ClamAV's Phishing heuristics checks the link URL versus the URL listed in the link text. Here is a simple example: a href=linktext/a If the text is formatted like a URL and it is different from the href link, then it will be flagged as a phishing attempt. I don't know offhand how

Re: [clamav-users] False positives phishing sites

Hi Shaun, Thank you for your reply. Just for a bit of clarification would actually clamav catch this bit as a phishing: a href=3Dhttp://www.bankofamerica.co.uk/amazon;img src=3Dhttp://youraccount.m=bna.co.uk/imgproxy/img/647707065/az_main_logo.png; width=3D280 height=3D= 103 border=3D0

Re: [clamav-users] False positives phishing sites

Yes, that would trigger it. Shaun On Tue, Sep 23, 2014 at 11:16 AM, Thorvald Hallvardsson thorvald.hallvards...@gmail.com wrote: Hi Shaun, Thank you for your reply. Just for a bit of clarification would actually clamav catch this bit as a phishing: a

Re: [clamav-users] False positives phishing sites

On Sep 23, 2014, at 5:29 AM, Thorvald Hallvardsson thorvald.hallvards...@gmail.com wrote: If I would like to build my own database (I have read PDF but I don't understand really how it works) what would be the syntax for it ? H:youraccount.mbna.co.uk:mbna.co.uk ?? You can obviously do

[clamav-users] False positives

I'm a software developer at Anzovin Studio. We've recently received a rather irate report from one of our users that the ClamAV is flagging one of our installers as being infected with Win.Trojan.378656. We've checked our other installers with ClamAV and a number of them are also being flagged. I

Re: [clamav-users] False positives

Tagore, Thanks for your FP report. The process for submitting suspected false positives is to go through the webpage http://www.clamav.net/lang/en/sendvirus/submit-fp/ . We monitor submission that come in through that feed and address them as soon as possible. For a high priority FP, please email

Re: [clamav-users] false positives

Hello Steve, Thank you for your answer. Cheers, Pawel -Original Message- From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steve Basford Sent: Wednesday, August 21, 2013 7:25 PM To: ClamAV users ML Subject: Re: [clamav-users] false

Re: [clamav-users] false positives

...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Ian Eiloart Sent: Wednesday, August 21, 2013 5:05 PM To: andre.cor...@pobox.com Cc: clamav-users@lists.clamav.net Subject: [clamav-users] false positives Hi Andre, NB: I'm copying this to the ClamAV users list

Re: [clamav-users] false positives

I've also had dozens of emails blocked as false-positives in the last hour. All are being matched as MBL_349876. It's not the first time I've had false positives with the MBL unofficial list. I tried to report the last incident, but there is no contact information on the MBL website. I've added:

Re: [clamav-users] false positives

I've been hit by this also (started around 2:50pm today UK time). All the FP's are via the same MBL_349876. I've commented out the MBL lines in the /etc/clamav-unofficial-sigs.conf file and killed all MBL sigs for now. Robert. On 21 Aug 2013, at 17:51, Andrew Beverley a...@andybev.com wrote:

Re: [clamav-users] false positives

Hi Andre, NB: I'm copying this to the ClamAV users list, as a heads-up. The ClamAV EXT list currently contains a number (eleven) of false positive entries. They all match the string :// (without the quotes), which clearly matches any email containing any URL. This is a very serious

Re: [clamav-users] false positives

On Wed, 21 Aug 2013, Robert wrote: I've been hit by this also (started around 2:50pm today UK time). All the FP's are via the same MBL_349876. I've commented out the MBL lines in the /etc/clamav-unofficial-sigs.conf file and killed all MBL sigs for now. I had 10 different sigs in mbl.ndb

Re: [clamav-users] false positives

Finally I would like to know why these subscriptions were implemented? Who can answer this question? I had a report the this sig causing an issue, sigs were removed and domain whitelisted. Problem was a big spam run from those domain, but root was incorrectly flagged Cheers, Steve

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

Steve Basford skrev den 26-11-2012 15:12: http://sanesecurity.co.uk/fps.htm thanks, this is verbosely explained there is sanesecurity.ftm resolved with daily.ftm now ?, last time i checked it looked like there was dupes, so now i dont use it anymore

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

These rules must have a common signature? Old downloads suddenly trigger positives. Hi Jari, These sigs need to be reported as FP's to: false_positive AT crdf.fr In the mean time, I've whitelisted on the mirrors, until they can take a look. One thing to double check is to submit one of

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

Jari Fredriksson skrev den 25-11-2012 17:10: These rules must have a common signature? Old downloads suddenly trigger positives. unofficial sigs, what should clamav team do about them ? only report fails on official sigs ___ Help us build a

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

Jari Fredriksson skrev den 25-11-2012 17:10: These rules must have a common signature? Old downloads suddenly trigger positives. unofficial sigs, what should clamav team do about them ? Well, I've tried to explain what to do with FP's like this... http://sanesecurity.co.uk/fps.htm

[clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

These rules must have a common signature? Old downloads suddenly trigger positives. Alkuperäinen viesti / Orig.Msg. Aihe: Anacron job 'cron.weekly' on whirlwind Päiväys:Sun, 25 Nov 2012 09:01:19 +0200 (EET) Lähettäjä: Anacron r...@jarif.iki.fi Vastaanottaja:

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

Am 25.11.2012 um 17:10 schrieb Jari Fredriksson: These rules must have a common signature? Old downloads suddenly trigger positives. It looks like you are using some 3rd party signatures. Please contact the author of this signature(s). -- Christoph

Re: [clamav-users] False Positives for Bagle when looking at encrypted zip attachments

Alain (and others), A month later and I am experiencing similar problems. Worm.Bagle.F-zippwd-6 instead of -7. The 'sigtool' output for both -6 and -7 appears to be identical minus a single ^M at the end of a line., but my take on it is, surely the presence of the word 'pass' followed by an

Re: [clamav-users] False Positives for Bagle when looking at encrypted zip attachments

Mark, Worm.Bagle.F-zippwd-6 had been in our signature database for 7 years and had been performing well. It is definitely preferable for us to receive an FP report along with the file(s) that are causing the suspected FP. Nevertheless, I have dropped Worm.Bagle.F-zippwd-6 as of now, and will

Re: [clamav-users] False Positives for Bagle when looking at encrypted zip attachments

Hi there, On Fri, 24 Aug 2012, Mark Foster wrote: First time poster, please indulge me as I get to grips with how this group works Read all the docs that you can find, especially http://www.clamav.net/doc/latest/clamdoc.pdf and http://www.clamav.net/doc/latest/signatures.pdf although

Re: [clamav-users] False Positives for Bagle when looking at encrypted zip attachments

Mark, Sorry for the longer than usual turn-around. I will look into your FP submission and get back to you in the next few hours. -Alain ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

Re: [clamav-users] False Positives for Bagle when looking at encrypted zip attachments

On 8/23/12 8:30 PM, Mark Foster mark.fos...@smxemail.com wrote: Hi folks First time poster, please indulge me as I get to grips with how this group works I have had a case recently where a customer of my mail platform (protected with Clam) received an encrypted zip attachment. The

[clamav-users] False Positives

Dear list, How do we mark signatures as a false positive in our sig datavase? Thx P. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

Re: [clamav-users] False Positives

Please report your FP(s) here: http://www.clamav.net/lang/en/sendvirus/submit-fp/ - Alain ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

Re: [clamav-users] False Positives

I will Alain, But I want a quick way to whitelist as a shortcut, because our users are complaining. :( On Mon, Aug 13, 2012 at 3:23 PM, Alain Zidouemba azidoue...@sourcefire.com wrote: Please report your FP(s) here: http://www.clamav.net/lang/en/sendvirus/submit-fp/ - Alain

Re: [clamav-users] False Positives

I will Alain, But I want a quick way to whitelist as a shortcut, because our users are complaining. :( Put the problem signature name in a file called local.ign2 and restart clamd. eg: MBL_303159 MBL_312128 Worm.Mydoom-20009 etc. etc. Cheers, Steve Sanesecurity

Re: [clamav-users] False Positives

Thanks Steve. I also reported the FP. On Mon, Aug 13, 2012 at 3:41 PM, Steve Basford steveb_cla...@sanesecurity.com wrote: I will Alain, But I want a quick way to whitelist as a shortcut, because our users are complaining. :( Put the problem signature name in a file called local.ign2 and

[clamav-users] false positives with MBL_207346?

I started seeing a bunch of these this morning, essentially trashing around... I don't know, 80 or 90% of our mail. The signature is definitely in our database but I can't find anything about it via google aside from pages that have apparently been updated to no longer mention it. Any ideas

Re: [clamav-users] false positives with MBL_207346?

I started seeing a bunch of these this morning, essentially trashing around... I don't know, 80 or 90% of our mail. The signature is definitely in our database but I can't find anything about it via google aside from pages that have apparently been updated to no longer mention it. Any ideas

Re: [clamav-users] false positives with MBL_207346?

I wasn't able to receive my own post... freshclam didn't initially pull that signature back in (I removed it manually from mbl.db) so I thought we were in the clear. It eventually came back and everything came tumbling down again. Steve, replying to your post: grep MBL_207346 | sigtool

Re: [clamav-users] false positives with MBL_207346?

Oh, and I now realize that this is outside of freshclam's control, being a sanesecurity signature. I removed the mbl.db and disabled that cronjob until we sort this out... On 02/22/2012 12:51 PM, John Madden wrote: I wasn't able to receive my own post... freshclam didn't initially pull

Re: [clamav-users] false positives with MBL_207346?

On 2/22/2012 1:00 PM, John Madden wrote: Oh, and I now realize that this is outside of freshclam's control, being a sanesecurity signature. I removed the mbl.db and disabled that cronjob until we sort this out... On 02/22/2012 12:51 PM, John Madden wrote: I wasn't able to receive my own

Re: [clamav-users] false positives with MBL_207346?

Oh, and I now realize that this is outside of freshclam's control, being a sanesecurity signature. I removed the mbl.db and disabled that cronjob until we sort this out... Hi John, Actually, just to clarify... it's not a Sanesecurity signature and it's not distributed by Sanesecurity either,

[clamav-users] false positives

Hello, We've got reports of lots of false positives for PUA.PDF.OpenActionObject. Printers, scanners and such that are scanning documents and sending them via email are hitting this particular signature. Martin Sager University of Michigan ___ Help

Re: [Clamav-users] False Positives on PDF-Files

On 05/06/2010 05:56 PM, Andreas Krauß wrote: Hi, ClamAV 0.96 on our mail server is running very well. We ship every day many PDf files and have some false positive detections How can we solve the problem? Today ClamAV found 4 false positives: 01:~/ClamAV# clamscan * 2.pdf:

Re: [Clamav-users] False Positives on PDF-Files

Hi, ClamAV 0.96 on our mail server is running very well. We ship every day many PDf files and have some false positive detections How can we solve the problem? Have you submitted the false positive files on http://cgi.clamav.net/sendvirus.cgi ? First thank you for your quick

[Clamav-users] False Positives on PDF-Files

Hi, ClamAV 0.96 on our mail server is running very well. We ship every day many PDf files and have some false positive detections How can we solve the problem? Today ClamAV found 4 false positives: 01:~/ClamAV# clamscan * 2.pdf: Exploit.PDF-34 FOUND 3.pdf: Exploit.PDF-27 FOUND

Re: [Clamav-users] False Positives on PDF-Files

Andreas Krauß wrote: Hi, ClamAV 0.96 on our mail server is running very well. We ship every day many PDf files and have some false positive detections How can we solve the problem? Hi Andreas, Have you submitted the false positive files on http://cgi.clamav.net/sendvirus.cgi ? --aCaB

Re: [Clamav-users] false positives

2009/9/23 Frédéric SOSSON fsos...@gmail.com Hello, I would like to test my virus protection behavior by using false positives in clamav-0.95.2.tar.gz/test/.split McAfee found viruses but ClamAV did not (by using clamscan) what could be wrong ? regards, Fred

Re: [Clamav-users] false positives for

George Geller wrote: Recently, the scan has been giving me: sda1/Program Files/Microsoft Office/Office12/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND sda1/Program Files/Microsoft Office/Office12/excelcnv.exe: W32.Virut.Gen.D-163 FOUND

[Clamav-users] false positives for

Recently, the scan has been giving me: sda1/Program Files/Microsoft Office/Office12/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND sda1/Program Files/Microsoft Office/Office12/excelcnv.exe: W32.Virut.Gen.D-163 FOUND sda1/WINDOWS/SoftwareDistribution/Download/754e3b95d1b56e045c85bd49529d92b4/xlconv.cab:

Re: [Clamav-users] false positives?

Steve Wray wrote: Hi there, I'm not sure this is the right mailing list for this but here goes anyway. I need to find out if I am dealing with a false positive or with a real problem. I've been running clamav over some of our webservers content for the past year or so and it has never

[Clamav-users] false positives?

Hi there, I'm not sure this is the right mailing list for this but here goes anyway. I need to find out if I am dealing with a false positive or with a real problem. I've been running clamav over some of our webservers content for the past year or so and it has never found anything (apart from

Re: [Clamav-users] false positives?

Noel Jones wrote: Steve Wray wrote: Hi there, I'm not sure this is the right mailing list for this but here goes anyway. I need to find out if I am dealing with a false positive or with a real problem. I've been running clamav over some of our webservers content for the past year or so

Re: [Clamav-users] false positives?

Steve Wray wrote: Noel Jones wrote: Steve Wray wrote: Hi there, I'm not sure this is the right mailing list for this but here goes anyway. I need to find out if I am dealing with a false positive or with a real problem. I've been running clamav over some of our webservers content for the

Re: [Clamav-users] false positives?

Noel Jones wrote: Steve Wray wrote: Noel Jones wrote: Steve Wray wrote: Hi there, I'm not sure this is the right mailing list for this but here goes anyway. I need to find out if I am dealing with a false positive or with a real problem. I've been running clamav over some of our

[Clamav-users] False Positives with MSRBL

Hi, I use the following: http://download.mirror.msrbl.com/MSRBL-SPAM.ndb ..and today there were so many false positives -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php --

Re: [Clamav-users] False Positives with MSRBL

Odhiambo Washington wrote: ..and today there were so many false positives Hi, If you haven't already... contact them with the raw email that matched and the virus name that was reported and I'm sure they'll get it fixed. Cheers, Steve ___

[Clamav-users] false positives

Hi all, Does clamscan report 'Found' on a virus which other scanners do not detect? What I mean to ask is, is clam fully reliable? I scanned a windows fat32 partition yesterday and one 'found' was reported. I went on to the web to find what 'w32.cih.1003' is. Its a trojan. At this point I scan

Re: [Clamav-users] false positives

david thompson wrote: Thats why I am now thinking clamscan may not be working properly. I am using clam 0.83 on slackware 10. Any ideas Submit false positives via www.clamav.net And don't over do the punctuation :) Niek -- ___

Re: [Clamav-users] false positives

On Tue, 2005-02-22 at 15:28 +0100, Niek wrote: david thompson wrote: Thats why I am now thinking clamscan may not be working properly. I am using clam 0.83 on slackware 10. Any ideas Submit false positives via www.clamav.net And don't over do the punctuation :) Errr

Re: [Clamav-users] false positives

On Tue, Feb 22, 2005 at 01:47:17PM +, david thompson wrote: I scanned a windows fat32 partition yesterday and one 'found' was reported. I went on to the web to find what 'w32.cih.1003' is. Its a trojan. At this point I scan the file with f-prot. Nothing found. I then download avg

Re: [Clamav-users] false positives

On Tue, 22 Feb 2005 13:47:17 + david thompson [EMAIL PROTECTED] wrote: I went on to the web to find what 'w32.cih.1003' is. Its a trojan. No, it isn't. It's a file virus using midfile infection method and most scanners do not clean it properly only changing the entry point and leaving the

Re: [Clamav-users] false positives

david thompson wrote: I then download avg - the free windows virus scanner. install it and get the latest definitions. I scan in windows using avg. Nothing found. This is not the first time this has happened. I scanned a friends hard drive with windowsxp on it, and clamscan found 'lion'

Re: [Clamav-users] False Positives on .doc files?

-- This is very likely File::Scan. Yes indeed. That was the problem. MimeDefang will use File::Scan if it's there. Thanks for the help. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] False Positives on .doc files?

On Fri, 18 Feb 2005, Lesli St. Clair wrote: Yes indeed. That was the problem. MimeDefang will use File::Scan if it's there. I don't know about CanIt, but in MIMEDefang you can set your filter to only discard when the virus scanner reports back that it is a virus (ignoring when it's suspicious).

[Clamav-users] False Positives on .doc files?

All, We use ClamAV with CanIt Pro (mimedefang, milter, spamassassin) for mail scanning. Some Word documents seem to trigger this: Rejected: Virus suspicious - handler Discard Advice? I searched the archives, but don't see anything similar. I have been told that File::Scan can create false

Re: [Clamav-users] False Positives on .doc files?

On Thu, 2005-02-17 at 11:27 -0500, Lesli St. Clair wrote: All, We use ClamAV with CanIt Pro (mimedefang, milter, spamassassin) for mail scanning. Some Word documents seem to trigger this: Rejected: Virus suspicious - handler Discard Advice? ClamAV doesn't do that. It's one of those

Re: [Clamav-users] False Positives on .doc files?

Lesli St. Clair wrote: All, We use ClamAV with CanIt Pro (mimedefang, milter, spamassassin) for mail scanning. Some Word documents seem to trigger this: Rejected: Virus suspicious - handler Discard Advice? I searched the archives, but don't see anything similar. I have been told that File::Scan

[Clamav-users] false positives?

Sat Jan 1 12:18:44 2005 - Clamuko: /tmp/wml-2.0.9.tar.gz: Exploit.HTML.ObjectData FOUND the file in question is just downloaded http://www.thewml.org/distrib/wml-2.0.9.tar.gz and in the last few days i've also seen stuff like Viruses detected: Exploit.HTML.MHTRedir.1n: 8 Time(s)

Re: [Clamav-users] false positives?

Radu Anghel wrote: and in the last few days i've also seen stuff like Viruses detected: Exploit.HTML.MHTRedir.1n: 8 Time(s) Java.ClassLoader.24564: 15 Time(s) all of these in emails from securityfocus.com mailing lists This was actually just two mails, if I remember correctly.

[Clamav-users] False positives

How/Where do I report false positives? Kevin W. Gagel Network Administrator (250) 561-5848 local 448 (250) 562-2131 local 448 -- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done

Re: [Clamav-users] False positives

On Wed, 7 Apr 2004, Kevin W. Gagel wrote: How/Where do I report false positives? Same place you submit uncaught viruses: http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi Be sure to check the false positive box. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois

Re: [Clamav-users] False positives

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, Kevin W. Gagel. On 07.04.2004 23:12 you said the following: | How/Where do I report false positives? | | | Kevin W. Gagel | Network Administrator | (250) 561-5848 local 448 | (250) 562-2131 local 448

Re: [Clamav-users] False positives

- Original Message Follows - From: Damian Menscher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] False positives Date: Wed, 7 Apr 2004 14:53:47 -0500 (CDT) On Wed, 7 Apr 2004, Kevin W. Gagel wrote: How/Where do I report false positives? Same place you submit

Re: [Clamav-users] False positives

On Wed, 07 Apr 2004 at 12:12:25 -0700, Kevin W. Gagel wrote: How/Where do I report false positives? Like other samples - at http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi Don't forget to select the A false positive option. Give as many details as possible. -- Tomasz Papszun SysAdm @

Re: [Clamav-users] False positives

Kevin W. Gagel wrote: How/Where do I report false positives? The usual http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi or follow the link from www.clamav.net. There's a flag for false-positive there. Regards, Fajar -- Don't use GIF. Use PNG instead http://www.gnu.org/philosophy/gif.html

Re: [Clamav-users] False positives

How/Where do I report false positives? it's a faq :) Same place you submit uncaught viruses: I tried this and got this error message: File is valid, and was successfully uploaded. You uploaded more than 500 kbytes. This looks wrong. Exiting. Send it to virus _at_ clamav.net

Re: [Clamav-users] false positives

On Thu, 23 Oct 2003 04:05:36 -0400 lists [EMAIL PROTECTED] wrote: The correct fix is to submit such falsely infected file via normal way: http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi , i have a bit of a problem - the WordMacro.Concept and W97M/Story.A false positives appear in

RE: [Clamav-users] false positives

you don't like ClamAV to detect. Best regards, Diego d'Ambra -Original Message- From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of lists Sent: 22. oktober 2003 09:52 To: [EMAIL PROTECTED] Subject: [Clamav-users] false positives i' ve recently started using

Re: [clamav-users] False Positives

Something must have changed again because I'm now getting reports of Exploit.IFRAME.Generic in a file that was last used in April. Again, Norton doesn't detect a virus in the file. Steve On Wed, 2003-06-11 at 21:10, [EMAIL PROTECTED] wrote: Hi, I agree that I have another case of

Re: [clamav-users] False Positives

Tomasz, Yes. That seems to work now. Many thanks, Steve On Mon, 2003-06-09 at 17:58, Tomasz Kojm wrote: I tried downloading some of the Reportedly infected files again and clanscan again reports them as being infected. Norton AV for a PC, however, does not!! That was fixed, but I

Re: [clamav-users] False Positives

I tried downloading some of the Reportedly infected files again and clanscan again reports them as being infected. Norton AV for a PC, however, does not!! Steve On Fri, 2003-06-06 at 09:59, Steven J. Reilly wrote: Hi, I'm new here so be gentle. I've been running Clamscan on all user data

[clamav-users] False Positives

Hi, I'm new here so be gentle. I've been running Clamscan on all user data on my mixed Solaris/Linux network for months now, with it only reporting infection in the clamav test files. However, today I woke up to find that 14 files are reportedly infected by Worm.BugBear.B. These are files that