On 03/27/2018 09:37 AM, Rob McEwen wrote:
On 3/27/2018 9:48 AM, David Jones wrote:
Looks like ClamAV UNOFFICIAL sigs are detecting this:
Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL
David,
Excellent... except for one potential problem... this is in their
"foxhole_all.cdb" file which they label as "high false positive risk" -
which could scare some away!
For those who don't score very high on ClamAv and/or who are able to
score DIFFERENTLY based on different types of Sanesecurity and/or ClamAv
results, this is probably OK. But for others who prefer to either
outright block or score high on ClamAv, that MIGHT present a problem. On
the other hand, maybe Sanesecurity is just being overly cautious (or
considering more theoretical FNs?), and such actual FPs in real world
mail flow are actually extremely rare?
Any Thoughts? Anyone know?
That's interesting because I probably wouldn't have started using
foxhole_all.cdb if it had been classified like that then. I am not
getting any reports or finding any problems with FPs.
3,110,729 total messages* since March 15th
112,477 spam blocked
2,071 total viruses found
8 Foxhole viruses found
*After MTA rejects based on RBLs and other DNS checks
--
Dave Jones
--
David Jones
