On Sat, 25 Oct 2003 03:32:56 -0400
lists <[EMAIL PROTECTED]> wrote:
> i just started using clamav a few weeks ago. i was pretty thrilled
> with it until i discovered that most of its MS-Office-type virus
> signatures were broken. this leads to many false-positives
> ("detecting" a virus that isn't present).
OLE2 scanning in clamav is an Achilles heel. Microsoft only provides the
VBA standard description to commercial anti-virus vendors. In the last
week I implemented libole2 (and later libgsf) based support for decoding
VBA streams but it turned out it only works for a few document types.
> the effect of this is, at a minimum, to create a lot of unnecessary
> work for our support staff - attempting to clean files that are fine,
> testing PC's for infections when they aren't infected, double-checking
How do you know your files are really clean? We often receive files
that were not properly repaired by other antiviruses (check your
WordMacro.Concept false positives). Very often some other scanners also
detect a virus. Which one is right?
> on the more worrisome end of the scale: we use clamav with amavis on
> our mail server, which often contains office documents. i'm concerned
> that mail containing virus-free files are getting rejected, impeding
> our day-to-day operations, and perhaps confounding my managers, and
> their managers, and so on, as documents make their way up and down the
> management chain.
>
> finally, as a rather lonely champion of open source in my department,
> it just looks bad.
We can't remove possibly "broken" signatures without proof. If a
problematic document doesn't contain any private data please send it to
us.
> overwritten each time it's updated). this seems serious enough to me
> to merit a formal work-around of some kind in the interim - perhaps a
> mechanism to flag "iffy" signatures with a set of reliability ratings
> and allow config options to bypass scanning of these signatures.
I'm porting code from OpenOffice to clamav and there is a real chance
of VBA support already in November.
Best regards,
Tomasz Kojm
--
oo ..... [EMAIL PROTECTED]
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ And don't forget to click on the tummy...
//\ /\\ <- C. Amboinensis www.pajacyk.pl
