On Tue, May 23, 2006 at 11:36:12AM -0600, Alex Georgopoulos wrote: > First I would like to say I've submitted files via the web interface with > the false positive using the method from the FAQ. I have a bunch of excel > files that won't get through because clam thinks it has this W97 macro > virus. We have had 3 commercial AV vendors analyze this file and they said > it is not a macro virus but I cannot get any response from the clam devs as > to why they think it is one. Anybody out there seeing this too? This is > causing a serious issue with our customer and if I can't get any feedback I > am going to be forced to abandon the product which is something I don't want > to do.
Maybe "tons" is slightly exaggerated? Out of approximately 10 million emails today, our logs show one hit for XF.Sic.L, and then another hit when that email was bounced because of the reject we gave. I can only see that this is for a file of about 600KByte, which is large for a virus, but not exceptional for a macro virus. If it is really bothering you, you could unpack the daily.cvd and main.cvd (using sigtool -u), search for the line containing "XF.Sic.L" and remove that, and point your virus scanner to the extracted files (which have to be in another directory than the .cvd files). Or provide a non-virus-scanned email address, or non-virus-scanned outgoing mail server (usable with specific SMTP AUTH only), or something. -- Jan-Pieter Cornet <[EMAIL PROTECTED]> !! Disc lamer: The addressee of this email is not the intended recipient. !! !! This is only a test of the echelon and data retention systems. Please !! !! archive this message indefinitely to allow verification of the logs. !! _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
