Charles Swiger wrote: > However, also please note that sometimes people have Excel or Word > docs that were infected and then cleaned, which still contain some > viral fingerprints that ClamAV recognizes. If you can quarantine some > of these files and double-check with some other viral scanners, you > might find that ClamAV is actually blocking these files for good > reason.... I think sometimes it has no good reason to block. If it's "clean", then it doesn't contain a virus... It means ClamAV is using a bad signature to classify the virus.
We've had this before too - and yes I do upload them as FPs. The problem we had was a user was infected, was cleaned using product X, but the "cleanup" left behind the bit that ClamAV used to detect the virus. That user then used that Excel spreadsheet to create all new spreadsheets they made from then on, and every time one of them hit our systems, we'd block it - even though it really contained no ACTIVE virus (if you want to put it that way). -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
