On Fri, 17 Oct 2008 11:14:20 +0100
Matthew Newton <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> We've got a user whose files are being detected as
> "Worm.Mydoom.M.log". These ones all happen to be PDF files saved
> from Word 2007.
> 
> There is an example at the following URL:
> http://www.le.ac.uk/its/mcn4/clamav/incorrect_mydoom_detect.pdf
> 
> I submitted the file via the clamav web page a few days ago, but
> have heard nothing and the "virus" is still detected. Is there
> some easy way I can disable the Worm.Mydoom.M.log rule (without
> the auto-update scripts clobbering it at each update of course ;-) ),
> or, better, can the signature be tweaked in the main database?
> 
> The files do not detect as malware in any other scanners (checked
> with a couple of on-line "multi-scanner" sites - only ClamAV hits).

Hi Matthew,

as a temporary solution you can run the following command:

echo "0:0:ffffffff:DOS exe(or not):CL_TYPE_BINARY_DATA:CL_TYPE_MSEXE" > /usr/local/share/clamav/local.ftm

(you may need to change the db path). This will change the way some specific
files are handled (in your case we just don't want to handle them as
CL_TYPE_BINARY_DATA). Also, we now have a bug entry for this problem:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1241

Thanks,

-- 
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Fri Oct 17 13:25:25 CEST 2008
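
Added example, not part of the original thread and not ClamAV project code: a small validator for the six colon-separated fields of the local.ftm line quoted above, so that a malformed override is caught before it is written into the database directory. The field labels, function names and sample buffers are assumptions of this example; it only handles rules whose first field is 0 and treats them as a plain byte comparison at the given offset.

```python
import re
from typing import NamedTuple, Optional

# The rule quoted in the reply above.
PAGE_RULE = "0:0:ffffffff:DOS exe(or not):CL_TYPE_BINARY_DATA:CL_TYPE_MSEXE"
TYPE_NAME = re.compile(r"CL_TYPE_[A-Z0-9_]+")
HEX_BYTES = re.compile(r"(?:[0-9a-fA-F]{2})+")

class FtmRule(NamedTuple):
    # Field labels are this example's own (assumption), not taken from the post.
    magictype: int
    offset: int
    magic: bytes
    name: str
    rtype: str
    ftype: str

def parse_ftm(line: str) -> FtmRule:
    """Validate one .ftm line; raises ValueError on anything malformed."""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError(f"expected at least 6 fields, got {len(fields)}")
    magictype, offset, magic, name, rtype, ftype = fields[:6]
    if magictype != "0":
        raise ValueError("this example only handles rules whose first field is 0")
    if not re.fullmatch(r"[0-9]+", offset):
        raise ValueError(f"offset must be a non-negative integer: {offset!r}")
    if not HEX_BYTES.fullmatch(magic):
        raise ValueError(f"magic must be whole hex bytes: {magic!r}")
    for type_name in (rtype, ftype):
        if not TYPE_NAME.fullmatch(type_name):
            raise ValueError(f"not a CL_TYPE_ name: {type_name!r}")
    return FtmRule(0, int(offset), bytes.fromhex(magic), name, rtype, ftype)

def match_type(rule: FtmRule, data: bytes) -> Optional[str]:
    """Return the rule's target type if the magic bytes sit at its offset."""
    window = data[rule.offset:rule.offset + len(rule.magic)]
    return rule.ftype if window == rule.magic else None

if __name__ == "__main__":
    rule = parse_ftm(PAGE_RULE)
    # Constructed sample buffers, not real files.
    samples = {"pdf-like": b"%PDF-1.5\n", "ff-prefixed": b"\xff\xff\xff\xff\x00"}
    for label, data in samples.items():
        print(label, "->", match_type(rule, data))
```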