At 1:12 PM +0200 4/17/09, Wolfgang Cernohorsky wrote:
>Suntower West wrote:
>> Hi,
>>
>> I'm getting a positive for this in a Eudora mailbox (which is
>> basically just an ASCII file.) However, when I scan the same file
>> with Comodo it comes up as clean.
>
>Today clamav found the same in
>"clamav-users Digest, Vol 55, Issue 15" ...

And you will, especially on any mail list or email that discusses phishing and malware vectors. It is all a matter of context. This particular PayPal phishing signature has no business showing up anywhere legitimate EXCEPT in forums and correspondence that discuss malware. The signature is valid. The fact that you are scanning emails that inherently discuss malware is bound to generate detections at some time.

Please, if you don't want to detect phishing attempts or malware vectors, either 1) disable these in your clam.conf file and vet the unofficial rule files you use, 2) unsubscribe from all sources where you might receive them, or 3) (my recommended solution) set these rules to "score" and whitelist all sources that discuss these topics.

clamav-users is an obvious place where malware and its vectors are discussed, as well as mailing lists from other AV, security and mail server folks, sanesecurity, ncfta.net, malware.org, etc., as well as email containing logs from firewalls, routers, etc. and email from folks you discuss any of these issues with. You should also consider whitelisting your incoming abuse address to allow for abuse reports reaching your abuse desk.

Tom
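
Option 3 from the reply above (score phishing hits, whitelist sources that discuss malware, let mail to the abuse address through), as an added Python example that is not part of the original post. The list ID, abuse address, score value and signature names are constructed assumptions, and the header checks trust sender-controlled fields.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Site policy values below are assumptions for illustration.
PHISH_SCORE = 4.0                                       # points added instead of blocking
TRUSTED_LIST_IDS = {"clamav-users.lists.example.org"}   # constructed List-Id
ABUSE_RECIPIENTS = {"abuse@example.org"}                # constructed abuse desk address
PHISH_NAME = re.compile(r"(^|\.)phish(ing)?(\.|$)", re.IGNORECASE)

def decide(raw_message, signature):
    """Map one scanner hit to (action, score) for a message."""
    if not PHISH_NAME.search(signature):
        return ("reject", None)          # non-phishing detections keep blocking
    msg = message_from_string(raw_message)
    # List-Id and To/Cc are sender-controlled; pair this with an
    # authenticated source check before trusting it in production.
    list_id = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    if list_id and list_id.group(1).lower() in TRUSTED_LIST_IDS:
        return ("deliver", 0.0)          # list that discusses malware
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    if {addr.lower() for _, addr in getaddresses(recipients)} & ABUSE_RECIPIENTS:
        return ("deliver", 0.0)          # abuse reports must reach the desk
    return ("score", PHISH_SCORE)        # everything else: score, do not block

# Constructed sample messages and signature names.
DIGEST = ("From: list@example.org\nTo: user@example.org\n"
          "List-Id: ClamAV users <clamav-users.lists.example.org>\n"
          "Subject: clamav-users Digest\n\nquoted phishing sample\n")
REPORT = "From: reporter@example.net\nTo: Abuse Desk <abuse@example.org>\n\nforwarded phish\n"
PLAIN = "From: someone@example.net\nTo: user@example.org\n\nphishing body\n"

if __name__ == "__main__":
    for name, raw in (("digest", DIGEST), ("report", REPORT), ("plain", PLAIN)):
        print(name, decide(raw, "Sanesecurity.Phishing.Example"))
    print("trojan", decide(DIGEST, "Win.Trojan.Example"))
```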