On 2011-03-06 22:39, Alex wrote:
> Hi,
> 
> Some time ago I posted a message requesting help tracking down a false
> positive, and trying to learn why it triggered. I have another one.
> This is the information from the logs for that message:
> 
> Mar  4 00:02:05 smtp01 amavis[16992]: (16992-212) Virus
> MBL_144360.UNOFFICIAL matches pattern (?-xism:.*), sender addr ignored
> [1104B13D4014]
> Mar  4 00:02:05 smtp01 amavis[16992]: (16992-212) Virus
> MBL_144360.UNOFFICIAL matches pattern (?-xism:.*), sender addr ignored
> [1104B13D4014]
> 
> I ran the following:
> 
> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
> VIRUS NAME: MBL_144360
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> update.multivaccine.co.kr/setupa
> 
> Is that the correct way? I looked at the email itself, and not only is
> it from a trusted sender, but it doesn't contain that URL in the
> message. Am I missing something?

Does it contain attachments or base64 encoded parts?

Run clamscan --leave-temps --debug and see exactly what triggers it.

--Edwin
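
An added example, not part of the original thread: a body-type signature such as the one decoded above can match the decoded content of a MIME part even when the string is absent from the raw message, which is why the question about base64 parts matters. The sample message is constructed, the names `build_sample` and `find_pattern` are hypothetical, and this only approximates ClamAV's own decoding, so `clamscan --debug` remains the authoritative check.

```python
import base64
from email import message_from_bytes, policy

# Decoded body of MBL_144360, as printed by sigtool in the quoted message.
PATTERN = b"update.multivaccine.co.kr/setupa"


def build_sample() -> bytes:
    """Constructed message: the string exists only inside a base64 part."""
    html = b"<html><a href='http://" + PATTERN + b"'>update</a></html>\n"
    b64 = base64.encodebytes(html).decode("ascii")
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Nothing suspicious is visible here.\n"
        "--BOUND\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + b64 + "--BOUND--\n"
    ).encode("ascii")


def find_pattern(raw: bytes, pattern: bytes = PATTERN):
    """Return (part index, content type, transfer encoding, offset) per hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers carry no payload of their own
        data = part.get_payload(decode=True) or b""  # undo base64 / QP
        off = data.find(pattern)
        if off != -1:
            cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
            hits.append((idx, part.get_content_type(), cte, off))
    return hits


if __name__ == "__main__":
    raw = build_sample()
    print("visible in raw message:", PATTERN in raw)
    for hit in find_pattern(raw):
        print("decoded part hit:", hit)
```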