Hi folks, first-time poster, please indulge me as I get to grips with how this group works....

I have had a case recently where a customer of my mail platform (protected with Clam) received an encrypted zip attachment. The body of the message immediately prior to the Base64-encoded attachment contained the word 'password' (twice, in fact) and the email was subsequently blocked as containing "Worm.Bagle.F-zippwd-7". The email was clean.

With a raw copy of the email I was able to strip out the entire contents, short of the attachment and the two lines of text prior. By removing all trace of the word 'password' in those two lines, the file ceased to be marked false-positive for the virus. It appears that the conditions to match the above virus definition (encoded attachment, and the presence of the word 'password' in the preceding text) are pretty vague.

I submitted this as a false positive several days ago but it appears to still trigger, so I've been forced to have a bypass for Clam worked in for this customer (less than ideal).

Interested in others' exposure to circumstances like this, wonder if I'm alone in seeing this behavior (or similar) and what the best method of moving forward is?

Thanks
Mark.
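The post describes two conditions behind the hit: a password-protected zip attachment and the word 'password' in the message text near it. The following triage script is an added example, not code from the post or from ClamAV; it models those two conditions with Python's standard library so an admin can see which of them a given message satisfies before submitting a false-positive report or deciding on a bypass. The sample message and the zip archive it builds are constructed here; the function and variable names are the example's own, and it checks only the two conditions the post names, not ClamAV's actual signature logic.

```python
"""Triage helper modelling the two conditions described in the post:
an encrypted ZIP attachment plus the word 'password' in the message body.
Added example, not from the post or ClamAV; the sample mail is constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (traditional
    PKZIP encryption) set; unreadable data is reported as not encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x01 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report which of the two
    conditions it meets. 'would_match' is true only when both hold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_parts = []
    encrypted_zip = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "text/plain" and not part.is_attachment():
            body_parts.append(part.get_content())
        elif ctype in ZIP_TYPES or name.endswith(".zip"):
            # payload is decoded from Base64 here; the post's mail was Base64 too
            if zip_is_encrypted(part.get_payload(decode=True)):
                encrypted_zip = True
    mentions = len(PASSWORD_RE.findall("\n".join(body_parts)))
    return {
        "encrypted_zip": encrypted_zip,
        "password_mentions": mentions,
        "would_match": encrypted_zip and mentions > 0,
    }


def make_zip(encrypted: bool) -> bytes:
    """Build a one-member ZIP. zipfile cannot write encrypted archives, so
    for the encrypted case the flag bit is set by hand in both the local
    file header (flags at offset 6) and the central directory (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def build_sample(body: str, zip_bytes: bytes) -> bytes:
    """Constructed sample message: plain-text body plus a zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # The case from the post: encrypted zip, 'password' twice in the text.
    hit = build_sample("The password is the usual one.\nPassword: ask me.",
                       make_zip(encrypted=True))
    print(triage(hit))
    # Same attachment with the word removed from the text.
    print(triage(build_sample("The archive is attached.", make_zip(True))))
```

Running it prints the two condition flags for each constructed message; in a real deployment you would feed it the raw copy of the quarantined mail (for example via `sys.stdin.buffer.read()`) to confirm the hit comes from this combination rather than from the attachment alone.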
I have had a case recently where a customer of my mail platform (protected with Clam) received an encrypted zip attachment. The body of the message immediately prior to the Base64 encoded attachment contained the word 'password' (twice, infact) and the email was subsequently blocked as containing "Worm.Bagle.F-zippwd-7" The email was clean. With a raw copy of the email I was able to strip out the entire contents, short of the attachment and the two lines of text prior. By removing all trace of the word 'password' in those two lines, the file ceased to be marked false-positive for the virus. It appears that the conditions to match the above virus definition (encoded attachment, and the presence of the word 'password' in the preceding text) are pretty vague. I submitted this as a false positive several days ago but it appears to still trigger, so i've been forced to have a bypass for Clam worked in for this customer (less than ideal). Interested in others exposure to circumstances like this, wonder if i'm alone in seeing this behavior (or similar) and what the best method of moving forward is? Thanks Mark. _____________________________________________________________________________ This email has been filtered by SMX. For more information visit smxemail.com _____________________________________________________________________________ _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml