Hi folks
First-time poster, please indulge me as I get to grips with how this
group works...

I have had a case recently where a customer of my mail platform
(protected with Clam) received an encrypted zip attachment.
The body of the message immediately prior to the Base64-encoded
attachment contained the word 'password' (twice, in fact) and the email
was subsequently blocked as containing "Worm.Bagle.F-zippwd-7".

The email was clean. With a raw copy of the email I was able to strip
out the entire contents, short of the attachment and the two lines of
text prior.

By removing all trace of the word 'password' in those two lines, the
file ceased to be marked false-positive for the virus.

It appears that the conditions to match the above virus definition
(encoded attachment, and the presence of the word 'password' in the
preceding text) are pretty vague. I submitted this as a false positive
several days ago but it appears to still trigger, so I've been forced to
have a bypass for Clam worked in for this customer (less than ideal).

Interested in others' exposure to circumstances like this; I wonder if I'm
alone in seeing this behavior (or similar) and what the best method of
moving forward is?

Thanks
Mark.
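The post describes the two conditions that appear to trigger the signature: an encrypted (password-protected) zip attachment, plus the word 'password' in the message text. The script below is an added triage example, not code from the poster and not ClamAV's own signature logic; the exact matching rule of Worm.Bagle.F-zippwd-7 is not published in the post, so the check here is an assumption that approximates it. It parses a raw RFC 822 message, flags zip attachments whose local file headers have the PKWARE encryption bit set, counts 'password' mentions in the text body, and reports whether both conditions hold, so an operator can tell quickly whether a blocked message fits this pattern before submitting a false-positive report. The sample messages and the zip inside them are constructed inline; the zip is not really encrypted, only its header flag is patched to look like one.

```python
import email
import email.policy
import io
import re
import struct
import sys
import zipfile
from email.message import EmailMessage

# Signature of a zip local file header; the general-purpose flag word sits at
# offset 6 of the header and bit 0 marks traditional PKWARE encryption.
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_is_encrypted(data: bytes) -> bool:
    """True if any local file header in the zip data has the encryption bit set."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x1:
            return True
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False


def triage(raw: bytes) -> dict:
    """Report whether a raw email fits the encrypted-zip-plus-'password' pattern."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_chunks = []
    encrypted_zips = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_type() == "text/plain" and filename is None:
            text_chunks.append(part.get_content())   # decoded body text
            continue
        payload = part.get_payload(decode=True) or b""  # undo Base64 etc.
        if payload[:4] == ZIP_LOCAL_HEADER and zip_is_encrypted(payload):
            encrypted_zips.append(filename or "<unnamed>")
    mentions = len(re.findall(r"password", "\n".join(text_chunks), re.IGNORECASE))
    return {
        "encrypted_zip_attachments": encrypted_zips,
        "password_mentions": mentions,
        "matches_heuristic": bool(encrypted_zips) and mentions > 0,
    }


def make_zip(encrypted: bool) -> bytes:
    """Constructed sample zip; optionally patch the encryption flag bit in its first local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample content, not real data\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Only the flag is set; the member data stays plain. Enough to exercise the check.
        flags = struct.unpack_from("<H", data, 6)[0] | 0x1
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


def make_sample_email(encrypted_zip: bool, mention_password: bool) -> bytes:
    """Constructed sample message (addresses and content are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Archive attached (constructed sample)"
    body = "Hi,\n\nPlease find the archive attached.\n"
    if mention_password:
        # Two mentions, mirroring the message described in the post.
        body += "The password is sent separately. Let me know if the password does not work.\n"
    msg.set_content(body)
    msg.add_attachment(make_zip(encrypted_zip), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python triage.py /path/to/raw_message.eml
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for enc, pw in [(True, True), (True, False), (False, True)]:
            print(f"encrypted_zip={enc} mentions_password={pw}:",
                  triage(make_sample_email(enc, pw)))
```

Run it against the raw copy of a blocked message to see whether both conditions are present; if they are, removing or rewording the 'password' mentions in a test copy (as the poster did) and re-scanning with clamscan is a quick way to confirm the detection is this heuristic rather than something in the archive itself.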

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml