I've dropped .js, .html, and .lnk as top-level extensions from those signatures as they were causing too many problems.

Zip.Suspect.MiscDoubleExtension-zippwd-8:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|awk|bin|csh|deb|dmg|jar|jsx|ksh|osx|out|pkg|rpm|sh|swf)$:*:*:*:*:*:*

I was also missing an end-of-line anchor on a few of the signatures; this has been fixed too.

I really appreciate your patience and communication while we fine-tune these. They're covering a lot of email-borne threats, and if that is not your use case, whitelisting is a great option. Let me know if you are still getting alerts that are problematic.

Thanks,
Douglas

On Thu, Sep 25, 2014 at 2:10 PM, Kris Deugau <kdeu...@vianet.ca> wrote:
> Tim Edwards wrote:
> > The recent addition of Zip.Suspect.MiscDoubleExtension signatures has been
> > causing a lot of trouble for us, as it keeps getting flagged for completely
> > innocuous files such as foo_handle_pdf.js.
>
> One common thread I've been seeing is that people reporting specific
> cases are reporting what I would consider a misfire for a "doubled
> extension"; that filename above only has one extension (.js) in my view.
>
> I would suggest updating this upstream to more narrowly target actual
> doubled extensions.
>
> I'm a little surprised I haven't seen an FP locally.
>
> -kgd
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
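As an added example (not part of the thread, and not ClamAV's own matching code), the filename regex from the signature quoted above can be exercised under Python's `re` to see which names it fires on. The filenames below are constructed for illustration; only `foo_handle_pdf.js` comes from the thread. Python's regex dialect is assumed to be close enough to what ClamAV applies to this signature field for these cases; ClamAV's own engine may differ at the margins. The `without_end_anchor` helper is a hypothetical name used here to reproduce the missing `$` anchor Douglas mentions.

```python
import re

# Filename regex copied verbatim from the third field of the
# Zip.Suspect.MiscDoubleExtension-zippwd-8 signature quoted in the thread.
DOUBLE_EXT_RE = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|"
    r"pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[ _.-]*\.(action|air|apk|app|awk|bin|csh|deb|dmg|jar|jsx|ksh|osx|out|pkg|"
    r"rpm|sh|swf)$"
)

# Constructed sample names; only foo_handle_pdf.js is taken from the thread.
SAMPLE_NAMES = [
    "foo_handle_pdf.js",   # Tim's reported FP; .js is no longer a top-level extension
    "invoice.pdf.sh",      # a genuine doubled extension
    "Report.PDF.JAR",      # (?i) makes the match case-insensitive
    "manual.doc.app",      # the bare \.doc branch
    "make_pdf.sh",         # an underscore separator still satisfies [ _.-]
    "photo.jpg",           # single benign extension
    "archive.tar.gz",      # gz is not in the top-level extension list
    "report.pdf.sh.txt",   # only fires if the $ anchor is missing
]


def is_suspect(name, pattern=DOUBLE_EXT_RE):
    """True if the filename matches the signature's filename regex.

    re.search is used rather than fullmatch because the signature has no
    leading ^ anchor: the doubled-extension tail may sit anywhere in the name.
    """
    return re.search(pattern, name) is not None


def without_end_anchor(pattern):
    """Strip the trailing $ to reproduce the signatures that were missing it (assumption)."""
    return pattern[:-1] if pattern.endswith("$") else pattern


def classify(names, pattern=DOUBLE_EXT_RE):
    """Map each filename to its alert verdict under the given pattern."""
    return {n: is_suspect(n, pattern) for n in names}


def anchor_sensitive(names, pattern=DOUBLE_EXT_RE):
    """Names whose verdict changes when the end anchor is removed."""
    loose = without_end_anchor(pattern)
    return [n for n in names if is_suspect(n, pattern) != is_suspect(n, loose)]


if __name__ == "__main__":
    for name, hit in classify(SAMPLE_NAMES).items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
    print("verdict depends on $ anchor:", anchor_sensitive(SAMPLE_NAMES))
```

Two things are worth noticing in the output. `foo_handle_pdf.js` no longer matches once `js` is absent from the final group, but `make_pdf.sh` still does, because the separator class `[ _.-]` accepts an underscore before `pdf`; that is the kind of single-extension name Kris's reply calls a misfire. And `report.pdf.sh.txt` is clean only because of the trailing `$`: with the anchor removed, `.pdf.sh` inside the name is enough to fire.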