Hi, --heuristic-scan-precedence=no is broken in clamav-0.99
e.g. create a test encrypted zip /tmp/abcdef.zip

    clamscan -z --database=/tmp/test.ndb --block-encrypted=yes /tmp/abcdef.zip
    /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND

    clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
    /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
    /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND

    clamscan -z --database=/tmp/test.ndb --block-encrypted=yes --heuristic-scan-precedence=no /tmp/abcdef.zip
    /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND

With --heuristic-scan-precedence=no, testsig.1.UNOFFICIAL should have been returned and not Heuristics.Encrypted.Zip. With -z --heuristic-scan-precedence=no, both testsig.1.UNOFFICIAL and Heuristics.Encrypted.Zip should have been returned.

This is the same problem as occurs with clamdscan and OLE2BlockMacros yes. Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that also might match. I suspect --heuristic-scan-precedence=no might not work for any heuristic detection.

If heuristic-scan-precedence=no worked, you could parse the returned virus name and treat files that only matched a Heuristics sig, e.g. pdf or encrypted zip or ole2 with macros, differently to files that matched a real sig, e.g. do logging only instead of discarding.

--
David Shrimpton
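The triage suggested in the message above, sketched as an added example that is not part of the original post or of ClamAV: it parses `clamscan` result lines and separates files whose only matches are `Heuristics.*` names from files that matched a real signature. The action labels `discard` and `log-only`, the function names and both sample outputs are assumptions constructed for illustration, and the result is only meaningful when the scanner reports every match for a file.

```python
import re
from collections import defaultdict

# Result line format seen in the post: "<path>: <signature name> FOUND".
# Assumption: signature names contain no whitespace. The greedy path group
# keeps paths that themselves contain ": " intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Constructed sample: only the heuristic name is reported for the file.
HEURISTIC_ONLY = """\
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
"""

# Constructed sample: what the post says -z with
# --heuristic-scan-precedence=no should return (both names).
BOTH = """\
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
Infected files: 1
"""


def parse_found(output):
    """Map each scanned path to the set of signature names reported for it."""
    hits = defaultdict(set)
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:  # summary and blank lines do not match and are skipped
            hits[m.group("path")].add(m.group("sig"))
    return dict(hits)


def triage(output):
    """Return {path: action}; a heuristic-only hit is logged, not discarded."""
    actions = {}
    for path, sigs in parse_found(output).items():
        real = [s for s in sigs if not s.startswith("Heuristics.")]
        actions[path] = "discard" if real else "log-only"
    return actions


if __name__ == "__main__":
    for name, sample in (("heuristic only", HEURISTIC_ONLY), ("both", BOTH)):
        print(name, triage(sample))
```
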