Leave off the “main.cvd:1204:” and just put “Email.Phishing.Bank-1204”
But I’m surprised you are finding this to be an FP as it’s apparently been around for quite awhile. The signature it’s looking for is: "Use the link below to verify all_the suspicious transaction in your account now" except that I substituted an underscore for one of the spaces to prevent this from being identified as infected. If I got an e-mail that said that I certainly would never use the link. -Al- On Wed, Mar 30, 2016 at 01:54 AM, Matthias Hank wrote: > > Hi, > > we have a problem with a lot of false positives of signature > "Email.Phishing.Bank-1204" > > We are running ClamAV 0.95.2 and i tried to create a local.ign DB > which contains > > main.cvd:1204:Email.Phishing.Bank-1204 > > but that did not help. > > Can anybody help how to whitelist this sig? > > Updating ClamAV ist not possible atm. > > Greetings, > > Matze
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
