Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs (attached).
On Wed, May 17, 2017 at 6:10 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
> I added the YARA script published by Homeland Security to the clamav database
> directory. I believe I am getting a substantial number of false positives on
> this, including messages containing PDF and JPG attachments, the latter known to
> be OK.
>
> $ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
> /home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6284977
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.95 MB
> Data read: 0.18 MB (ratio 5.42:1)
> Time: 7.567 sec (0 m 7 s)
>
> Is anyone else using this rule seeing this?
>
> --Mark
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
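An added example, not part of this thread and not ClamAV's, DHS's or ReversingLabs' code: when a third-party YARA rule in the clamav database directory starts firing on mail, the practical first step is to sort the FOUND lines by what the flagged messages actually carry. The script below parses clamscan-style output, opens each flagged Maildir file, sniffs the magic bytes of every MIME part, and marks hits whose payloads are only PDF, JPEG or plain text as "review-likely-fp" while anything carrying an MZ executable stays "investigate". The three mail files and the scan output are constructed in a temp directory for the demo; the rule name is the one from Mark's scan. The `ign2_candidates` helper emits signature names in the one-name-per-line shape of a ClamAV `local.ign2` whitelist, which is an assumption you should check against your engine version before relying on it.

```python
"""Triage clamscan YARA hits by the kind of attachments in the flagged mail files."""
import base64
import email
import email.policy
import os
import re
import tempfile
from collections import defaultdict

# Signature name taken from the scan in the thread above.
SIG = "YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL"

# One clamscan result line: "<path>: <signature> FOUND" ("<path>: OK" lines are ignored).
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Magic bytes checked in order. Assumption for triage: a hit whose parts are all
# PDF / JPEG / plain text deserves a human look before it is treated as malware.
MAGIC = [(b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpeg"), (b"MZ", "pe")]
BENIGN_KINDS = {"pdf", "jpeg", "text"}


def sniff(data: bytes) -> str:
    """Classify a decoded MIME payload by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def attachment_kinds(path: str) -> list:
    """Return the sniffed kind of every non-multipart MIME part in a mail file."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=email.policy.default)
    return [sniff(p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]


def parse_found(scan_output: str) -> list:
    """Extract (path, signature) pairs from clamscan output."""
    return [(m.group("path"), m.group("sig"))
            for m in (FOUND_RE.match(l) for l in scan_output.splitlines()) if m]


def triage(scan_output: str) -> dict:
    """Map signature -> [(path, kinds, verdict)] using the benign-kind heuristic."""
    report = defaultdict(list)
    for path, sig in parse_found(scan_output):
        kinds = attachment_kinds(path)
        benign = bool(kinds) and all(k in BENIGN_KINDS for k in kinds)
        report[sig].append((path, kinds, "review-likely-fp" if benign else "investigate"))
    return dict(report)


def ign2_candidates(report: dict, threshold: float = 0.5) -> list:
    """Signatures whose hits are mostly on benign-looking content, one name per line (local.ign2 shape, assumed)."""
    out = []
    for sig, rows in report.items():
        fp = sum(1 for _, _, verdict in rows if verdict == "review-likely-fp")
        if rows and fp / len(rows) >= threshold:
            out.append(sig)
    return out


def build_sample_maildir() -> str:
    """Constructed test messages (not real mail): PDF, JPEG and MZ attachments."""
    d = tempfile.mkdtemp(prefix="yara-fp-")
    payloads = {
        "pdf.mail": b"%PDF-1.4\n% constructed minimal pdf body\n",
        "jpg.mail": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "exe.mail": b"MZ" + b"\x90" * 62,
    }
    for name, payload in payloads.items():
        body = (b"From: a@example.com\nTo: b@example.com\nSubject: test\n"
                b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XX\"\n\n"
                b"--XX\nContent-Type: text/plain\n\nsee attached\n"
                b"--XX\nContent-Type: application/octet-stream\n"
                b"Content-Transfer-Encoding: base64\n\n"
                + base64.b64encode(payload) + b"\n--XX--\n")
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


def sample_scan_output(maildir: str) -> str:
    """Constructed clamscan-style output: the rule fires on all three messages."""
    lines = [f"{os.path.join(maildir, n)}: {SIG} FOUND" for n in ("pdf.mail", "jpg.mail", "exe.mail")]
    lines.append(f"{os.path.join(maildir, 'clean.mail')}: OK")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    d = build_sample_maildir()
    rep = triage(sample_scan_output(d))
    for sig, rows in rep.items():
        for path, kinds, verdict in rows:
            print(f"{verdict:18} {sig} {os.path.basename(path)} parts={kinds}")
    print("local.ign2 candidates:", ign2_candidates(rep))
```

On real data, feed it `clamscan -r --infected /path/to/Maildir` output instead of the constructed lines; the "review-likely-fp" bucket is where to check whether the rule's strings are matching inside base64-encoded PDF/JPEG bodies before suppressing the signature.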