Hi Wagde,

It looks like you've found a bug. The SSN detection logic is hardcoded, here: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/libclamav/dlp.c#L295

As you can see, it looks for sequences in the form "%3d-%2d-%4d" or "%3d%2d%4d" using sscanf(), and then validates that each of the area, group, and serial numbers is valid.

I'm looking at this code for the first time, but have reproduced the issue you described. It makes sense. The %4d specifies the maximum amount of digits, not a specific amount of digits. The easy fix would be to make sure that Area >= 100, Group >= 10, and Serial >= 1000 -- though as per the comments it seems like sscanf() is an inefficient choice for the implementation.

To fix the issue we'll have to fix the code in a patch release, maybe 0.102.1. I have made this bug report to track the issue: https://bugzilla.clamav.net/show_bug.cgi?id=12407

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On 9/28/19, 7:19 PM, "clamav-users on behalf of Wagde Zabit via clamav-users" <clamav-users-boun...@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

I keep getting false positives on SSN in a log file full of IP addresses. For some reason clamav detects the 172-31-19-5 as an SSN although it's not (AAA-GG-SSSS)

    ./bin/clamdscan ~/ssn.txt
    /home/ubuntu/ssn.txt: Heuristics.Structured.SSN FOUND

    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 0.000 sec (0 m 0 s)

    cat ~/ssn.txt
    172-31-19-5
    172-31-19-5
    172-31-19-5
    172-31-19-5
    172-31-19-5

    ./bin/clamdscan --version
    ClamAV 0.101.2/25579/Sat Sep 21 08:23:44 2019

Is there a way to change the existing SSN signature?

Is there a way to write a new signature like:

    ^((?!000)(?!666)\d{3})([ -])?((?!00)\d{2})([ -])?((?!0000)\d{4})$

to get better results?

Thanx
Wagde

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
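
The field-width pitfall discussed in this thread, as an added example (not ClamAV's code and not written by either poster): loose_ssn() is a simplified stand-in that parses the dashed form with sscanf() as described above, and strict_ssn() is a hypothetical matcher that requires exactly 3, 2 and 4 digits. Both function names are assumptions, the range rules come from the regex quoted in the question, and only the dashed form is covered.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Range rules taken from the regex in the question: no 000/666, no 00, no 0000. */
static int plausible(int area, int group, int serial)
{
    return area != 0 && area != 666 && group != 0 && serial != 0;
}

/* Simplified stand-in: sscanf() widths are maxima, so "19" satisfies %4d. */
static int loose_ssn(const char *s)
{
    int area, group, serial;
    if (sscanf(s, "%3d-%2d-%4d", &area, &group, &serial) != 3)
        return 0;
    return plausible(area, group, serial);
}

/* Read exactly n digits at p; stops at the first non-digit (including NUL). */
static int fixed_digits(const char *p, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)p[i]))
            return 0;
        v = v * 10 + (p[i] - '0');
    }
    *out = v;
    return 1;
}

/* Hypothetical strict matcher: exact 3-2-4 widths, no trailing digit. */
static int strict_ssn(const char *s)
{
    int area, group, serial;
    if (!fixed_digits(s, 3, &area) || s[3] != '-' ||
        !fixed_digits(s + 4, 2, &group) || s[6] != '-' ||
        !fixed_digits(s + 7, 4, &serial) || isdigit((unsigned char)s[11]))
        return 0;
    return plausible(area, group, serial);
}

int main(void)
{
    /* Constructed samples; the first is the string from the report. */
    const char *t[] = { "172-31-19-5", "123-45-6789", "123-45-67890", "666-12-3456" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-13s loose=%d strict=%d\n", t[i], loose_ssn(t[i]), strict_ssn(t[i]));
    return 0;
}
```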