On 3/27/2018 9:48 AM, David Jones wrote:
> Looks like ClamAV UNOFFICIAL sigs are detecting this:
> Clamd: message was infected: Sanesecurity.Foxhole.Zip_url.UNOFFICIAL

David,
Excellent... except for one potential problem... this is in their
"foxhole_all.cdb" file which they label as "high false positive risk" -
which could scare some away!
For those who don't score very high on ClamAV and/or who are able to
score DIFFERENTLY based on different types of Sanesecurity and/or ClamAV
results, this is probably OK. But for others who prefer to either
outright block or score high on ClamAV, that MIGHT present a problem. On
the other hand, maybe Sanesecurity is just being overly cautious (or
considering more theoretical FNs?), and such actual FPs in real world
mail flow are actually extremely rare?
Any thoughts? Anyone know?
--
Rob McEwen
https://www.invaluement.com