On Wed, 9 Sep 2015 16:51:11 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 09.09.15 10:44, Dianne Skoll wrote:
> >ClamAV is totally useless.

> Do you mean generally, or in this case?

Generally, at least if you use the official signatures.  And the unofficial
ones have unacceptably high FP rates.

> >There will be some false-positives because some legitimate MS Office
> >files (boooo....) auto-execute macros on document open, but IMO the
> >danger posed by macro viruses makes the tradeoff worth it.

> I believe some people will argue against this ;-)

I'm sure some will.  It's a tradeoff and everyone has a different opinion.

We've implemented this in our hosted scanning service and so far
haven't had any complaints (though to be sure, we quarantine rather
than outright reject messages that hit this rule.)

These are the subjects we've seen that have hit the rule so far
today; counts are on the left:

      1 <redacted - probably false-positive>
      1 Fv: fattura sospesa 8587917 del 12-07-2015
      1 Invio fattura convalida 2492412 del 25-03-2015
      1 RE: fattura sospesa 0585247 del 18-03-2015
      1 RE: fattura sospesa 2684935 del 04-03-2015
      1 RE: fattura sospesa 6857874 del 22-06-2015
      1 Re: fattura emessa 8939951 del 25-01-2015
      1 Re: fattura sospesa 3445841 del 09-02-2015
      1 <redacted - possibly false-positive>
      1 Solicitud de Oferta SM No 123/2015 Proyecto 5070
    229 Resume
    255 RE:resume

Looks to me like one probable and one possible false positive out of
498; IMO that's a good tradeoff for quarantining.

Regards,

Dianne.
