[clamav-users] FP-Report: Email.Trojan-417

Shaun Hurley shahurle at sourcefire.com
Tue May 13 13:29:38 UTC 2014


Julian,

I didn't see this in the false positive queue, but did see this email. I
just completed a review of the original sample. It turns out that the
original sample is being detected by another signature and that this one is
not adding anything. I've scheduled the signature to be dropped out of the
daily.cvd.

Thank you,
Shaun Hurley


On Tue, May 13, 2014 at 4:12 AM, Steve Basford <
steveb_clamav at sanesecurity.com> wrote:

>
> On Tue, May 13, 2014 8:27 am, Julian Hansmann wrote:
>
> > Regardless of its content (even if it's empty) a mail which has a file
> > with the suffix ".JPG.zip" (case sensitive) attached will be detected as
> > "Email.Trojan-417".
> >
> Hi Julian,
>
> I'm guessing the original official signature was to catch something like
> this:
>
>
> http://techhelplist.com/index.php/spam-list/421-do-you-think-i-m-attractive-virus
>
> You can whitelist in your setup, while you wait for an official response:
>
> printf "Email.Trojan-417" > ignore.ign2
> copy the ignore.ign2 file into your clamav database directory
> restart clamd
>
>
> Cheers,
>
> Steve
> Sanesecurity
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>
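
The whitelist step quoted above, as an added example that is not part of the original thread: a shell function that adds a signature name to an `.ign2` file without overwriting entries already there and without creating duplicates. The function name `ign2_add` and the name check are assumptions made for this example; the file name `ignore.ign2` is the one used in the thread.

```shell
# Added example (not from the thread): idempotently add a signature name
# to an .ign2 ignore file, one name per line.
# Usage: ign2_add DBDIR SIGNAME [FILE]   (ign2_add is a hypothetical helper)
ign2_add() {
    dbdir=$1 sig=$2 file=${3:-ignore.ign2}
    [ -d "$dbdir" ] || { echo "no such database directory: $dbdir" >&2; return 2; }
    # Conservative character check chosen for this example (an assumption,
    # not a ClamAV rule): keeps whitespace and shell metacharacters out.
    case $sig in
        ''|*[!A-Za-z0-9._-]*) echo "refusing signature name: $sig" >&2; return 2 ;;
    esac
    target=$dbdir/$file
    # Already present as a whole line: nothing to do.
    if [ -f "$target" ] && grep -qxF -- "$sig" "$target"; then
        return 0
    fi
    # Build the new file next to the old one, then rename it into place so
    # a reload never sees a half-written list.
    tmp=$(mktemp "$dbdir/.ign2.XXXXXX") || return 1
    if [ -f "$target" ]; then
        # awk re-emits every line with a trailing newline, so an existing
        # last entry written without one is not glued to the new name.
        awk '{ print }' "$target" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    printf '%s\n' "$sig" >> "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"
    mv "$tmp" "$target"
}
```

After the file changes, restart clamd as described in the thread; the entry can be removed again once the signature has been dropped from daily.cvd.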


