[clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?
h.reindl at thelounge.net
Wed Aug 10 05:58:20 EDT 2016
On 10.08.2016 at 11:52, Jan-Pieter Cornet wrote:
> On 10-8-16 08:22, ANANT S ATHAVALE wrote:
>> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive?
> Created a completely empty .doc file using LibreOffice on Linux, and the resulting file was recognized as Win.Exploit.CVE_2016_3316-1.
> This means that on our medium-sized ISP, we got so many false positives from ClamAV in a few hours, that it would take several weeks for ClamAV to even find the same number of true positives in our e-mail stream.
> Guess that's the end of ClamAV as an e-mail virus scanner here...
show me one malware scanner with no FP disaster in the past years and
before you throw away the child with the bath consider why you are not
just using *scoring* if you can't accept false positives fixable within a
and in case of .doc i have seen even users complaining that other
mailservers block .doc at all and bounce back you should send a .docx
because they can't contain macros (that's what .docm are for)