[clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

Reindl Harald h.reindl at thelounge.net
Wed Aug 10 05:58:20 EDT 2016



On 10.08.2016 at 11:52, Jan-Pieter Cornet wrote:
> On 10-8-16 08:22, ANANT S ATHAVALE wrote:
>> Hi,
>>
>> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1.  Is this a false positive?
>
> Yes.
>
> Created a completely empty .doc file using LibreOffice on Linux, and the resulting file was recognized as Win.Exploit.CVE_2016_3316-1.
>
> This means that on our medium-sized ISP, we got so many false positives from ClamAV in a few hours, that it would take several weeks for ClamAV to even find the same number of true positives in our e-mail stream.
>
> Guess that's the end of ClamAV as an e-mail virus scanner here...

useless polemic

show me one malware scanner with no FP disaster in the past years and 
before you throw away the child with the bath consider why you are not 
just using *scoring* if you can't accept false positives fixable within a 
short timeframe

and in case of .doc i have seen even users complaining that other 
mailservers block .doc at all and bounce back you should send a .docx 
because they can't contain macros (that's what .docm is for)
