[clamav-users] Whitelisting a signature
Al Varnell
alvarnell at mac.com
Wed Mar 30 09:02:22 UTC 2016
Leave off the “main.cvd:1204:” and just put “Email.Phishing.Bank-1204”
But I’m surprised you are finding this to be an FP as it’s apparently been around for quite awhile. The signature it’s looking for is:
"Use the link below to verify all_the suspicious transaction in your account now"
except that I substituted an underscore for one of the spaces to prevent this from being identified as infected. If I got an e-mail that said that I certainly would never use the link.
-Al-
On Wed, Mar 30, 2016 at 01:54 AM, Matthias Hank wrote:
>
> Hi,
>
> we have a problem with a lot of false positives of signature
> "Email.Phishing.Bank-1204"
>
> We are running ClamAV 0.95.2 and i tried to create a local.ign DB
> which contains
>
> main.cvd:1204:Email.Phishing.Bank-1204
>
> but that did not help.
>
> Can anybody help how to whitelist this sig?
>
> Updating ClamAV ist not possible atm.
>
> Greetings,
>
> Matze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2370 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20160330/97279b00/attachment.bin>
More information about the clamav-users
mailing list