[clamav-users] Whitelisting a signature
Matthias Hank
mh-clamav at LF.net
Wed Mar 30 09:14:47 UTC 2016
Hi,
i tried the other format already but that gives me a:
Wed Mar 30 11:10:35 2016 -> ERROR: reload db failed: Malformed database
Wed Mar 30 11:10:35 2016 -> Terminating because of a fatal error.
See, it's a very old ClamAV version which still uses local.ign and not
local.ign2.
Matze
On Wed, Mar 30, 2016 at 02:02:22AM -0700, Al Varnell wrote:
> Leave off the ???main.cvd:1204:??? and just put ???Email.Phishing.Bank-1204???
>
> But I???m surprised you are finding this to be an FP as it???s apparently been around for quite awhile. The signature it???s looking for is:
>
> "Use the link below to verify all_the suspicious transaction in your account now"
>
> except that I substituted an underscore for one of the spaces to prevent this from being identified as infected. If I got an e-mail that said that I certainly would never use the link.
>
> -Al-
>
> On Wed, Mar 30, 2016 at 01:54 AM, Matthias Hank wrote:
> >
> > Hi,
> >
> > we have a problem with a lot of false positives of signature
> > "Email.Phishing.Bank-1204"
> >
> > We are running ClamAV 0.95.2 and i tried to create a local.ign DB
> > which contains
> >
> > main.cvd:1204:Email.Phishing.Bank-1204
> >
> > but that did not help.
> >
> > Can anybody help how to whitelist this sig?
> >
> > Updating ClamAV ist not possible atm.
> >
> > Greetings,
> >
> > Matze
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
--
Gruss / Best regards | LF.net GmbH | fon +49 711 90074-409
Matthias Hank | Ruppmannstr. 27 | fax +49 711 90074-33
support at LF.net | D-70565 Stuttgart | http://LF.net
Handelsregister Stuttgart: HRB 18189
Geschaeftsfuehrer: Norman Fuerst, Rodney Volz
More information about the clamav-users
mailing list