[clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

Kris Deugau kdeugau at vianet.ca
Tue Nov 7 17:05:57 UTC 2017


Ravi wrote:
> Thanks Kris for your comments. Currently we scan the incoming
> files (zips/archives) placed on the local hard drive with
> clamdscan (which uses the clamd daemon). Can you share more info on what you
> meant by handling the result differently if we are using clamdscan?

Whatever calls clamdscan needs to look at the results in more detail, 
and instead of just blindly treating any positive result as a virus, 
check the virus "name" to see if there is some other action, or if the 
result is something that should be let past.

For instance, I've added checks to several mail systems that treat a 
resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently 
from other results, because that test (PhishingScanURLs) tends to FP on 
legitimate mail.  The test is still valuable but it's not reliable as an 
absolute black/white result.

In general, if you don't want certain things to cause false positives 
with a content filter, either:

- don't pass those things to the filter in the first place,

- handle the results from the filter differently for your problem case,

- disable the problematic test(s) in the filter

Exactly what changes you need to make for each of these will depend on 
how you're passing content to the filter, how you're accepting the scan 
results back, and how configurable the filter is.

-kgd
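One way to do what Kris describes, as an added example that is not code from the original thread or from the ClamAV project: parse clamdscan's per-file result lines and map each signature name to an action instead of treating every FOUND as a hard block. It assumes clamdscan is invoked with --no-summary and prints one "<path>: <result>" line per scanned object, where <result> is "OK", "<SignatureName> FOUND" or "<message> ERROR", that paths contain no ": " sequence, and that clamdscan exits 0 for clean, 1 for found and 2 for error. The SOFT_SIGNATURES table is a hypothetical site policy, and the sample output is constructed rather than taken from a real scan.

```python
"""Triage clamdscan results by signature name instead of treating every
FOUND as a hard block.

Added example, not code from the ClamAV project or from the original post.
Assumptions: clamdscan is run with --no-summary and prints one
"<path>: <result>" line per scanned object, where <result> is "OK",
"<SignatureName> FOUND" or "<message> ERROR"; paths contain no ": ";
exit status 0 = clean, 1 = found, 2 = error.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signature names (or prefixes) this site downgrades from "block" to
# "review": heuristic tests known to fire on legitimate input here
# (core dumps, spoofed-looking but legitimate mail). Hypothetical policy.
SOFT_SIGNATURES = (
    "Heuristics.Broken.Executable",
    "Heuristics.Phishing.SpoofDomain",
)


@dataclass
class ScanResult:
    path: str
    status: str                # "clean", "found" or "error"
    signature: Optional[str]   # signature name when status == "found"
    action: str                # "accept", "review", "block" or "retry"


def classify(path: str, result: str) -> ScanResult:
    """Map one clamdscan result string to an action."""
    if result == "OK":
        return ScanResult(path, "clean", None, "accept")
    if result.endswith(" ERROR"):
        # The scanner could not look at the object: it is neither clean
        # nor infected, so it must not be let through as if it were clean.
        return ScanResult(path, "error", None, "retry")
    if result.endswith(" FOUND"):
        signature = result[: -len(" FOUND")]
        action = "review" if signature.startswith(SOFT_SIGNATURES) else "block"
        return ScanResult(path, "found", signature, action)
    raise ValueError(f"unrecognised clamdscan result for {path!r}: {result!r}")


def triage(output: str) -> Dict[str, ScanResult]:
    """Parse clamdscan's per-file lines into a path -> ScanResult mapping."""
    results: Dict[str, ScanResult] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        # Split on the first ": " so an ERROR message containing a colon
        # (e.g. "File path check failure: ...") stays in the result part.
        path, sep, result = line.partition(": ")
        if not sep:
            raise ValueError(f"unrecognised clamdscan line: {line!r}")
        results[path] = classify(path, result)
    return results


def by_action(results: Dict[str, ScanResult], action: str) -> List[str]:
    """Paths that ended up with the given action, in scan order."""
    return [p for p, r in results.items() if r.action == action]


def scan(paths: List[str]) -> Dict[str, ScanResult]:
    """Run clamdscan on the given paths and triage its output.

    Exit codes 0 (clean), 1 (found) and 2 (error) are all expected; the
    per-file lines carry the detail, so nothing is decided from the exit
    code alone. Any other code means clamdscan itself failed.
    """
    proc = subprocess.run(
        ["clamdscan", "--no-summary", *paths],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode not in (0, 1, 2):
        raise RuntimeError(f"clamdscan failed ({proc.returncode}): {proc.stderr}")
    return triage(proc.stdout)


# Constructed sample of clamdscan --no-summary output (not a real scan).
SAMPLE_OUTPUT = """\
/srv/incoming/batch-17.zip: OK
/srv/incoming/core.4211: Heuristics.Broken.Executable FOUND
/srv/incoming/newsletter.eml: Heuristics.Phishing.SpoofDomain FOUND
/srv/incoming/invoice.zip: Eicar-Test-Signature FOUND
/srv/incoming/late.zip: File path check failure: No such file or directory. ERROR
"""

if __name__ == "__main__":
    for path, r in triage(SAMPLE_OUTPUT).items():
        print(f"{r.action:7s} {path} {r.signature or ''}")
```

The point of the split between "review" and "block" is that the core dump still gets quarantined and looked at rather than silently accepted; only the automatic rejection is removed. If the site would rather not see Heuristics.Broken.Executable at all, the third option in the list above applies: that test is controlled by the DetectBrokenExecutables setting in clamd.conf, just as the phishing checks are controlled by PhishingScanURLs.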
