[clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?
Kris Deugau
kdeugau at vianet.ca
Thu Feb 15 19:05:19 UTC 2018
I've had a customer reporting problems sending a supposedly all-text
(likely actually multipart text+html with no hand-added attachments)
triggering this signature.
Since it's a hash I'm baffled by what it might be misfiring on in a
legitimate more-or-less text-only message.
I don't yet have a copy of the message that actually triggered this
signature, and after finally getting a couple of empty test messages
they are of course scanning clean.
Can anyone give any more detail on what kind of file or file component
this is matching on? All I can see is that it's in daily.hsb, so beyond
the fact that it is a hash of either the whole file or a component of a
Word document containing macros I have no idea what it is, and whether
it's really a FP or not.
-kgd
More information about the clamav-users
mailing list