Jason Haar wrote:
Charles Swiger wrote:
However, also please note that sometimes people have Excel or Word
docs that were infected and then cleaned, which still contain some
viral fingerprints that ClamAV recognizes. If you can quarantine some
of these files and double-check with some other viral scanners, you
might find that ClamAV is actually blocking these files for good
reason....
I think sometimes it has no good reason to block. If it's "clean", then
it doesn't contain a virus... It means ClamAV is using a bad signature
to classify the virus.
We've had this before too - and yes I do upload them as FPs. The problem
we had was a user was infected, was cleaned using product X, but the
"cleanup" left behind the bit that ClamAV used to detect the virus. That
user then used that Excel spreadsheet to create all new spreadsheets
they made from then on, and every time one of them hit our systems, we'd
block it - even though it really contained no ACTIVE virus (if you want
to put it that way).
Having content which was generated by malware appear and be widely duplicated
isn't a great situation, even if the document is not actively malicious.
It's why scanning with some other tools to see whether it is harmful is a good
idea, because in some cases, it still is-- not all virus-cleaning utils
actually succeed, especially for some of the wackier macro viruses.
--
-Chuck
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
