Thank you for the submissions James. It looks like it is alerting on this:

libraries/gantry/js/belated-png.js

I removed the 'top level' extension .html from this signature, and considered removing .js but didn't. I'll revise these later today to not have .js, as that is not a huge threat in terms of executables and is causing enough FPs.

- Douglas

On Wed, Sep 17, 2014 at 9:14 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>
> On Wed, September 17, 2014 1:53 pm, James Meason wrote:
>
> > Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
>
> Hi James,
>
> ClamAV team have created a signature which helps block double attachments,
> in much the same way that the Sanesecurity foxhole sigs have been
> doing for a while now.
>
> However, I think they'd gone slightly overboard...
>
> here's the sig...
>
> daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
>
> foxhole_filename.cdb will do a similar job, but has been made as flexible
> as possible for the end user to whitelist for extension type and only
> contains double extensions that have been actually seen carrying malware.
>
> To whitelist...
>
> printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
> restart clamd
>
> Cheers,
>
> Steve
> Sanesecurity.com
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
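The mechanics behind this thread, as an added example that is not part of any of these messages and is not ClamAV's or Sanesecurity's own code: the filename regex of the quoted Zip.Suspect.MiscDoubleExtension-zippwd-4 signature is rebuilt from its two extension lists, run against the reported false positive belated-png.js and a few constructed member names, compared with the revised list Douglas says he will ship (without .js), and checked against an in-memory stand-in for the localign.ign2 whitelist Steve describes. Python's re module is assumed to behave like ClamAV's regex engine for this simple pattern; scan_name, load_ign2 and the sample names other than belated-png.js are constructed for the example.

```python
import re

# Extension lists copied from the quoted daily.zmd signature, reassembled
# from the mail-wrapped lines in the thread.
DATA_EXTS = ["7z", "avi", "bmp", "csv", "docx", "gif", "gz", "jpeg", "jpg", "mov",
             "mp3", "mp4", "mpg", "pdf", "png", "pps", "ppt", "pptx", "psd", "rar",
             "tar", r"tar\.gz", "tif", "tiff", "txt", "wav", "xls", "xlsx", "zip"]
EXEC_EXTS = ["action", "air", "apk", "app", "as", "awk", "bin", "command", "csh",
             "deb", "dmg", "ipa", "jar", "js", "jsx", "ksh", "nexe", "osx", "out",
             "pkg", "plx", "prg", "rpm", "run", "script", "sh", "swf"]

SIG_NAME = "Zip.Suspect.MiscDoubleExtension-zippwd-4"


def build_regex(exec_exts=EXEC_EXTS):
    """Rebuild the signature's filename regex. Passing a trimmed exec_exts list
    models Douglas's planned revision (drop .js from the second group)."""
    data = "|".join(DATA_EXTS)
    execs = "|".join(exec_exts)
    # Same shape as the quoted signature: ".doc" or a separator followed by a
    # data extension, optional separators, then a dot and a script/exec extension.
    return re.compile(rf"(?i)((\.doc)|([ _.-]({data})))[ _.-]*\.({execs})")


ORIGINAL = build_regex()                                   # sig as quoted by Steve
REVISED = build_regex([e for e in EXEC_EXTS if e != "js"])  # Douglas's planned change


def load_ign2(text):
    """Parse .ign2 contents (one signature name per line) into a set.
    Hypothetical helper standing in for ClamAV reading localign.ign2."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def scan_name(filename, regex=ORIGINAL, ign2=frozenset()):
    """Return the signature name that would fire on an archive member name,
    or None if the regex does not match or the name is whitelisted via ign2."""
    if SIG_NAME in ign2:
        return None
    return SIG_NAME if regex.search(filename) else None


# Constructed sample member names; the first is the FP reported in the thread.
SAMPLE_NAMES = [
    "libraries/gantry/js/belated-png.js",
    "invoice.pdf.js",
    "holiday photos.zip.sh",
    "readme.txt",
]

if __name__ == "__main__":
    whitelist = load_ign2(SIG_NAME + "\n")  # what Steve's printf line produces
    print(f"{'member name':40} {'original':10} {'no .js':10} {'ign2'}")
    for name in SAMPLE_NAMES:
        print(f"{name:40} {str(scan_name(name)):10} "
              f"{str(scan_name(name, REVISED)):10} "
              f"{scan_name(name, ign2=whitelist)}")
```

Running it shows the quoted signature firing on belated-png.js (a data extension, png, separated by a hyphen from a .js suffix), the revised regex leaving it alone while still catching archive members such as a .zip.sh double extension, and the .ign2 entry silencing the signature entirely, which is the blunt but effective fallback Steve suggests until the revised signature lands.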