Hi,
Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd
(?i)((\.doc)|([
_.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[
_.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
Which is covering a lot of combinations in one sig... personally I split
foxhole ones into smaller subsections...
Use --debug and grep for cdbname in the output.
You can whitelist sig name using a .ign2 database.
Cheers,
Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
On 14 February 2016 19:00:12 <nerslbm...@yahoo.com> wrote:
Hi,false positives started coming after update to (daily.cvd version:
21360)my submissions for false-positive reports on clamav.net keep
reporting "The sample is empty."
How to reproduce:
mkdir /tmp/test_dir
touch /tmp/test_dir/txt_csv.jar.0
jar cf test_dir.jar /tmp/test_dir
# or
zip -r test_dir.zip /tmp/test_dir
# then scan the file
clamscan test_dir.jar test_dir.zip
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
