David,

Thanks for your report. Tracking here:
https://bugzilla.clamav.net/show_bug.cgi?id=11512

Steve

On Sun, Feb 28, 2016 at 6:10 AM, David Shrimpton <d.shrimp...@its.uq.edu.au> wrote:
> Hi,
>
> --heuristic-scan-precedence=no is broken in clamav-0.99
>
> e.g. create a test encrypted zip /tmp/abcdef.zip
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=yes /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=yes
> --heuristic-scan-precedence=no /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
> With --heuristic-scan-precedence=no testsig.1.UNOFFICIAL should have been
> returned and not Heuristics.Encrypted.Zip.
>
> With -z --heuristic-scan-precedence=no, both testsig.1.UNOFFICIAL
> and Heuristics.Encrypted.Zip should have been returned.
>
> This is the same problem as occurs with clamdscan and OLE2BlockMacros yes.
> Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that
> also might match.
>
> I suspect --heuristic-scan-precedence=no might not work for any heuristic
> detection.
>
> If heuristic-scan-precedence=no worked, you could parse the returned
> virus name and treat files that only matched a Heuristics sig, e.g.
> pdf or encrypted zip or ole2 with macros, differently to files that matched
> a real sig, e.g. do logging only instead of discarding.
>
> --
> David Shrimpton
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
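The triage David describes at the end of his report (log files that only hit a Heuristics.* name, block files that hit a real signature) as an added example that is not part of the thread or of ClamAV itself. It assumes clamscan is run with -z and --heuristic-scan-precedence=no so that every match is reported, and it parses constructed sample output rather than running the scanner:

```shell
# Per-file verdict from clamscan "<path>: <name> FOUND" lines.
# A file whose matches are all Heuristics.* names is "log-only";
# any other signature name makes it "block". Files reported OK are skipped.
classify_scan_output() {
    awk '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # the last ": " separates the path from the signature name
            i = match(line, /: [^:]*$/)
            if (i == 0) next
            path = substr(line, 1, i - 1)
            name = substr(line, i + 2)
            if (!(path in seen)) { order[++n] = path; seen[path] = 1 }
            if (name !~ /^Heuristics\./) real[path] = 1
        }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                verdict = (p in real) ? "block" : "log-only"
                print p, verdict
            }
        }'
}

# Constructed sample, shaped like the -z output quoted in the thread.
# (Heuristics.OLE2.ContainsMacros is the OLE2 macro heuristic name David mentions.)
SAMPLE_SCAN='/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/report.xls: Heuristics.OLE2.ContainsMacros FOUND
/tmp/notes.txt: OK'

# Convenience wrapper: returns the verdict string for the sample input.
sample_verdicts() {
    printf '%s\n' "$SAMPLE_SCAN" | classify_scan_output
}

# Real use would replace the sample with scanner output, e.g.
#   clamscan -z --heuristic-scan-precedence=no --block-encrypted=yes \
#       --database=/tmp/test.ndb /tmp/abcdef.zip | classify_scan_output
sample_verdicts
```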