I added the YARA script published by Homeland Security to the ClamAV database directory. I believe I am getting a substantial number of false positives on this, including messages containing PDF and JPG attachments, the latter known to be OK.

$ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6284977
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.95 MB
Data read: 0.18 MB (ratio 5.42:1)
Time: 7.567 sec (0 m 7 s)

Is anyone else using this rule seeing this?

--Mark
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml