Thanks; I'm well aware of that. I can well understand the rationale behind the signature - however it looks like the code is established in normal usage. The user in question requested a more recent copy of the template sheet they work with from the upstream organisation, which too was blocked at the boundary (as I expected).
I'm loathe to put it into the ignore list as there's obviously good reason for the sig in the first place; what I can't see is whether any other Clam sites have seen the same issue, hence raising it here. It may be that the sig is a bit too broad, but equally it may be entirely based on observed malware - and if we've got genuine files using the same code as malware or the other way round, that leaves us in a bit of a pickle. Graeme ________________________________________ From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Brent Clark via clamav-users <clamav-users@lists.clamav.net> Sent: 10 April 2019 13:38 To: ClamAV users ML Cc: Brent Clark Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0 To whitelist a specific signature from the database you just add the signature name into a local file with the .ign2 extension and store it inside /var/lib/clamav. i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2 HTH Regards Brent Clark _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml