ClamSup false positives
Question asked by SmarterUser - May 7, 2015 at 1:35 AM
This has proven to be a huge improvement (thanks, Joe!), but I'm having problems with false positives. Is anyone else experiencing that?
 
Here's an example.  There's one message that I have been unable to send.  It goes straight into the Virus Quarantine, and the clamd.log reports this:
 
Thu May 07 00:35:00 2015 -> F:\Spool\SubSpool9\45746438402.eml: winnow.phish.ts.elena.1.UNOFFICIAL FOUND
 
Note that winnow.phish is disabled (it appears twice in the ini), but this signature is coming from winnow_malware_links.  The odd thing is that this is legit correspondence with someone named Elena, and it doesn't contain any links other than her email address.  Seems pretty harsh to stop all mail to anyone named Elena.  :-)
 
I haven't figured out a way to get this message to send, other than to turn off clam.  Is there a way to force false positives to send?  And on the flip side, is there a way to force incoming false positives to get delivered?
 
I'm thinking about trying just the www.securiteinfo.com signatures to see how their FP rate is.  Has anyone tried that?
 
 
 

1 Reply

An update.  After I submitted the above post, I submitted the "Elena" FP to Sane Security.  In less than 10 minutes, I received a reply that the problem sig had been removed.
 
Companies that provide this degree of responsiveness -- especially for free products -- deserve to be supported.
