ClamWin Free Antivirus
Support and Discussion Forums
false positive
dragos30


Joined: 10 Jul 2015
Posts: 3
hello,

I have a lot of false positive alerts this week for doc attachments suspected of BC.Win.Exploit.CVE_2012_0167

thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
ClamAV provides the scan engine and virus signatures used by ClamWin. Upload a couple of the false positive files to VirusTotal and scan them there. If there is a false positive detection by ClamAV, VirusTotal should notify ClamAV so they can correct the Clam signature. It might also help to upload the files to ClamAV as well at http://www.clamav.net/report/report-fp.html on the web.

Evidently the ClamAV exploit signature is a little too broad, and it will detect "good" doc files as well.

Thanks for using ClamWin.

Regards,
dragos30


Joined: 10 Jul 2015
Posts: 3
Hi,

I understand. Unfortunately I cannot do that since it's an internal document. I will try to identify if it's the template (by deleting the content of the file); then I could upload that file here.

thanks
dragos30


Joined: 10 Jul 2015
Posts: 3
Hello,

I managed to find out the following: if you use an embedded Visio object in the document it will be identified as false positive: BC.Win.Exploit.CVE_2012_0167
If the user removes the Visio object and uses just a picture it works.

regards,
Dragos
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
Thanks for the information. Perhaps any embedded object will be detected as malicious by the ClamAV scan engine. At any rate, would it be possible for you to upload the object with the embedded Visio stuff to ClamAV so they can correct their signature? Their false positive reporting page is at http://www.clamav.net/report/report-fp.html on the web. It might take them a while to correct it--false positive signatures are corrected manually, so you might want to whitelist the object/file from ClamWin scans.

Regards,
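
Added example, not part of any post in this thread: a local triage script for the finding above (flagged documents contain an embedded Visio object), so a batch of internal attachments can be checked without uploading them. It assumes the attachments are OOXML (.docx) files; legacy binary .doc files need an OLE2 parser instead. The function names are hypothetical and the sample document is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumption: OOXML input. Word records each embedded OLE object as an
# <o:OLEObject ProgID="..."> element in this namespace.
OFFICE_NS = "urn:schemas-microsoft-com:office:office"

def embedded_objects(docx_bytes):
    """Return (prog_ids, embedded_parts) for an OOXML Word document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        parts = sorted(n for n in names if n.startswith("word/embeddings/"))
        prog_ids = []
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for ole in root.iter("{%s}OLEObject" % OFFICE_NS):
                prog_ids.append(ole.get("ProgID", ""))
    return prog_ids, parts

def has_visio_embed(docx_bytes):
    """True when any embedded OLE object declares a Visio ProgID."""
    prog_ids, _ = embedded_objects(docx_bytes)
    return any(p.lower().startswith("visio.") for p in prog_ids)

def make_sample(prog_id=None):
    """Build a constructed, minimal .docx-like archive in memory (sample input)."""
    body, parts = "", {}
    if prog_id:
        body = '<w:object><o:OLEObject ProgID="%s" r:id="rId5"/></w:object>' % prog_id
        parts["word/embeddings/oleObject1.bin"] = b"constructed placeholder bytes"
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:o="urn:schemas-microsoft-com:office:office" '
           'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
           '<w:body><w:p>%s</w:p></w:body></w:document>' % body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for label, pid in [("visio-embed", "Visio.Drawing.11"), ("picture-only", None)]:
        print(label, has_visio_embed(make_sample(pid)))
```

If every flagged attachment reports a Visio ProgID and the clean ones do not, that supports reporting a single content-stripped sample to the signature maintainers.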