ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
false positive
dragos30


Joined: 10 Jul 2015
Posts: 3
Reply with quote
hello,

I have a lot of false positive alerts this week for doc attachments suspected of BC.Win.Exploit.CVE_2012_0167

thanks
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4191
Location: USA
Reply with quote
Clam Av provides the scan engine and virus signatures used by ClamWin. Upload a couple of the false positive files to Virus Total and scan them there. If there is a false positive detection by Clam AV, Virus Total should notify Clam AV so they can correct the Clam signature. It might also help to upload the files to Clam Av as well at http://www.clamav.net/report/report-fp.html on the web.

Evidently the Clam AV exploit signature is a little boo broad, and it will detect "good" doc files as well.

Thanks for using ClamWin.

Regards,
View user's profileSend private message
dragos30


Joined: 10 Jul 2015
Posts: 3
Reply with quote
Hi,

I understand. Unfortunately I can not do that since its an internal document. I will try to identify if its the template(by deleting the content of the file) then I could upload that file here.

thanks
View user's profileSend private message
dragos30


Joined: 10 Jul 2015
Posts: 3
Reply with quote
Hello,

I managed to find out the following: if you use an embedded visio object in the document it will be indetified as false positive: BC.Win.Exploit.CVE_2012_0167
If the user removes the visio object and uses just a picture it works.

regards,
Dragos
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4191
Location: USA
Reply with quote
Thanks for the information. Perhaps any embedded object will be detected as malicious by the Clam Av scan engine. At any rate, would it be possible for you to upload the object with the embedded Visio stuff to Clam Av so they can correct their signature? Their false positive reporting page is at http://www.clamav.net/report/report-fp.html on the web. It might take them a while to correct it--false positive signatures are corrected manually, so you might want to whitelist the object/file from ClamWin scans.

Regards,
View user's profileSend private message
false positive
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic