
False Positives

If you have problems with a signature, please check the signature names first, as some of the Sanesecurity download scripts may also download other Third-Party signatures and are therefore not under the control of SaneSecurity.

.UNOFFICIAL means that the signature is not an Official ClamAV signature and therefore you need to contact one of the following people when you have a problem:

Signature name        Contact
Sanesecurity          contact Sanesecurity
MBL                   contact Malware Block List
-SecuriteInfo.com     contact SecuriteInfo
winnow_               contact Sanesecurity
ScamNailer            contact Julian Field
Doppelstern           contact Doppelstern Antispam
bofhland              contact bofhland

Phishing.Heuristics

If you are having problems with the following Official ClamAV signatures:

Phishing.Heuristics.Email.SpoofedDomain
Phishing.Heuristics.Email.SSL-Spoof

You can disable this feature by editing clamd.conf: find the line “PhishingScanURLs” and change it to this:

PhishingScanURLs no


If the signature name doesn’t have the .UNOFFICIAL tag at the end, then please submit a false positive report to the ClamAV Team here


Report a Sanesecurity False Positive

False Positive samples (where possible) should either be emailed to:

fpemail

or use a service such as pastebin (to paste in the whole email) and then email the unique pastebin link you are given to the above email address. Other services to use: link1 or link2

In order to speed up the resolution process when sending a False Positive Report, please send the signature name (e.g. Sanesecurity.Spam.10154) and also, where possible, the raw text (including all headers) of your blocked email.

Note: If you are trying to send a copy of a fraudulent email to your bank or other organisation (such as PayPal/Ebay) and it is getting blocked by your ISP… then please use the pastebin service to send the fraudulent email instead, as this will not be blocked by them.


Locally whitelisting a false positive

While you wait for the false positive to be fixed, you can create your own local whitelist:

Example 1: Pdf.Exploit.CVE_2016_1091-2 is causing issues

echo "Pdf.Exploit.CVE_2016_1091-2" >> local_whitelist.ign2
Place local_whitelist.ign2 into your ClamAV database folder and then restart clamd.

Example 2: Sanesecurity.Spam.10154.UNOFFICIAL is causing issues

echo "Sanesecurity.Spam.10154" >> local_whitelist.ign2
Place local_whitelist.ign2 into your ClamAV database folder and then restart clamd.
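
The two examples above as a reusable shell helper (an added example, not part of the Sanesecurity scripts). It strips the .UNOFFICIAL tag as Example 2 does and avoids duplicate entries; the function names, the /var/lib/clamav default folder and the allowed-character check are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local whitelist helper (not part of the Sanesecurity scripts).

# ign2_name NAME: print NAME in the form used inside a .ign2 file.
# Accepts a bare name or a pasted scanner line "path: NAME FOUND".
ign2_name() {
    name=$1
    name=${name% FOUND}        # drop a trailing " FOUND"
    name=${name##*: }          # drop a leading "path: "
    name=${name%.UNOFFICIAL}   # the page's Example 2 omits this tag
    # Assumption: names use only letters, digits, '.', '_' and '-'
    case $name in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# whitelist_add NAME [DBDIR]: append NAME to DBDIR/local_whitelist.ign2
# unless it is already listed. Prints "added" or "present".
whitelist_add() {
    dbdir=${2:-/var/lib/clamav}   # assumed default database folder
    file=$dbdir/local_whitelist.ign2
    entry=$(ign2_name "$1") || { echo "invalid signature name" >&2; return 1; }
    if [ -f "$file" ] && grep -qxF -- "$entry" "$file"; then
        echo present
    else
        printf '%s\n' "$entry" >> "$file" && echo added
    fi
}

# Demo in a scratch directory; the scanner line is constructed sample input.
demo_dir=$(mktemp -d)
whitelist_add "Pdf.Exploit.CVE_2016_1091-2" "$demo_dir"
whitelist_add "/tmp/mail.eml: Sanesecurity.Spam.10154.UNOFFICIAL FOUND" "$demo_dir"
whitelist_add "Sanesecurity.Spam.10154" "$demo_dir"   # reports "present"
cat "$demo_dir/local_whitelist.ign2"
rm -rf "$demo_dir"
# On a real system, restart clamd after the file changes (as the page says).
```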

Permanent link to this article: https://sanesecurity.co.uk/support/false-positives/