If you have problems with a signature, please check the signature name first: some of the Sanesecurity download scripts may also download other third-party signatures, which are not under the control of Sanesecurity.
.UNOFFICIAL means that the signature is not an Official ClamAV signature and therefore you need to contact one of the following people when you have a problem:
Signature name | Contact |
Sanesecurity | contact Sanesecurity |
MBL | contact Malware Block List |
-SecuriteInfo.com | contact SecuriteInfo |
winnow_ | contact Sanesecurity |
ScamNailer | contact Julian Field |
Doppelstern | contact Doppelstern Antispam |
bofhland | contact bofhland |
Phishing.Heuristics
If you are having problems with the following Official ClamAV signatures:
Phishing.Heuristics.Email.SpoofedDomain
Phishing.Heuristics.Email.SSL-Spoof
You can disable this feature by editing clamd.conf, finding the line “PhishingScanURLs” and changing it to this:
PhishingScanURLs no
If the signature name doesn’t have the .UNOFFICIAL tag at the end, then please submit a false positive report to the ClamAV Team here
Report a Sanesecurity False Positive
False Positive samples (where possible) should either be emailed to:
or use a service such as pastebin (to paste in the whole email) and then email the unique pastebin link you are given to the above email address. Other services to use: link1 or link2
In order to speed up the resolution process when sending a False Positive Report, please send the signature name (e.g. Sanesecurity.Spam.10154) and also, where possible, the raw text (including all headers) of your blocked email.
Note: If you are trying to send a copy of a fraudulent email to your bank or other organisation (such as PayPal/Ebay) and it is getting blocked by your ISP… then please use the pastebin service to send the fraudulent email instead, as this will not be blocked by them.
Locally whitelisting a false positive
While you wait for the false positive to be fixed, you can create your own local whitelist:
Example 1: Pdf.Exploit.CVE_2016_1091-2 is causing issues
echo "Pdf.Exploit.CVE_2016_1091-2" >> local_whitelist.ign2
Place the file into your ClamAV database folder and then restart clamd.
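An added example, not from the Sanesecurity page or the ClamAV project: a shell helper that generalizes Example 1 by validating the signature name (rejecting typographic quotes picked up when copying a command from a web page) and appending it only once. The function names `ign2_add` and `ign2_bad_lines`, the `DB_DIR` variable and the allowed character set are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent helper for a local ClamAV ignore list.
# ign2_add, ign2_bad_lines and DB_DIR are hypothetical names, not ClamAV tools.

# Append one signature name to local_whitelist.ign2 in the database folder.
# Usage: ign2_add NAME [DB_DIR]
# Returns 0 if NAME is present afterwards, 1 if NAME was rejected.
ign2_add() {
    sig=$1
    db_dir=${2:-${DB_DIR:-.}}
    file="$db_dir/local_whitelist.ign2"

    # Assumption: names consist of letters, digits, dot, underscore, hyphen.
    # This rejects empty input, whitespace and typographic quotes.
    case $sig in
        ''|*[!A-Za-z0-9._-]*)
            echo "ign2_add: rejected signature name: $sig" >&2
            return 1 ;;
    esac

    # Whole-line fixed-string match, so a name that is only a prefix of an
    # existing entry is still added.
    if [ -f "$file" ] && grep -Fxq -- "$sig" "$file"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$file"
}

# Print how many lines of an existing .ign2 file fail the same name rule,
# for example entries written earlier with typographic quotes around them.
# Usage: ign2_bad_lines FILE
ign2_bad_lines() {
    LC_ALL=C grep -cvE '^[A-Za-z0-9._-]+$' "$1" || true
}
```

As in Example 1, clamd still has to be restarted after the file changes.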
Example 2: Sanesecurity.Spam.10154.UNOFFICIAL is causing issues