If you have problems with a signature, please check the signature names first, as some of the Sanesecurity download scripts may also download other Third-Party signatures and are therefore not under the control of SaneSecurity.
.UNOFFICIAL means that the signature is not an Official ClamAV signature and therefore you need to contact one of the following people when you have a problem:
|MBL||contact Malware Block List|
|ScamNailer||contact Julian Field|
|Doppelstern||contact Doppelstern Antispam|
If you are having problems with the following Official ClamAV signatures:
You can disable this feature by editing clamd.conf and find the line “PhishingScanURLs” and change it to this:
If the signature name doesn’t have .UNOFFICIAL tag at the end, that please submit a false positive report to the ClamAV Team here
False Positive samples (where possible) should either be emailed to:
In order to speed up the resolution process when sending a False Positive Report, please send the signature name (eg: Sanesecurity.Spam.10154) and also, where possible, the raw text (including all headers of you blocked email).
Note: If you are trying to send a copy of a fraudulent email to your bank or other organisation (such as PayPal/Ebay) and it is getting blocked by your ISP… then please use the pastebin service to send the fraudulent email instead, as this will not be blocked by them.
Locally whitelisting a false positive
While you wait for the false positive to be fixed, you can create your own local whitelist:
Example 1: Pdf.Exploit.CVE_2016_1091-2 is causing issues
echo “Pdf.Exploit.CVE_2016_1091-2” >> local_whitelist.ign2
place into your clamav database folder and then restart clamd
Example 2: Sanesecurity.Spam.10154.UNOFFICIAL is causing issues