Open Gazoo opened 2 years ago
ClamAV blocks legitimate e-mails with sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.822.UNOFFICIAL
, too.
I will remove Topline.ibanking.ib.rbc.com in the next release.
The top line sigs were used for malware in WordPress sites, pre-Imunify360 scanning. This was content inserted generally at the top of the file, used for detecting and cleaning it. There are honestly better methods of detecting this in WordPress, although it still would work for these types of PHP malware. It wouldn't, though, be useful in email. So in this case I would recommend not using the topline scripts in email itself.
The break down

Automatic updating DBs
sha256: interserver256.hdb - 100% known malware sha256 format
hex/topline: interservertopline.db - inserts into files, manual cleaning HEX

Logical
Shell ldb: shell.ldb - 99.9% known malware using logical signatures

Whitelist
Whitelist: whitelist.fp - MD5 checksums of false positives or common files

Original Virus DBs
These dbs were originally manually kept and updated. The system is more automated now and the below will rarely update and are kept for legacy purposes.
Shellb: shellb.db - original db inserts into files, manual cleaning HEX
Shell MD5: shell.hdb - original db 100% known malware MD5 format
I can't imagine any email would be detected under any of these DBs since they were realistically used only with PHP malware in mind.
reopen - meant to have this opened until released
Issue still present, ClamAV 0.103.11/27296.
Issue is still present for sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.822.UNOFFICIAL with daily.cld version 27400 and main.cvd version 62.
Just a note that sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820 blocks legitimate email from RBC bank. After decoding the signature it looks like it's just matching the email: ibanking@ib.rbc.com. The problem is that RBC really does send out all their email from that address.
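The decoding step described in the last comment can be run over a whole `.db` file to find every signature that is nothing but a literal e-mail address, which will match any mail sent from or quoting that address. The following is an added example, not code from this thread or from InterServer: it assumes ClamAV's `Name=HexSignature` line format for `.db` files, the hex body in the sample is constructed from the address quoted above, and the second sample line is hypothetical.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_RUN = r"(?:[0-9a-fA-F]{2})+"
# A fixed hex run, or a ClamAV wildcard: ??, *, {n}, {n-m}, (aa|bb)
TOKEN_RE = re.compile(HEX_RUN + r"|\?\?|\*|\{[0-9-]+\}|\([0-9a-fA-F|?]+\)")

def decode_signature(line):
    """Return (name, literal_fragments, has_wildcard) for one 'Name=HexBody' line.
    Nibble wildcards (e.g. 'a?') are not handled and raise ValueError."""
    name, _, body = line.strip().partition("=")
    fragments, has_wildcard, pos = [], False, 0
    for m in TOKEN_RE.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unparsed signature text at offset {pos} in {name}")
        pos = m.end()
        if re.fullmatch(HEX_RUN, m.group()):
            fragments.append(bytes.fromhex(m.group()).decode("latin-1"))
        else:
            has_wildcard = True
    if not body or pos != len(body):
        raise ValueError(f"malformed signature body in {name}")
    return name, fragments, has_wildcard

def email_only_signatures(lines):
    """(name, address) for signatures whose whole body is one literal e-mail address."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, fragments, has_wildcard = decode_signature(line)
        if not has_wildcard and len(fragments) == 1 and EMAIL_RE.fullmatch(fragments[0]):
            flagged.append((name, fragments[0]))
    return flagged

def _hex(text):
    return text.encode().hex()

# Constructed sample: the name is the one reported in the thread, the hex body
# is built here from the address the commenter decoded; line 2 is hypothetical.
SAMPLE_DB = [
    "sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820=" + _hex("ibanking@ib.rbc.com"),
    "Constructed.Example.WithWildcard.1=" + _hex("<?php ") + "*" + _hex("eval("),
]

if __name__ == "__main__":
    for name, address in email_only_signatures(SAMPLE_DB):
        print(f"{name}: matches bare address {address}")
```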