interserver / clamav-unofficial

Unofficial clamav signatures

sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820 false positive #4

Open Gazoo opened 2 years ago

Gazoo commented 2 years ago

Just a note that sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820 blocks legitimate email from RBC bank. After decoding the signature it looks like it's just matching the email: ibanking@ib.rbc.com. The problem is that RBC really does send out all their email from that address.

VIRUS NAME: sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820
DECODED SIGNATURE:
ibanking@ib.rbc.com

robert-scheck commented 1 year ago

ClamAV blocks legitimate e-mails with sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.822.UNOFFICIAL, too.

JQuags commented 10 months ago

I will remove Topline.ibanking.ib.rbc.com in the next release.

The topline sigs were used for malware in WordPress sites, pre-Imunify360 scanning. This was content inserted generally at the top of the file, used for detecting and cleaning it. There are honestly better methods of detecting this in WordPress, although it still would work for these types of PHP malware. It wouldn't be useful in email, though. So in this case I would recommend not using the topline scripts in email itself.

The breakdown:

Automatic updating DBs
sha256: interserver256.hdb - 100% known malware, sha256 format
hex/topline: interservertopline.db - inserts into files, manual cleaning, HEX

Logical
Shell ldb: shell.ldb - 99.9% known malware using logical signatures

Whitelist
Whitelist: whitelist.fp - MD5 checksums of false positives or common files

Original Virus DBs
These dbs were originally manually kept and updated. The system is more automated now and the below will rarely update and are kept for legacy purposes.
Shellb: shellb.db - original db, inserts into files, manual cleaning, HEX
Shell MD5: shell.hdb - original db, 100% known malware, MD5 format

I can't imagine any email would be detected under any of these DBs since they were realistically used only with PHP malware in mind.
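Added here as an illustration, not code from this repository: a small Python decoder for the legacy Name=HexSignature .db lines the topline set uses. It decodes each body the way Gazoo did above and flags entries whose whole content is a bare e-mail address, which is exactly what makes such a signature a guaranteed false positive when the database is loaded into a mail scanner. The sample lines are constructed: the RBC hex is re-encoded from the decoded text quoted in the issue rather than copied from the real interservertopline.db, and the Example.Topline.phpshell.1 entry is made up for contrast.

```python
import binascii
import re

# Constructed sample lines in ClamAV's legacy "Name=HexSignature" .db format.
# The RBC hex is this example's own encoding of the decoded text quoted in the
# issue, not the bytes of the real interservertopline.db entry; the second
# name and payload are made up for contrast.
SAMPLE_DB = "\n".join([
    "sigs.InterServer.net.HEX.Topline.ibanking.ib.rbc.com.820="
    + binascii.hexlify(b"ibanking@ib.rbc.com").decode(),
    "Example.Topline.phpshell.1=3c3f706870206576616c28",  # "<?php eval("
])

# One hex byte, or the ClamAV wildcards ??, * and {n-m}.
TOKEN = re.compile(r"\?\?|\*|\{\d*-?\d*\}|[0-9a-fA-F]{2}")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def decode_hex_signature(hexsig):
    """Render a hex body as text; wildcards are kept literally, non-printable bytes as \\xNN."""
    out = []
    pos = 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d: %r" % (pos, hexsig[pos:]))
        tok = m.group(0)
        if len(tok) == 2 and tok != "??":
            byte = int(tok, 16)
            out.append(chr(byte) if 0x20 <= byte < 0x7F else "\\x%02x" % byte)
        else:
            out.append(tok)
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError("trailing garbage in signature: %r" % hexsig[pos:])
    return "".join(out)

def triage_db(db_text):
    """Decode each Name=Hex line and flag bodies that are only a bare e-mail
    address: such a signature fires on every legitimate mail from that sender."""
    results = []
    for line in db_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, hexsig = line.partition("=")
        decoded = decode_hex_signature(hexsig.strip())
        results.append((name, decoded, bool(EMAIL.match(decoded))))
    return results

if __name__ == "__main__":
    for name, decoded, risky in triage_db(SAMPLE_DB):
        print("%-8s %s -> %r" % ("FP-RISK" if risky else "ok", name, decoded))
```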

JQuags commented 10 months ago

reopen - meant to have this opened until released

GTAdoum commented 3 months ago

Issue still present, ClamAV 0.103.11/27296.