Virus False Positive
CanIt uses Clam Antivirus (ClamAV) as the primary method for detecting viruses within attachments. ClamAV matches attachments against a database of signatures: byte patterns, hashes or text fragments (as in the example below) that identify known malicious content. A signature is only as good as the pattern it encodes, so in rare instances a signature that is too broad or poorly chosen will match harmless mail and produce a false positive.
Decoding a ClamAV Signature
Before taking any steps to remove or ignore a signature you should first determine whether it is, in fact, a bad rule. From the command line of a CanIt appliance, or any other Linux machine with ClamAV and the same signature databases installed, you can run:
sigtool --find-sigs=Sanesecurity.Virus.Code.### | sigtool --decode-sigs
The first command searches the databases in ClamAV's database directory for signatures whose name matches the pattern; the second prints each matching signature in readable form, so you can see exactly what it looks for. For example:
# sigtool --find-sigs=Sanesecurity.Phishing.Fake.26397 | sigtool --decode-sigs
VIRUS NAME: Sanesecurity.Phishing.Fake.26397
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
unusual activity on your paypai
If the decoded pattern is something that could plausibly appear in legitimate mail, the signature is a candidate for reporting or ignoring; if it clearly targets malicious content (here a phishing phrase using the look-alike "paypai"), the detection is probably correct.
Request Removal
Signatures whose names start with "Sanesecurity." come from SaneSecurity, a third-party signature feed that CanIt loads into ClamAV alongside ClamAV's own databases. You can report a false positive in one of these signatures to SaneSecurity at this address:
http://sanesecurity.com/support/false-positives/
Manual Removal (CanIt-Pro and Domain-Pro only)
If you'd like ClamAV to ignore specific virus signatures, this needs to be done on every machine that runs ClamAV; the change is local to each scanning host and is not replicated between them.
Append the signature name to the local 'ignore' file, where 'Sanesecurity.Virus.Code.###' is the name of the signature as shown in the "detail=" header of the false-positive. The file must have the .ign2 extension, live in ClamAV's database directory, and contain exactly one signature name per line; the name must match the signature's name exactly:
echo 'Sanesecurity.Virus.Code.###' >> /var/lib/clamav/local.ign2
Restore ownership of the 'ignore' file to the clamav user:
chown clamav:clamav /var/lib/clamav/local.ign2
Have clamd reload its databases so the new ignore entry takes effect:
/etc/init.d/clamav-daemon force-reload
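The three steps above, wrapped in a script with the checks a sysadmin would want before touching the ignore file. This is an added example, not code shipped with CanIt or ClamAV: it validates that the pasted name is a single well-formed signature token (so a stray space or newline cannot add a malformed line), refuses to add a name that is already listed, and only then restores ownership and reloads clamd. The ignore-file path is the one used above; the IGN_FILE variable, function names and exit codes are this script's own conventions.

```sh
#!/bin/sh
# Added example, not part of CanIt or ClamAV: put a signature name on the
# local ClamAV ignore list as the manual-removal steps describe, with a few
# safety checks. IGN_FILE defaults to the path used on CanIt appliances.
IGN_FILE="${IGN_FILE:-/var/lib/clamav/local.ign2}"

# A ClamAV signature name is a single token of letters, digits, '.', '_' and
# '-'. Rejecting anything else (spaces, newlines, shell metacharacters)
# keeps a badly pasted name from producing a second line or a malformed entry.
valid_sig_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append NAME to FILE (one name per line, as .ign2 requires) unless it is
# already listed. Exit status: 0 added, 1 already present, 2 invalid name.
add_ignore_sig() {
    name=$1
    file=$2
    valid_sig_name "$name" || {
        echo "refusing to ignore malformed signature name: '$name'" >&2
        return 2
    }
    if [ -f "$file" ] && grep -qxF "$name" "$file"; then
        return 1
    fi
    printf '%s\n' "$name" >> "$file"
    return 0
}

# Number of entries in an ignore file, to confirm nothing was duplicated.
ignore_count() {
    if [ -f "$1" ]; then grep -c '' "$1" || :; else echo 0; fi
}

# The full procedure from the page: append, restore ownership (appending from
# a root shell creates the file owned by root), then have clamd reload its
# databases. Must run as root on every CanIt host that scans mail.
ignore_and_reload() {
    add_ignore_sig "$1" "$IGN_FILE"
    rc=$?
    [ "$rc" -eq 2 ] && return 2
    [ "$rc" -eq 1 ] && echo "$1 is already ignored on this host" >&2
    chown clamav:clamav "$IGN_FILE"
    /etc/init.d/clamav-daemon force-reload
}

# Usage: sh ignore-sig.sh Sanesecurity.Virus.Code.###
if [ -n "${1:-}" ]; then
    ignore_and_reload "$1"
fi
```

Running it a second time with the same name is harmless: the duplicate is skipped, but ownership is still fixed and clamd is still reloaded, which is what you want after a by-hand edit.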