Re: Update: msg#00008

security.virus.clamav.virusdb

Subject: Re: Update

On Tue, 04 Nov 2003 at 10:06:48 +0000, Mark Allan wrote:
> >ClamAV database updated (2003.11.03 21:57 GMT): viruses.db2
> >
> >Submission: 817-web
> >Sender: Mark Allan
> >Virus: Melissa
> >Added: No, quarantined.
>
> What does this mean? Why wasn't my virus submission included? It *is*
> a known virus which is picked up by other checkers and *not* by ClamAV.
>
> Mark

Mark,
we don't deny it's a known virus and that this version of Melissa is not
detected by ClamAV.
But ClamAV isn't very good at processing MS Office files, yet.
So, having other samples waiting to be worked on, we "queue" MS
Office viruses for later work.

Let me quote a message by T. Kojm about Office files:

===========================================================================
From: Tomasz Kojm <tk@xxxxxxxxxxxxx>
To: clamav-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Clamav-users] false positives
Message-Id: <20031023181423.5ee04a81.tk@xxxxxxxxxxxxx>
Date: Thu, 23 Oct 2003 18:14:23 +0200

On Thu, 23 Oct 2003 04:05:36 -0400
lists <lists01@xxxxxxxxxxxxx> wrote:

> > The correct fix is to submit such falsely infected file via normal
> > way: < http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi >,
>
> i have a bit of a problem - the WordMacro.Concept and W97M/Story.A
> false positives appear in older Word97 files that contain business
> data. if i remove the textual content of the file and resave
> (presumably preserving macros), the file no longer gives a false
> positive.
>
> any suggestions?

Most of our signatures for Office viruses are broken - this is because
we have no support for compressed VBA streams in OLE2 files and the
signatures only match compressed data. Support for VBA will be available
soon, though (but not in the next stable release).

Best regards,
Tomasz Kojm
=========================================================================

Mark, we appreciate your submission but unfortunately we aren't able to
process all older samples immediately. The higher priority is given to
managing new, outbreaking viruses, and we are quite good at it.

Thank you
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@xxxxxxxxxxxx http://www.lodz.tpsa.pl/ | ones and zeros.
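
The quoted point about compressed VBA streams, as an added example that is not part of the original thread and is not ClamAV code: a decoder for the MS-OVBA compression used for VBA streams in OLE2 files, run over two hand-constructed streams that contain the same macro line. The names `container`, `scan`, `PATTERN`, `STREAM_A` and `STREAM_B` and the sample bytes are assumptions made for illustration.

```python
import struct

def decompress_vba(stream: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer (one or more chunks)."""
    if stream[:1] != b"\x01":
        raise ValueError("missing container signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(stream):
        (header,) = struct.unpack_from("<H", stream, pos)
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(pos + (header & 0x0FFF) + 3, len(stream))
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:              # chunk stored without compression
            out += stream[pos:end]
            pos = end
        while pos < end:
            flags, pos = stream[pos], pos + 1
            for bit in range(8):             # LSB first: 0 = literal, 1 = copy
                if pos >= end:
                    break
                if not (flags >> bit) & 1:
                    out.append(stream[pos])
                    pos += 1
                    continue
                if pos + 2 > end:
                    raise ValueError("truncated copy token")
                (token,) = struct.unpack_from("<H", stream, pos)
                pos += 2
                done = len(out) - chunk_start            # bytes decoded in this chunk
                bits = max((done - 1).bit_length(), 4)   # width of the offset field
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > done:
                    raise ValueError("copy token points before chunk start")
                for _ in range(length):      # byte-wise: source may overlap output
                    out.append(out[-offset])
    return bytes(out)

def container(tokens: bytes) -> bytes:   # hypothetical helper: one compressed chunk
    return b"\x01" + struct.pack("<H", 0xB000 | (len(tokens) - 1)) + tokens

# Constructed samples: the same macro line, encoded in two different contexts.
PATTERN = b"Sub AutoOpen()"
STREAM_A = container(b"\x00Sub Auto" b"\x00Open()\n")
STREAM_B = container(b"\x00'AutoOpe" b"\x40n\nSub \x05\xc0(" b"\x00)\n")

def scan(stream: bytes) -> tuple:        # (hit on stored bytes, hit on decoded source)
    return PATTERN in stream, PATTERN in decompress_vba(stream)
```

For both streams `scan` returns `(False, True)`: flag bytes and copy tokens break up the stored bytes, and the stored form of the same line changes with the text that precedes it, so a pattern is only stable after decompression.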


