False Positives

If you have problems with a signature, please check the signature names first, as some of the Sanesecurity download scripts may also download other Third-Party signatures and are therefore not under the control of SaneSecurity.

.UNOFFICIAL means that the signature is not an Official ClamAV signature and therefore you need to contact one of the following people when you have a problem:

If the signature name doesn't have .UNOFFICIAL tag at the end, that please submit a false positive report to
the ClamAV Team here

Phishing.Heuristics

If you are having problems with the following Official ClamAV signatures:

Phishing.Heuristics.Email.SpoofedDomain
Phishing.Heuristics.Email.SSL-Spoof

You can disable this feature by editing clamd.conf and find the line "PhishingScanURLs" and change it to this:

PhishingScanURLs no

Please submit a Phishing.Heuristics.Email false positive report to the ClamAV Team here


Report a Sanesecurity False Positive

False Positive samples (where possible) should either be emailed to:



or use a service such as pastebin (to past in the whole email) and then email the unique pastebin link you are given, to the above email address. Other services to use: link1 or link2

For help with how to access all the headers/body in your email client, this link may help

In order to speed up the resolution process when sending a False Positive Report, please send the signature name
(eg: Sanesecurity.Spam.10154) and also, where possible, the raw text (including all headers of you blocked email).

Note: If you are trying to send a copy of a fraudulent email to your bank or other organisation (such as PayPal/Ebay) and it is getting blocked by your ISP... then please use the pastbin service to send the fraudulent email instead, as this will not be blocked by them.