wazuh-ruleset
Rule 52502 reports false positive
Hi team,
A community user has reported that he obtains a false "Virus detected" alert. You can read more about it in this mailing thread: ClamAV false Virus detected alert.
It's caused by rule 52502:
https://github.com/wazuh/wazuh-ruleset/blob/a26fe6ca7d0ac9bc6f44688ff3002aea45d2a4f9/rules/0320-clam_av_rules.xml#L22-L27
It only searches for the word found, so it can match logs like:
Nov 18 03:07:43 eva clamd[923]: Mon Nov 18 03:07:43 2019 -> ^lstat() failed on: /home/eva/lost+found
To solve it we could add a blank space before the word:
<rule id="52502" level="8">
<if_sid>52500</if_sid>
<match> FOUND</match>
<description>ClamAV: Virus detected</description>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,nist_800_53_SI.3,nist_800_53_SI.4,</group>
</rule>
Best regards, Eva
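As an added illustration (not code from this issue or from the wazuh-ruleset project), a small Python model of the original and proposed match patterns run against the log line above plus two constructed clamd lines. It assumes that `<match>` behaves as a case-insensitive, unanchored substring test, which is what the lost+found hit implies.

```python
# Added example: models how rule 52502's <match> pattern behaves against clamd log lines.
# Assumption: Wazuh <match> is treated as a case-insensitive substring search with no
# anchoring (the lowercase "lost+found" matching "FOUND" in the issue shows this).

# The false positive quoted in the issue.
FALSE_POSITIVE = (
    "Nov 18 03:07:43 eva clamd[923]: Mon Nov 18 03:07:43 2019 -> "
    "^lstat() failed on: /home/eva/lost+found"
)
# Constructed sample of a genuine clamd detection line (not from the issue).
REAL_DETECTION = (
    "Nov 18 03:10:01 eva clamd[923]: Mon Nov 18 03:10:01 2019 -> "
    "/home/eva/Downloads/eicar.com: Eicar-Test-Signature FOUND"
)
# Constructed sample: a scanned path that itself contains " found".
PATH_WITH_SPACE = (
    "Nov 18 03:12:15 eva clamd[923]: Mon Nov 18 03:12:15 2019 -> "
    "^lstat() failed on: /home/eva/not found"
)

ORIGINAL_PATTERN = "FOUND"   # rule as it was before the proposed change
PROPOSED_PATTERN = " FOUND"  # rule with the leading blank space


def rule_matches(pattern: str, line: str) -> bool:
    """Model of <match>: case-insensitive substring search, no anchoring."""
    return pattern.lower() in line.lower()


def evaluate(pattern: str) -> dict:
    """Report which sample lines would fire rule 52502 under the given pattern."""
    return {
        "false_positive_fires": rule_matches(pattern, FALSE_POSITIVE),
        "real_detection_fires": rule_matches(pattern, REAL_DETECTION),
        "path_with_space_fires": rule_matches(pattern, PATH_WITH_SPACE),
    }


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN), ("proposed", PROPOSED_PATTERN)):
        print(name, evaluate(pattern))
```

The third constructed line shows that the leading space narrows the false-positive surface but does not remove it entirely: any scanned path containing " found" still matches.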