Noel Jones wrote:
> Steve Wray wrote:
>> Hi there,
>> I'm not sure this is the right mailing list for this but here goes anyway.
>>
>> I need to find out if I am dealing with a false positive or with a real
>> problem.
>>
>> I've been running clamav over some of our webservers content for the
>> past year or so and it has never found anything (apart from the eicar
>> test signature that I occasionally drop in there to make sure the system
>> is working properly).
>>
>> It recently found something on two of our servers. Both servers run moodle.
>>
>> Clamav identifies it as JS.Dropper-14
>>
>> The file concerned downloaded directly from the moodle site is also
>> identified as being infected though it's a different version of the file
>> and differs slightly.
>>
>> You can find it here:
>>
>> http://cvs.moodle.org/moodle/mod/quiz/protect_js.php
>>
>> I've had our developers going over this code and they can't find
>> anything suspicious about it. Personally I'm suspicious of the huge
>> block of binary data... but I'm not really a programmer.
>>
>> Please advise.
>>
>
> get the opinion of many other scanners by submitting the file
> to http://virusscan.jotti.org/ or http://www.virustotal.com/
>
> If nothing else finds it suspicious, submit the file as a
> false positive at
> http://www.clamav.org/sendvirus/

Ok well one other thing did find it suspicious:

Panda 9.0.0.4 2008.03.02 Exploit/IFrame.FileDownload

nothing else did though.

At what point should I start to worry about this? :-/