Steve Wray wrote:
> Noel Jones wrote:
>> Steve Wray wrote:
>>> Hi there,
>>> I'm not sure this is the right mailing list for this but here goes anyway.
>>>
>>> I need to find out if I am dealing with a false positive or with a real
>>> problem.
>>>
>>> I've been running clamav over some of our webservers content for the
>>> past year or so and it has never found anything (apart from the eicar
>>> test signature that I occasionally drop in there to make sure the system
>>> is working properly).
>>>
>>> It recently found something on two of our servers. Both servers run moodle.
>>>
>>> Clamav identifies it as JS.Dropper-14
>>>
>>> The file concerned downloaded directly from the moodle site is also
>>> identified as being infected though it's a different version of the file
>>> and differs slightly.
>>>
>>> You can find it here:
>>>
>>> http://cvs.moodle.org/moodle/mod/quiz/protect_js.php
>>>
>>> I've had our developers going over this code and they can't find
>>> anything suspicious about it. Personally I'm suspicious of the huge
>>> block of binary data... but I'm not really a programmer.
>>>
>>> Please advise.
>>>
>> get the opinion of many other scanners by submitting the file
>> to http://virusscan.jotti.org/ or http://www.virustotal.com/
>>
>> If nothing else finds it suspicious, submit the file as a
>> false positive at
>> http://www.clamav.org/sendvirus/
>
> Ok well one other thing did find it suspicious:
>
> Panda 9.0.0.4 2008.03.02 Exploit/IFrame.FileDownload
>
> nothing else did though.
>
> At what point should I start to worry about this?
> :-/
>
Submit it as a false positive and let the clamav signature team evaluate it.

--
Noel Jones