Noel Jones wrote:
> Steve Wray wrote:
>> Noel Jones wrote:
>>> Steve Wray wrote:
>>>> Hi there,
>>>> I'm not sure this is the right mailing list for this but here goes anyway.
>>>>
>>>> I need to find out if I am dealing with a false positive or with a real
>>>> problem.
>>>>
>>>> I've been running clamav over some of our webservers' content for the
>>>> past year or so and it has never found anything (apart from the eicar
>>>> test signature that I occasionally drop in there to make sure the system
>>>> is working properly).
>>>>
>>>> It recently found something on two of our servers. Both servers run moodle.
>>>>
>>>> Clamav identifies it as JS.Dropper-14
>>>>
>>>> The file concerned downloaded directly from the moodle site is also
>>>> identified as being infected though it's a different version of the file
>>>> and differs slightly.
>>>>
>>>> You can find it here:
>>>>
>>>> http://cvs.moodle.org/moodle/mod/quiz/protect_js.php
>>>>
>>>> I've had our developers going over this code and they can't find
>>>> anything suspicious about it. Personally I'm suspicious of the huge
>>>> block of binary data... but I'm not really a programmer.
>>>>
>>>> Please advise.
>>>>
>>> get the opinion of many other scanners by submitting the file
>>> to http://virusscan.jotti.org/ or http://www.virustotal.com/
>>>
>>> If nothing else finds it suspicious, submit the file as a
>>> false positive at
>>> http://www.clamav.org/sendvirus/
>> Ok well one other thing did find it suspicious:
>>
>> Panda 9.0.0.4 2008.03.02 Exploit/IFrame.FileDownload
>>
>> nothing else did though.
>>
>> At what point should I start to worry about this?
>> :-/
>>
>>
>
> Submit it as a false positive and let the clamav signature
> team evaluate it.

Well I've submitted it as a false positive... but I don't really know that it is false... we shall see!

Thanks for the advice and help