I too reported the false positive. I supplied the offending file; was that 
correct?

I have 18 other different files that report the same exploit like so -


559 /root$ freshclam
ClamAV update process started at Thu Dec 12 08:54:47 2013
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 18228, sigs: 599355, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 233, sigs: 44, f-level: 63, builder: dgoddard)
560 /root$ clamscan /home/alex/pm65dir/nw1706.p65
/home/alex/pm65dir/nw1706.p65: BC.Exploit.CVE_2013_3906 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3018273
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 5.97 MB
Data read: 3.04 MB (ratio 1.97:1)
Time: 21.518 sec (0 m 21 s)
561 /root$ 


Presumably somewhere in these files there is a combination of bytes that matches the 
entry in bytecode.cld. My version was downloaded on November 28th. On the 
website it's got a date stamp of 20th November. So I must be using the latest 
version. 

-rw-r--r-- 1 clamav clamav   360960 Nov 28 23:13 bytecode.cld

I can find no reference to BC.Exploit.CVE_2013_3906-3 in any of my files 
downloaded from clamav.


Regards

Alex




On Wednesday 11 Dec 2013 09:56:46 Douglas Goddard wrote:
> When was your last signature update? Could you run freshclam and then
> rescan? That version of the bytecode signature has been dropped and should
> no longer be alerting, the current version is BC.Exploit.CVE_2013_3906-3.
> If that version is still alerting after an update then we will do some
> deeper investigation.
> 
> On Wed, Dec 11, 2013 at 6:12 AM, Al Varnell <alvarn...@mac.com> wrote:
> > On Wed, Dec 11, 2013 at 02:19 AM, Andrew Carter wrote:
> > > I have submitted a file several times (email and Excel attachment) to be
> > > corrected at http://www.clamav.net/lang/en/sendvirus/submit-fp/ however
> > > this is still being marked as a virus. In testing it against other
> > > scanners Clam is the only one picking it up as a virus.
> > 
> > They will need the MD5 hash value of the file in order to easily find it
> > in their database.
> > 
> > What other scanners did you try? It was apparently reported first by
> > McAfee labs
> > <http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2>.
> > 
> > Did you submit it to virustotal.com?
> > 
> > 
> > -Al-
> > --
> > Al Varnell
> > Mountain View, CA
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > http://www.clamav.net/support/ml
> 