A ClamXav user contacted me today to report that the software he developed, packaged and posted as a .dmg image file had been falsely identified as Osx.Trojan.Genieo. I believe he had already submitted it to you a few days ago, but I took the time to verify and upload it again just to be certain. The file name is CloudCompare-2.5.0.dmg with MD5=b26d6ac32713795bcdb5f36bb52607a1.

This is one of several .dmg files found recently that were falsely identified as infected, where the signature is based on patterns found in an XML section of the .dmg. I believe this section to be overhead information associated with the .dmg itself, unrelated to the contents of the mounted image. In examining the XML I noticed that they are all very similar in both format and content, prominently filled with the letter “A”. I believe all the signatures to have been produced by the new automated system used with OSX samples a couple of months ago. It’s probably too early to conclude that the automated process is inadequate to handle .dmg files, but I suggest that it be looked at. Signature writing is not something I can claim any experience with; this is just an observation on my part.

-Al-

--
Al Varnell
Mountain View, CA
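The XML section Al describes is the block-map property list that a UDIF .dmg carries outside the mounted filesystem; its location is recorded in the 512-byte "koly" trailer at the end of the file, and the runs of "A" are base64-encoded zero bytes in the blkx block tables. The following Python is an added example, not code from the original post or from ClamAV, that pulls that section out of an image and measures how much of its block-table data is zero padding, so a signature writer can see whether a pattern match landed on image overhead rather than content; the sample image it builds is constructed for the demonstration.

```python
import plistlib
import struct

KOLY_SIZE = 512  # a UDIF .dmg ends with a fixed 512-byte "koly" trailer (big-endian fields)
XML_OFFSET_FIELD = 216  # byte offset of XMLOffset (uint64) inside the trailer
XML_LENGTH_FIELD = 224  # byte offset of XMLLength (uint64) inside the trailer


def extract_xml(dmg: bytes) -> bytes:
    """Locate and return the XML property list that describes the image's block map."""
    if len(dmg) < KOLY_SIZE:
        raise ValueError("file too small to carry a koly trailer")
    trailer = dmg[-KOLY_SIZE:]
    if trailer[:4] != b"koly":
        raise ValueError("no koly trailer: not a plain UDIF image")
    xml_offset, xml_length = struct.unpack_from(">QQ", trailer, XML_OFFSET_FIELD)
    if xml_offset + xml_length > len(dmg) - KOLY_SIZE:
        raise ValueError("XML section lies outside the image body")
    return dmg[xml_offset:xml_offset + xml_length]


def blkx_zero_fraction(xml: bytes) -> float:
    """Decode the base64 'blkx' block tables and return the share of zero bytes.
    Zero bytes encode as 'A' in base64, so a high value means an XML section
    that looks 'filled with the letter A' is table padding, not payload."""
    plist = plistlib.loads(xml)
    blobs = [entry["Data"] for entry in plist["resource-fork"]["blkx"]]
    total = sum(len(b) for b in blobs)
    zeros = sum(b.count(0) for b in blobs)
    return zeros / total if total else 0.0


def build_sample_dmg() -> bytes:
    """Constructed stand-in for a .dmg: a 1 KiB body, an XML plist with one
    mostly-zero block table, and a koly trailer pointing at that plist."""
    plist = {"resource-fork": {"blkx": [
        {"Name": "whole disk (constructed)", "Data": b"mish" + bytes(300)}]}}
    xml = plistlib.dumps(plist, fmt=plistlib.FMT_XML)
    body = bytes(1024)
    trailer = bytearray(KOLY_SIZE)
    trailer[:4] = b"koly"
    struct.pack_into(">I", trailer, 4, 4)          # version
    struct.pack_into(">I", trailer, 8, KOLY_SIZE)  # header size
    struct.pack_into(">QQ", trailer, XML_OFFSET_FIELD, len(body), len(xml))
    return body + xml + bytes(trailer)


if __name__ == "__main__":
    xml = extract_xml(build_sample_dmg())
    print(f"XML section: {len(xml)} bytes, zero share in blkx tables: {blkx_zero_fraction(xml):.2f}")
```

Run against a real image, a zero share near 1.0 for the section a signature matched is a strong hint that the pattern should be anchored elsewhere.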