Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg, which apparently has an MD5 = efddf96af90be02bcc9e37cbc21c34a6 <https://www.virustotal.com/en/file/c3707dd14b766fd5d19daddf19cf57e980ffaa81fec3bec3e4de47bbf7419118/analysis/>.

I asked the OP to upload it to Send a false positive, but not sure they will be able to.

-Al-

On May 9, 2014, at 7:53 PM, Al Varnell <alvarn...@mac.com> wrote:

> I don’t have all the information on this yet, but I’ve had two ClamXav users
> complain today of commercial software being identified as infected by
> Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but
> perhaps it was just added today.
>
> The first is "accordion.1.6.2(83).dmg", downloaded from
> <http://yourhead.com/accordion/download/index.html> which I verified was
> identified. It’s a RapidWeaver Plug-in from YourHead.com.
>
> I submitted it to VirusTotal with the following 1/51 results:
> <https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>.
>
> So I uploaded it to Send a false positive report, but got the following
> response:
>> Result:
>> This file is not detected by ClamAV. Please update your CVD database before
>> reporting false-positives. If you are using third-party databases/unofficial
>> signatures, please contact the author of the signature. We can only process
>> false-positives generated by ClamAV Official signatures.
>>
>> Please correct the above errors and retry. Thank you for helping the ClamAV
>> project.
>
> I updated definitions and it was still detected as infected. ClamXav still
> using v0.98.1. I’ve had this happen once before, but have no idea how it
> could test positive on two Macs and VirusTotal, but not on your site.
>
> MD5 = f247e5f45b7a30ce600be34e66d93fa8
>
> The second file is named "Rapport-5.dmg", which is an older version of
> Trusteer Rapport for Mac. The latest version does not test positive, but
> that’s not surprising to me. I’ve asked the user to upload his file to
> VirusTotal and will post the results once I have them.
>
> This is yet another example of OS X .dmg files being falsely identified as
> infected. All of these signatures follow the same pattern of detecting
> multiple strings of characters (mostly the letter “a”) contained in an XML
> section of the .dmg file. I believe this is provided as overhead information
> concerning the file and does not contain any data at all to positively
> identify the contents of the image file. Since the formats of the XML
> portion of the .dmg files are all very similar, I suspect it will be
> extremely difficult to uniquely fingerprint such files by using XML strings.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
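The quoted message argues that a signature keying on character runs in the XML property list of a .dmg fingerprints metadata rather than the image contents. The following is an added triage helper, not code from the list post or the ClamAV project: it locates the XML plist through the 512-byte "koly" trailer that ends a UDIF image (XMLOffset and XMLLength are the big-endian uint64 fields at trailer offsets 216 and 224) and reports whether every occurrence of a candidate pattern lands inside that metadata region. The sample image and its run of lowercase "a" bytes are constructed stand-ins, not taken from either reported file.

```python
import re
import struct

KOLY_SIZE = 512  # a UDIF .dmg ends with a 512-byte "koly" trailer describing the image layout

def xml_region(dmg: bytes):
    """Locate the XML property list via the koly trailer; returns (offset, length) or None."""
    if len(dmg) < KOLY_SIZE:
        return None
    trailer = dmg[-KOLY_SIZE:]
    if trailer[:4] != b"koly":
        return None
    # XMLOffset and XMLLength: big-endian uint64 fields at trailer offsets 216 and 224
    xml_off, xml_len = struct.unpack(">QQ", trailer[216:232])
    if xml_len == 0 or xml_off + xml_len > len(dmg) - KOLY_SIZE:
        return None  # malformed or truncated image: refuse to guess where the plist is
    return xml_off, xml_len

def classify_hits(dmg: bytes, pattern: bytes) -> dict:
    """Report where each occurrence of `pattern` lands: inside the plist or in the image data."""
    hits = [m.start() for m in re.finditer(re.escape(pattern), dmg)]
    region = xml_region(dmg)
    if region is None:
        return {"xml_region": None, "in_xml": [], "outside_xml": hits}
    off, length = region
    in_xml = [h for h in hits if off <= h < off + length]
    return {"xml_region": region, "in_xml": in_xml,
            "outside_xml": [h for h in hits if h not in in_xml]}

def build_sample_dmg(data_fork: bytes, plist_xml: bytes) -> bytes:
    """Constructed sample image: data fork, then the XML plist, then a minimal koly trailer."""
    trailer = bytearray(KOLY_SIZE)
    trailer[:4] = b"koly"
    struct.pack_into(">II", trailer, 4, 4, KOLY_SIZE)                       # version, header size
    struct.pack_into(">QQ", trailer, 24, 0, len(data_fork))                 # DataForkOffset/Length
    struct.pack_into(">QQ", trailer, 216, len(data_fork), len(plist_xml))   # XMLOffset/XMLLength
    return data_fork + plist_xml + bytes(trailer)

# Constructed plist: a <data> element carrying a long run of "a", the kind of string the report describes.
SAMPLE_PLIST = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
                b'<key>resource-fork</key><dict><key>blkx</key><array><dict>'
                b'<key>Data</key><data>' + b"a" * 64 + b'</data></dict></array></dict>'
                b'</dict></plist>\n')
SAMPLE_DATA_FORK = b"\x00" * 64 + b"image payload bytes" + b"\x00" * 64  # constructed, no "a" runs

def triage_sample() -> dict:
    """Check the constructed image against a 16-byte run of "a"; all hits should fall in the plist."""
    return classify_hits(build_sample_dmg(SAMPLE_DATA_FORK, SAMPLE_PLIST), b"a" * 16)
```

A result with hits in `in_xml` and none in `outside_xml` means the pattern is matching only the plist overhead, which supports a false-positive report rather than a detection.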