Thanks for sending this in. We are addressing your reported FP. - Alain
On Sat, May 10, 2014 at 12:24 AM, Al Varnell <alvarn...@mac.com> wrote: > Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg which apparently > has an MD5 = efddf96af90be02bcc9e37cbc21c34a6 > < > https://www.virustotal.com/en/file/c3707dd14b766fd5d19daddf19cf57e980ffaa81fec3bec3e4de47bbf7419118/analysis/ > >. > > I asked the OP to upload it to Send a false positive, but not sure they > will be able to. > > -Al- > > On May 9, 2014, at 7:53 PM, Al Varnell <alvarn...@mac.com> wrote: > > > I don’t have all the information on this yet, but I’ve had two ClamXav > user complain today of commercial software being identified as infected by > Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but > perhaps it was just added today. > > > > The first is "accordion.1.6.2(83).dmg", downloaded from < > http://yourhead.com/accordion/download/index.html> which I verified was > identified. It’s a RapidWeaver Plug-in from YourHead.com. > > > > I submitted it to VirusTotal with the following 1/51 results: > > < > https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/ > >. > > > > So I uploaded it to Send a false positive report, but got the following > response: > >> Result: > >> This file is not detected by ClamAV. Please update your CVD database > before reporting false-positives. If you are using third-party > databases/unofficial signatures, please contact the author of the > signature. We can only process false-positives generated by ClamAV Official > signatures. > >> > >> Please correct the above errors and retry. Thank you for helping the > ClamAV project. > > > > I updated definitions and it was still detected as infected. ClamXav > still using v0.98.1. I’ve had this happen once before, but have no idea > how it could test positive on two Macs and VirusTotal, but not on your site. > > > > MD5 = f247e5f45b7a30ce600be34e66d93fa8 > > > > The second file is named "Rapport-5.dmg” which is an older version of > Trusteer Rapport for Mac. The latest version does not test positive, but > that’s not surprising to me. I’ve asked the user to upload his file to > VirusTotal and will post the results once I have them. > > > > This is yet another example of OS X .dmg files being falsely identified > as infected. All of these signatures follow the same pattern of detecting > multiple strings of characters (mostly the letter “a”) contained in an XML > section of the .dmg file. I believe this is provided as overhead > information concerning the file and does not contain any data at all to > positively identify the contents of the image file. Since the formats of > the XML portion of the .dmg files are all very similar, I suspect it will > be extremely difficult to uniquely fingerprint such files by using XML > strings. > > > > > > -Al- > > -- > > Al Varnell > > Mountain View, CA > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > http://www.clamav.net/support/ml > _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
