Ingo,

It looks like this sig was originally published on June 11th, 2015. We dropped the signature this afternoon to review why it triggered a false positive.

Thank you for making us aware of this issue. Please let us know if there are any other issues.

Thanks again,

Shaun Hurley
ClamAV Malware Team

On Thu, Jul 9, 2015 at 2:48 PM, Al Varnell <alvarn...@mac.com> wrote:

> I used to be able to scan the database to determine when each signature was added, but that list has been eliminated so I can’t verify, but when an older file is suddenly identified as infected, my first thought is that this must be a new signature. Just because the vulnerability has been known since 2012 doesn’t mean that ClamAV has been able to detect it since then.
>
> -Al-
>
> > On Jul 9, 2015, at 11:22 AM, Ingo Bente <ingo.be...@gmail.com> wrote:
> >
> > The file has been subject to daily scanning since Mar 2015. According to the mtime, the file has not been changed since. However, the positive finding from ClamAV occurred just yesterday. That's why it seems to me that this might be a false positive.
> >
> > Please let me know what you think.
> >
> > Cheers
> > Ingo
> >
> > On Thu, 9 Jul 2015 at 19:33 Al Varnell <alvarn...@mac.com> wrote:
> >
> >> I’m not sure why you would consider a 2012 CVE to be an indicator of a false positive. Have you read the vulnerability description?
> >> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167>
> >>
> >> If that document contains an EMF image it could cause a heap-based buffer overflow in those older, unmatched versions of Microsoft Office.
> >>
> >> -Al-

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml