I've had one ClamXav user complain on Friday that all the .epub and Kindle downloads from http://www.gutenberg.org/ebooks/3726 were infected. When decompressed, it reveals several files with ".txt.html" extensions.

We've seen problems with such all-encompassing signatures in the past, so I suspect this one needs to be trimmed a bit.

-Al-

On Sun, Feb 14, 2016 at 11:47 AM, Steve Basford wrote:
>
> Hi,
>
> Here's the entry for
> Zip.Suspect.MacroDoubleExtension-zippwd
>
> (?i)((\.doc)|([
> _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[
> _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
>
> Which is covering a lot of combinations in one sig... personally I split
> foxhole ones into smaller subsections...
>
> Use --debug and grep for cdbname in the output.
>
> You can whitelist sig name using a .ign2 database.
>
> Cheers,
>
> Steve
> Web: sanesecurity.com
> Blog: sanesecurity.blogspot.com
>
>
> On 14 February 2016 19:00:12 <nerslbm...@yahoo.com> wrote:
>
>> Hi, false positives started coming after update to (daily.cvd version: 21360). My submissions for false-positive reports on clamav.net keep reporting "The sample is empty."
>>
>> How to reproduce:
>> mkdir /tmp/test_dir
>> touch /tmp/test_dir/txt_csv.jar.0
>> jar cf test_dir.jar /tmp/test_dir
>> # or
>> zip -r test_dir.zip /tmp/test_dir
>>
>> # then scan the file
>> clamscan test_dir.jar test_dir.zip
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA
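As an added illustration of why the quoted filename regex fires on harmless archives (this is example code written for this page, not Sanesecurity's signature file or ClamAV's own matcher): the block below builds an in-memory zip with a few constructed member names, including the list poster's `txt_csv.jar.0` and a Gutenberg-style `.txt.html` name, and reports which members the broad regex hits. The mail wrapped both character classes right after `[`, so the regex is assumed here to read `[_.-]`; the trailing `:*:*:*:*` .cdb fields are dropped because only the filename field matters for this check. `NARROW_RE` is a hypothetical, illustrative narrowing in the spirit of "trimmed a bit" (decoy extension directly followed by the script extension, which must end the name, with htm/html dropped), not the actual fix shipped for the signature.

```python
import io
import re
import zipfile

# Filename regex from the Zip.Suspect.MacroDoubleExtension-zippwd entry quoted
# in the thread, with the trailing ":*:*:*:*" .cdb fields dropped. The mail
# wrapped both character classes after "["; they are assumed to be "[_.-]".
BROAD_RE = re.compile(
    r"(?i)((\.doc)|([_.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png"
    r"|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[_.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa"
    r"|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)"
)

# Illustrative narrowing (an assumption for this example, not Sanesecurity's
# actual fix): the decoy extension must be followed directly by the script
# extension, that extension must end the member name, and htm/html are dropped
# because "foo.txt.html" is an ordinary name inside text bundles.
NARROW_RE = re.compile(
    r"(?i)\.(7z|avi|bmp|csv|doc|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps"
    r"|ppt|pptx|psd|rar|tar|tif|tiff|txt|wav|xls|xlsx|zip)"
    r"\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|ipa|jar|js|jsx|ksh"
    r"|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)$"
)


def build_sample_zip(names):
    """Constructed in-memory archive with one empty file per member name
    (the thread's repro did the same with touch + zip -r)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


def flagged_members(zip_bytes, pattern):
    """Return the member names the filename regex hits, in archive order.
    This mirrors the container-metadata check a .cdb filename field performs."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if pattern.search(info.filename)]


# Constructed sample members: the list poster's repro file, a Gutenberg-style
# name like those in the ClamXav report, a plain text file, and a disguised
# script of the kind the signature is meant to catch.
SAMPLE_MEMBERS = [
    "txt_csv.jar.0",
    "pg3726.txt.html",
    "notes.txt",
    "invoice.pdf.js",
]


def compare(names=SAMPLE_MEMBERS):
    """Map each regex to the member names it flags in the sample archive."""
    archive = build_sample_zip(names)
    return {
        "broad": flagged_members(archive, BROAD_RE),
        "narrow": flagged_members(archive, NARROW_RE),
    }


if __name__ == "__main__":
    for label, hits in compare().items():
        print(f"{label:6s} -> {hits}")
```

Running it shows the broad regex flagging the repro file and the `.txt.html` member alongside the genuinely suspicious `invoice.pdf.js`, while the narrowed form keeps only the last; if you want to confirm what ClamAV itself matched, Steve's advice of `clamscan --debug` and grepping for `cdbname` applies, and an `.ign2` entry suppresses a named signature locally until the upstream database is corrected.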