I attempted to submit the sample I have to http://www.clamav.net/reports/fp and it was similarly rejected as "empty." Scanned the file on my computer after updating definitions still shows it as infected. Uploading it to VirusTotal results in only a ClamAV detection: <https://www.virustotal.com/en/file/87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a/analysis/1455495993/>.
Regardless of whether the signature is right or wrong, the ClamAV False Positive submission system is broken and needs to be fixed. The file I submitted was pg3726-images.epub downloaded from <http://www.gutenberg.org/cache/epub/3726/pg3726-images.epub> with MD5=6a2c8a5085e7fbea72643d78962c6897 just in case it actually made it to the database. -Al- On Sun, Feb 14, 2016 at 03:14 PM, nerslbm...@yahoo.com wrote: > > I understand it can be whitelisted, but I posted to the list in hope that the > person who introduced the problem to the file daily.cd on 2/12/2016 will read > the thread and roll back the changes. > > Thanks! > > > On Sunday, February 14, 2016 11:48 AM, Steve basford > <steveb_cla...@sanesecurity.com> wrote: > > > Hi, > > Here's the entry for > Zip.Suspect.MacroDoubleExtension-zippwd > > (?i)((\.doc)|([ > _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ > > _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:* > > Which is covering a lot of combinations in one sig... personally I split > foxhole ones into smaller subsections... > > Use --debug and grep for cdbname in the output. > > You can whitelist sig name using a .ign2 database. > > Cheers, > > Steve > Web: sanesecurity.com > Blog: sanesecurity.blogspot.com > > > > On 14 February 2016 19:00:12 <nerslbm...@yahoo.com> wrote: > >> Hi,false positives started coming after update to (daily.cvd version: >> 21360)my submissions for false-positive reports on clamav.net keep >> reporting "The sample is empty." >> >> How to reproduce: >> mkdir /tmp/test_dir >> touch /tmp/test_dir/txt_csv.jar.0 >> jar cf test_dir.jar /tmp/test_dir >> # or >> zip -r test_dir.zip /tmp/test_dir >> >> # then scan the file >> clamscan test_dir.jar test_dir.zip >> _______________________________________________ >> Help us build a comprehensive ClamAV guide: >> https://github.com/vrtadmin/clamav-faq >> >> http://www.clamav.net/contact.html#ml > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml -Al- -- Al Varnell Mountain View, CA
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
