Hello ClamAV users. Last week I started to check a Gentoo distfiles directory with clamscan. To my big surprise, clamscan found a lot of infected files. Taking a closer look leads to the assumption that all of them are false positives, because most of them are debugging tools.

ClamAV update process started at Sun Mar 13 22:00:01 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 21464, sigs: 1878899, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 274, sigs: 49, f-level: 63, builder: anvilleg)
/var/www/gentoomirror/distfiles/sbd-1.37.tar.gz: Win.Trojan.Agent-558335 FOUND
/var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz: Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/sqlninja-0.2.6-r1.tgz: W32.Hacktool.KiTrap-1 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.93.tar.gz: ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/olsrd-0.9.0.2.tar.bz2: Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/clamav-0.91.2.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.19.gem: Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.21.gem: Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076 FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.22.gem: Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/olsrd-0.6.4.tar.bz2: Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/libwbxml-0.11.2.tar.bz2: Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/framework-2.7.tar.gz: Exploit.Alpha_Mixed FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.1.tar.xz: Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.2.tar.gz: Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.91.tar.gz: ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/anomy-sanitizer-1.76.tar.gz: Exploit.WMF.Gen-1 FOUND
/var/www/gentoomirror/distfiles/LinkChecker-9.3.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/lg-112.tar.gz: HTML.Phishing.Pay-239 FOUND
/var/www/gentoomirror/distfiles/afl-2.07b.tgz: Win.Exploit.CVE_2015_0076 FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.0-src.tar.gz: Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/MailScanner-install-4.84.5-2.tar.gz: Eicar-Test-Signature-1 FOUND
/var/www/gentoomirror/distfiles/lg-108.tar.gz: HTML.Phishing.Bank-1 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz: Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-130.tar.gz: HTML.Phishing.Bank-791 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.22.tar.gz: Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/nepenthes-0.2.2.tar.bz2: Trojan.Downloader.Bat FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.20.tar.gz: Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-issue86.tar.gz: Exploit.IFrame.Gen FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.15.gem: Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.1.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/lg-141.tar.gz: HTML.Phishing.Bank-473 FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.tar.xz: Php.Exploit.CVE_2015_2331-2 FOUND

Is this a known behaviour?

Thanks and cheers
t.
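
An added example, not part of the original post: a Python triage of clamscan output like the log above, separating hits on the EICAR and ClamAV test-file signatures from hits that need manual review, grouped by signature name. The function names are hypothetical, the sample lines are copied from the log in the post, and treating the three test-signature names as markers of harmless test files is an assumption of this example.

```python
import re
from collections import defaultdict

# Assumption: these signature names match deliberately harmless test files
# (the EICAR test string and ClamAV's own bundled test files).
TEST_SIGNATURE = re.compile(
    r"^(Eicar-Test-Signature|ClamAV-Test-(File|Signature))(-\d+)?$")
# clamscan reports a hit as "<path>: <signature> FOUND"
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_hits(log_text):
    """Yield (path, signature) per FOUND line, skipping freshclam chatter."""
    for line in log_text.splitlines():
        m = FOUND_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("sig")

def triage(log_text):
    """Return (test_hits, review): dicts mapping signature -> file names."""
    test_hits, review = defaultdict(list), defaultdict(list)
    for path, sig in parse_hits(log_text):
        name = path.rsplit("/", 1)[-1]
        bucket = test_hits if TEST_SIGNATURE.match(sig) else review
        bucket[sig].append(name)
    return dict(test_hits), dict(review)

# Sample input: lines copied from the scan log in the post.
SAMPLE = """\
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
/var/www/gentoomirror/distfiles/clamav-0.92.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/MailScanner-install-4.84.5-2.tar.gz: Eicar-Test-Signature-1 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz: Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz: Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.tar.xz: Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076 FOUND
"""

if __name__ == "__main__":
    test_hits, review = triage(SAMPLE)
    for label, groups in (("test signatures", test_hits),
                          ("needs review", review)):
        print(label)
        for sig, files in sorted(groups.items()):
            print(f"  {sig}: {', '.join(files)}")
```

Grouping by signature shows when one rule fires on every version of the same package, which is a useful starting point when deciding what to report upstream as a false positive.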