But I'm already running 21972 and the exploit FP is still present!

--- cut here ---
sigtool -i /var/lib/clamav/daily.cld
File: /var/lib/clamav/daily.cld
Build time: 26 Jul 2016 02:57 -0400
Version: 21972
Signatures: 454200
Functionality level: 63
Builder: neo
Verification OK.
--- cut here ---

Vahid

-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
Sent: Tuesday, 26 July 2016 10:22
To: ClamAV users ML
Subject: Re: [clamav-users] CVE_2013_3860-1

There seems to be some problem with the system that drops signatures over the last three days. daily - 21954 thru 21971 appeared to be identical attempts to ignore 33 signatures and 21972 was the first to also include any new signatures.

The ClamAV Virus Database Search site confirms what you found:
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Xml.Exploit.CVE_2013_3860-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>

-Al-

> I checked a few minutes ago but it is still present also with the new
> definitions updated!
>
> --- cut here ---
> # freshclam
> ClamAV update process started at Tue Jul 26 09:42:49 2016
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99 Recommended version: 0.99.2
> DON'T PANIC! Read http://www.clamav.net/support/faq
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> Downloading daily-21972.cdiff [100%]
> daily.cld updated (version: 21972, sigs: 454200, f-level: 63, builder: neo)
> bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
> Database updated (4673043 signatures) from db.it.clamav.net (IP: 90.147.160.69)
> ....
>
> # clamscan /usr/share/doc/libxml2-python-2.7.6/reader2.py
> /usr/share/doc/libxml2-python-2.7.6/reader2.py: Xml.Exploit.CVE_2013_3860-1 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 4667645
> Engine version: 0.99
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.01 MB
> Data read: 0.00 MB (ratio 2.00:1)
> Time: 14.303 sec (0 m 14 s)
> [root@prdfeec01 clamav]#
> --- cut here ---
>
> Vahid
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Alain Zidouemba
> Sent: Monday, 25 July 2016 17:13
> To: ClamAV users ML
> Subject: Re: [clamav-users] CVE_2013_3860-1
>
> Xml.Exploit.CVE_2013_3860-1 has been dropped.
>
> Thanks,
>
> - Alain
>
> On Sun, Jul 24, 2016 at 11:51 AM, Al Varnell <alvarn...@mac.com> wrote:
>
>> There was a previous Xml.Exploit.CVE_2013_3860-1 signature added by daily:
>> 20352 on Apr 20, 2015 which was found to be producing FP's and was
>> removed by daily: 20358.
>>
>> The current Xml.Exploit.CVE_2013_3860-1 was re-introduced by daily -
>> 21939 on Jul 20, 2016 and I know of one ClamXav user reporting what
>> he believes to be an FP, but waiting on details. Not sure whether
>> the two signatures are the same or not.
>>
>> -Al-
>>
>> On Jul 24, 2016, at 7:14 AM, c chupela <cnctem...@yahoo.com> wrote:
>>
>>> My Clamav installation, engine version .99, signature daily.cld updated
>>> (version: 21959, sigs: 454048, f-level: 63, builder: neo)
>>> bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
>>>
>>> flagging /usr/share/doc/libxml2-python-2.7.6/reader2.py:
>>> Xml.Exploit.CVE_2013_3860-1
>>>
>>> I see some discussion online that alludes to this being a false
>>> positive, is this the case?
>>> Thanks
>
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml