Thanks for dropping those 3, Joel, however there are still at least 24 signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark

> On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarn...@mac.com> wrote:
>
> I see that Daily - 22584 drops three of them:
>
> * Txt.Malware.Agent-1811885
> * Txt.Malware.Agent-1835895
> * Txt.Malware.Agent-1835897
>
> -Al-
>
> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>>
>> I am seeing these mostly on files that comprise the OpenLayers library in
>> phpMyAdmin 4.
>>
>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jes...@cisco.com>
>> wrote:
>>
>>> Mark,
>>>
>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>> in the Txt.Malware.Agent family.
>>>
>>> I’ve disabled this engine for now.
>>>
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>>
>>> On Nov 22, 2016, at 12:02 PM, Mark Allan <markjal...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>> containing a number of files which ClamAV incorrectly detects as various
>>> strains of Txt.Malware.Agent
>>>
>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>> has increased a lot lately, and they mostly appear to be being caused by
>>> hash-based signatures. I'm wondering if this is related to Joel's recent
>>> admission that the signature generation process is almost entirely
>>> automated now.
>>>
>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>> files as if they were infected? To what end, I'm not sure, but I can't
>>> shake the feeling that something's not right...
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>
> -Al-
> --
> Al Varnell
> Mountain View, CA