Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the problem. It too was dropped in daily - 22584.
Also, Joel mentioned something about disabling an engine, but I don't really know how that is accomplished and whether it's reported to us as part of a daily.cdiff.

-Al-

On Wed, Nov 23, 2016 at 03:04 AM, Mark Allan wrote:
>
> Thanks for dropping those 3, Joel, however there are still at least 24
> signatures causing problems:
>
> Html.Malware.Agent-1835906
> Txt.Malware.Agent-1835883
> Txt.Malware.Agent-1835884
> Txt.Malware.Agent-1835885
> Txt.Malware.Agent-1835886
> Txt.Malware.Agent-1835887
> Txt.Malware.Agent-1835888
> Txt.Malware.Agent-1835889
> Txt.Malware.Agent-1835890
> Txt.Malware.Agent-1835891
> Txt.Malware.Agent-1835892
> Txt.Malware.Agent-1835893
> Txt.Malware.Agent-1835894
> Txt.Malware.Agent-1835896
> Txt.Malware.Agent-1835898
> Txt.Malware.Agent-1835899
> Txt.Malware.Agent-1835900
> Txt.Malware.Agent-1835901
> Txt.Malware.Agent-1835902
> Txt.Malware.Agent-1835903
> Txt.Malware.Agent-1835904
> Txt.Malware.Agent-1835905
> Txt.Malware.Agent-1838194
> Txt.Malware.Agent-1838195
>
> Given the vast majority of those are consecutive numbers, it looks like
> someone has uploaded the entire OpenLayers library and tried to report it as
> infected.
>
> Best regards
> Mark
>
>
>> On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarn...@mac.com> wrote:
>>
>> I see that Daily - 22584 drops three of them:
>>
>> * Txt.Malware.Agent-1811885
>>
>> * Txt.Malware.Agent-1835895
>>
>> * Txt.Malware.Agent-1835897
>>
>> -Al-
>>
>> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>>>
>>> I am seeing these mostly on files that comprise the OpenLayers library in
>>> phpMyAdmin 4.
>>>
>>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jes...@cisco.com>
>>> wrote:
>>>
>>>> Mark,
>>>>
>>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>>> in the Txt.Malware.Agent family.
>>>>
>>>> I’ve disabled this engine for now.
>>>>
>>>> --
>>>> Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>
>>>>
>>>> On Nov 22, 2016, at 12:02 PM, Mark Allan <markjal...@gmail.com<mailto:markjal...@gmail.com>> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>>> containing a number of files which ClamAV incorrectly detects as various
>>>> strains of Txt.Malware.Agent
>>>>
>>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>>> has increased a lot lately, and they mostly appear to be being caused by
>>>> hash-based signatures. I'm wondering if this is related to Joel's recent
>>>> admission that the signature generation process is almost entirely
>>>> automated now.
>>>>
>>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>>> files as if they were infected? To what end, I'm not sure, but I can't
>>>> shake the feeling that something's not right...
>>>>
>>>> Mark
>>>>
>>>> _______________________________________________
>>>> clamav-users mailing list
>>>> clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>
>>>>
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/vrtadmin/clamav-faq
>>>>
>>>> http://www.clamav.net/contact.html#ml
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA

-Al-
--
Al Varnell
Mountain View, CA