When I say “disable an engine” I mean, disabling the conviction engine on my side that convicts those files. It’s been turned off for several days now.
-- Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 23, 2016, at 6:23 AM, Al Varnell <alvarn...@mac.com> wrote:

Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the problem. It too was dropped in daily - 22584. Also, Joel mentioned something about disabling an engine, but I don't really know how that is accomplished and whether it's reported to us as part of a daily.cdiff.

-Al-

On Wed, Nov 23, 2016 at 03:04 AM, Mark Allan wrote:

Thanks for dropping those 3, Joel, however there are still at least 24 signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark

On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarn...@mac.com> wrote:

I see that Daily - 22584 drops three of them:
* Txt.Malware.Agent-1811885
* Txt.Malware.Agent-1835895
* Txt.Malware.Agent-1835897

-Al-

On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:

I am seeing these mostly on files that comprise the OpenLayers library in phpMyAdmin 4.

On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:

Mark, thanks for the feedback, you are right, I am experiencing some high counts in the Txt.Malware.Agent family. I've disabled this engine for now.

-- Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 22, 2016, at 12:02 PM, Mark Allan <markjal...@gmail.com> wrote:

Hi all,

I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7] containing a number of files which ClamAV incorrectly detects as various strains of Txt.Malware.Agent.

My experience may be slightly skewed, but it seems that the rate of FPs has increased a lot lately, and they mostly appear to be caused by hash-based signatures. I'm wondering if this is related to Joel's recent admission that the signature generation process is almost entirely automated now.

Is it possible that someone is targeting ClamAV and reporting known-clean files as if they were infected? To what end, I'm not sure, but I can't shake the feeling that something's not right...
Mark

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA
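Mark's observation that the offending names are mostly consecutive is a handy triage heuristic for spotting a bulk submission of one library, and the thread's interim fix is to wait for a daily that drops the signatures. As an added example (not code from the thread or from the ClamAV project), the script below parses the names Mark lists, finds runs of consecutive ids within a family, and emits the names as lines for a local.ign2 file, which ClamAV reads from its database directory to suppress the named signatures until an update removes them. The one-signature-name-per-line .ign2 format is assumed here, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the 24 detection names Mark lists in the thread above.
REPORTED = """
Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195
""".split()

# The three names Al reports as already dropped in daily 22584.
DROPPED = [
    "Txt.Malware.Agent-1811885",
    "Txt.Malware.Agent-1835895",
    "Txt.Malware.Agent-1835897",
]

# Auto-generated ClamAV names take the shape <Family>-<numeric id>.
SIG_RE = re.compile(r"^(?P<family>[A-Za-z0-9_.]+)-(?P<id>\d+)$")


def parse_signature(name):
    """Split 'Txt.Malware.Agent-1835883' into ('Txt.Malware.Agent', 1835883)."""
    m = SIG_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a <family>-<id> signature name: {name!r}")
    return m.group("family"), int(m.group("id"))


def consecutive_runs(names, min_len=3):
    """Return (family, first_id, last_id) for each run of at least min_len
    consecutive ids inside one family, families and runs in ascending order."""
    by_family = defaultdict(set)
    for n in names:
        fam, sid = parse_signature(n)
        by_family[fam].add(sid)
    runs = []
    for fam in sorted(by_family):
        ids = sorted(by_family[fam])
        start = prev = ids[0]
        for sid in ids[1:]:
            if sid == prev + 1:          # run continues
                prev = sid
                continue
            if prev - start + 1 >= min_len:
                runs.append((fam, start, prev))
            start = prev = sid           # a gap starts a new candidate run
        if prev - start + 1 >= min_len:  # flush the last candidate
            runs.append((fam, start, prev))
    return runs


def summarize(names, min_len=3):
    """How many of the unique names sit inside consecutive runs."""
    runs = consecutive_runs(names, min_len)
    in_runs = sum(last - first + 1 for _, first, last in runs)
    return {"total": len(set(names)), "in_runs": in_runs, "runs": runs}


def ign2_lines(names):
    """Lines for a local.ign2 file (assumed format: one signature name per line),
    validated and de-duplicated so a typo cannot silently ignore nothing."""
    validated = set()
    for n in names:
        fam, sid = parse_signature(n)
        validated.add(f"{fam}-{sid}")
    return sorted(validated)


if __name__ == "__main__":
    s = summarize(REPORTED)
    print(f"{s['in_runs']} of {s['total']} reported names sit in consecutive runs:")
    for fam, a, b in s["runs"]:
        print(f"  {fam}-{a} .. {fam}-{b}  ({b - a + 1} signatures)")
    print("\nlocal.ign2 contents to use until a daily drops them:")
    print("\n".join(ign2_lines(REPORTED)))
```

Adding the three names Al reports as already dropped closes the gaps at 1835895 and 1835897, so the two runs merge into one block of 23 consecutive ids, which is the pattern Mark describes. The .ign2 file is a local stop-gap for the affected hosts; the lasting fix remains the FP submission and the daily that removes the signatures.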