I have a long-running, recurring issue that I'd appreciate any help with. We have an automated ingest routine that runs any old binary through ClamAV.
The sources of the files are all over the place, and I've observed that files that come in via a web harvesting tool result in a particular malware warning. The file type we are ingesting here is WARC (Web ARChive), basically a serialising file container that packs files discovered by the Heritrix-based web crawler together with the associated HTTP messages. For some files ClamAV fires a [Win.Trojan.URLspoof-2 FOUND] warning. This occurs on many varied websites; I see it probably 30 times a year. I can extract the file from the system, run it against my local instances of ClamWin and pyClamd (same engine, I think?) and get no hits. This has been happening for a couple of years, and I've never yet tracked down the source of the hit in our system.

I have a couple of questions.

(1) What's the signature trigger for Win.Trojan.URLspoof-2? I'd like to manually hunt down the source via the signature.

(2) What's happening such that two systems running in different environments fail to make the same call on the same file? As far as I can tell the definition dictionaries are in sync, and as this has been happening for a couple of years, that's quite a large window to work in if there is any slight sync drift between instances.

My limited reading of this flag is that I expect the Win.Trojan.URLspoof-2 source to be a URL on a web page, perhaps in a spammed comments section.

Thanks,
J

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
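One practical way to localise a hit like the one described above is to split the WARC into its individual records, write out each captured HTTP payload as its own file, and then scan that directory (for example `clamscan -r out/`) so the report names the exact record, and to hash each payload so both hosts can confirm they are scanning identical bytes. The script below is an added example, not code from the original post, from ClamAV or from Heritrix; the WARC sample it parses (`SAMPLE_WARC`, a warcinfo, request and response record for a made-up `example.org` page) is constructed inline for illustration and is not claimed to trigger any signature. It handles plain `.warc` and gzip-compressed `.warc.gz` input, including the per-record gzip members Heritrix writes, which `gzip.decompress` concatenates.

```python
"""Split a WARC file into records so each captured HTTP payload can be scanned
and hashed on its own.  Added example; assumes WARC/1.0 framing (header block,
CRLF CRLF, Content-Length bytes of block, CRLF CRLF) and nothing else."""
import gzip
import hashlib
import os

CRLF = b"\r\n"


def _build_record(rtype, ctype, block, uri=None):
    """Assemble one WARC record.  Only used to construct the sample input below."""
    lines = [b"WARC/1.0",
             b"WARC-Type: " + rtype.encode(),
             b"WARC-Date: 2017-01-01T00:00:00Z",
             b"Content-Type: " + ctype.encode(),
             b"Content-Length: " + str(len(block)).encode()]
    if uri:
        lines.insert(2, b"WARC-Target-URI: " + uri.encode())
    return CRLF.join(lines) + CRLF + CRLF + block + CRLF + CRLF


# Constructed sample (hypothetical crawl of example.org); not a real capture.
HTML = b'<html><body><a href="http://example.com/login">example.org</a></body></html>'
HTTP_RESPONSE = (b"HTTP/1.1 200 OK" + CRLF
                 + b"Content-Type: text/html" + CRLF
                 + b"Content-Length: " + str(len(HTML)).encode() + CRLF
                 + CRLF + HTML)
SAMPLE_WARC = (
    _build_record("warcinfo", "application/warc-fields", b"software: example crawler" + CRLF)
    + _build_record("request", "application/http; msgtype=request",
                    b"GET / HTTP/1.1" + CRLF + b"Host: example.org" + CRLF + CRLF,
                    uri="http://example.org/")
    + _build_record("response", "application/http; msgtype=response", HTTP_RESPONSE,
                    uri="http://example.org/")
)


def parse_warc(data):
    """Return a list of (headers, block) tuples, one per WARC record.
    Header names are lower-cased; block is the raw Content-Length bytes."""
    if data[:2] == b"\x1f\x8b":                # gzip magic: .warc.gz
        data = gzip.decompress(data)            # handles one member per record too
    records, pos = [], 0
    while True:
        while data[pos:pos + 2] == CRLF:        # skip the CRLF CRLF between records
            pos += 2
        if pos >= len(data):
            break
        if not data.startswith(b"WARC/", pos):
            raise ValueError("expected WARC record at offset %d" % pos)
        hdr_end = data.index(CRLF + CRLF, pos)
        headers = {}
        for line in data[pos:hdr_end].split(CRLF)[1:]:   # [0] is the version line
            name, _, value = line.partition(b":")
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("utf-8", "replace")
        length = int(headers["content-length"])
        start = hdr_end + 4
        block = data[start:start + length]
        if len(block) != length:
            raise ValueError("truncated record at offset %d" % pos)
        records.append((headers, block))
        pos = start + length
    return records


def split_http(block):
    """Separate an HTTP message into (head, body); the body is what the browser saw."""
    sep = block.find(CRLF + CRLF)
    return (block, b"") if sep < 0 else (block[:sep], block[sep + 4:])


def extract_payloads(data):
    """One dict per record: index, WARC-Type, target URI, sha256 and payload bytes."""
    out = []
    for i, (headers, block) in enumerate(parse_warc(data)):
        payload = block
        if headers.get("content-type", "").startswith("application/http"):
            _, payload = split_http(block)      # strip HTTP status line and headers
        out.append({"index": i,
                    "type": headers.get("warc-type", ""),
                    "uri": headers.get("warc-target-uri", ""),
                    "sha256": hashlib.sha256(payload).hexdigest(),
                    "payload": payload})
    return out


def write_payloads(data, outdir):
    """Write each payload as <index>-<type>-<sha256 prefix> so a `clamscan -r outdir`
    report names the offending record; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for rec in extract_payloads(data):
        path = os.path.join(outdir, "%03d-%s-%s" % (rec["index"], rec["type"], rec["sha256"][:12]))
        with open(path, "wb") as fh:
            fh.write(rec["payload"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WARC
    for rec in extract_payloads(src):
        print(rec["index"], rec["type"], rec["uri"], rec["sha256"], len(rec["payload"]))
```

Run it as `python warcsplit.py capture.warc.gz` to list the records with their hashes, or call `write_payloads(data, "out")` and point `clamscan -r out/` at the result; comparing the printed sha256 values on the ingest host and on the ClamWin/pyClamd host rules out the possibility that the two are not scanning the same bytes. For the first question, ClamAV's own `sigtool` can show what a named signature looks for: `sigtool --find-sigs=Win.Trojan.URLspoof-2 | sigtool --decode-sigs` lists the matching entries from the local databases and decodes them.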