Thanks Mark. We're taking a look at this now. - Alain
On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan <markjal...@gmail.com> wrote:

> Hi,
>
> I've received a few reports of FPs with the signature
> Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all
> places, it's being detected in the scan log which could contain sensitive
> information.
>
> Apart from the fact that it's very generic, looking only for a single
> short string, I see it's also looking for the "ANY FILE" type (0). I've
> seen this a number of times with FPs lately, why are java sigs written to
> detect filetype 0 rather than type 12 which is specifically for Java
> Classes?
>
> VIRUS NAME: Java.Exploit.CVE_2012_1723-8
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> msf_/_x_/_PayloadX.class
>
> Cheers
> Mark
>
> PS. I padded the decoded signature with underscores to avoid this email
> being detected as infected.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
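
An added illustration of the point raised in the message above, not code from the thread or from ClamAV: a simplified Python model of an extended (.ndb) signature line, showing why target type 0 with offset `*` fires on a scan log while target type 12 does not. The signature names, the sample bytes and the magic-only file typing are assumptions; the pattern is the underscore-padded string from the email, not the real signature body.

```python
# Simplified model of ClamAV extended (.ndb) body signatures:
#   MalwareName:TargetType:Offset:HexSignature
# Only target types 0 and 12, offset "*" and plain hex bodies are modelled.
from typing import NamedTuple

TARGET_ANY, TARGET_JAVA_CLASS = 0, 12
JAVA_CLASS_MAGIC = bytes.fromhex("cafebabe")  # assumption: typing by magic only


class NdbSig(NamedTuple):
    name: str
    target: int
    offset: str
    pattern: bytes


def parse_ndb(line: str) -> NdbSig:
    """Parse the first four colon-separated fields of a signature line."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return NdbSig(name, int(target), offset, bytes.fromhex(hexsig))


def target_applies(sig: NdbSig, data: bytes) -> bool:
    """Gate the signature on the file type before any pattern matching."""
    if sig.target == TARGET_ANY:
        return True  # type 0: every scanned object, logs included
    if sig.target == TARGET_JAVA_CLASS:
        return data.startswith(JAVA_CLASS_MAGIC)
    raise ValueError(f"target type {sig.target} not modelled")


def matches(sig: NdbSig, data: bytes) -> bool:
    if sig.offset != "*":
        raise ValueError("only offset '*' (anywhere in the file) is modelled")
    return target_applies(sig, data) and sig.pattern in data


def scan(sigs, data: bytes):
    return [s.name for s in sigs if matches(s, data)]


# Constructed inputs; the signature names are hypothetical.
PADDED = b"msf_/_x_/_PayloadX.class"
SIGS = [parse_ndb(f"Example.Sig-Any:0:*:{PADDED.hex()}"),
        parse_ndb(f"Example.Sig-JavaOnly:12:*:{PADDED.hex()}")]
SCAN_LOG = b"/tmp/a.jar: entry " + PADDED + b" FOUND\n"  # plain-text log line
CLASS_FILE = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + PADDED  # stand-in, not a valid class

if __name__ == "__main__":
    print("scan log  :", scan(SIGS, SCAN_LOG))
    print("class file:", scan(SIGS, CLASS_FILE))
```

Both variants still detect the constructed class-file stand-in; only the type 0 variant also flags the text log that merely mentions the string.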