Brian, it's a straight text search for 6 strings. Can't send the decode because it will be caught in my outbound.
# sigtool find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool decode-sigs

Doesn't seem extremely likely for a lot of false positives to me, but YMMV.

________________________________________________________________
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users@lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

Has anyone else seen a false positive from ClamAV, as a result of the August 24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was added?

Specifically, we are seeing ClamAV think that the CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an executable virus attacking Windows. The file causing the false positive is the /var/log/sid_changes.log file, which is the text log file written by PulledPork when it updates Snort IDS signatures. I would imagine anyone running Snort, PulledPork and ClamAV on the same Linux machine would see this false positive.

I submitted a false positive to ClamAV yesterday, but it may be that whatever pattern that virus signature is looking for is too simplistic.

Brian
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
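Added example, not part of either message in the thread and not ClamAV code: it models what the reply describes, a logical signature that is nothing more than six plain substrings AND-ed together, and shows why such a signature fires on any text file that happens to mention the right words, plus the two local whitelist line formats (.ign2 by signature name, .fp by file hash) an admin would use while waiting for the false-positive report to be processed. The real decode of Txt.Coinminer.Generic-7132166-0 is deliberately withheld above, so the signature name Txt.Example.Miner-0, its six substrings and the sample log below are all invented here; only the .ldb, .ign2 and .fp line layouts are ClamAV's own.

```python
"""Toy evaluation of a ClamAV-style multi-substring logical signature (added example).

The signature body below is INVENTED. It is not Txt.Coinminer.Generic-7132166-0,
whose decode the thread does not publish; it only has the same shape.
"""
import hashlib

# Six constructed substrings, chosen only so that the constructed log below contains them all.
_CONSTRUCTED_STRINGS = ["stratum+tcp://", "xmrig", "donate-level",
                        "cpu-priority", "pool_pass", "rig-id"]

# Hypothetical .ldb line:  Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
# Target:7 is ClamAV's normalized-ASCII-text target, the class behind the "Txt." name prefix.
# Subsigs are hex-encoded byte strings; "0&1&2&3&4&5" means every one of them must be present.
HYPOTHETICAL_LDB = "Txt.Example.Miner-0;Target:7;0&1&2&3&4&5;" + ";".join(
    s.encode().hex() for s in _CONSTRUCTED_STRINGS)

# Constructed text log (NOT a real PulledPork sid_changes.log) that merely *mentions*
# miner-related rule names and therefore contains all six substrings.
CONSTRUCTED_LOG = b"""\
# constructed sample, not a real sid_changes.log
New rule: ET POLICY Possible CoinMiner stratum+tcp:// pool login
New rule: ET MALWARE xmrig donate-level argument observed
Changed rule: cpu-priority and pool_pass and rig-id options in miner config
"""


def parse_ldb(line):
    """Split an .ldb line into (name, target_block, expression, [pattern bytes]).
    Only plain hex subsigs are handled; wildcards such as '??' or '*' are out of scope."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("malformed .ldb line: need name, target, expression, >=1 subsig")
    name, target, expr = fields[:3]
    patterns = [bytes.fromhex(h) for h in fields[3:]]
    return name, target, expr, patterns


def expr_matches(expr, hits):
    """Evaluate the subset of ClamAV logical expressions built from subsig indexes,
    '&' and '|' only (no parentheses, no '=', '>' or '<' count modifiers).
    '&' binds tighter than '|', as in the real grammar."""
    return any(all(hits[int(tok)] for tok in term.split("&"))
               for term in expr.split("|"))


def scan(sig_line, data, ignored_names=frozenset()):
    """Return the signature name if it matches `data`, else None.
    `ignored_names` plays the role of a local .ign2 file: the signature is skipped by name."""
    name, _target, expr, patterns = parse_ldb(sig_line)
    if name in ignored_names:
        return None
    hits = [p in data for p in patterns]   # a straight substring search per subsig
    return name if expr_matches(expr, hits) else None


def fp_entry(data, label):
    """Line for a local .fp file (MD5:size:label). It whitelists this exact file content,
    whichever signature hits it; `label` is free text."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{label}"


def ign2_entry(name):
    """Line for a local .ign2 file: the bare signature name, skipped for every file."""
    return name


if __name__ == "__main__":
    # The invented signature fires on the constructed text log ...
    print(scan(HYPOTHETICAL_LDB, CONSTRUCTED_LOG))
    # ... but not once a single one of the six substrings is absent.
    print(scan(HYPOTHETICAL_LDB, CONSTRUCTED_LOG.replace(b"xmrig", b"x-m-rig")))
    # Local suppression options while a false-positive report is pending:
    print(ign2_entry("Txt.Example.Miner-0"))
    print(fp_entry(CONSTRUCTED_LOG, "sid_changes.log-known-clean"))
```

The point the toy makes is the one in the reply: with a `Target:7` text signature whose expression is pure `&` over literal strings, the file type of the "victim" is irrelevant, and any log that quotes the same vocabulary (IDS rule names included) will trip it. Between the two suppression formats, `.ign2` silences the signature everywhere, while `.fp` pins one exact file content and has to be regenerated every time that log changes; neither should be left in place once the upstream fix lands.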