Hi Alain,

Thank you very much for your quick response. May I ask what's the offending signature, where it is located, and how it was removed?

Thanks.
Christina Qian

On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidoue...@sourcefire.com> wrote:

> The alert was a false positive, and the offending signature has been
> removed.
>
> Thanks,
>
> -Alain
>
> On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> That's a hash signature. My guess is that there's a 315 byte file inside
>> the jar that was marked. The 2.4 version of fop has a 315 byte class file
>> (PDFColorSpace.class) in it with a different MD5 hash. You might want to
>> unpack the fop.jar and see if any of the files there match. Chances are
>> some piece of malware included something similar that got included in the
>> signature creation process.
>>
>> [daily.hsb]
>> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>>
>> On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykel...@decisionlens.com>
>> wrote:
>>
>>> Hi group –
>>>
>>> We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting
>>> for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t
>>> been updated since March 2019 and I’m tempted to say this is a false
>>> positive (our Nessus server is also completely unreachable from the
>>> internet), but haven’t seen any traffic on this listserv and Google hasn’t
>>> helped much. Anybody have any similar hits?
>>>
>>> --
>>>
>>> *Andy Keller*
>>> Director, Information Security and Compliance | CISSP,
>>> CCSK, Security+ | Decision Lens
>>> <http://www.decisionlens.com/>
>>> andykel...@decisionlens.com
>>>
>>> o: (703) 215-8282
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
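Added example, not part of the thread and not ClamAV project code: the check suggested in the quoted reply (unpack the jar and see whether any member matches the hash signature), written as a Python script. The sample jar, its member names and its payload are constructed, and choosing the hash algorithm from the digest length is an assumption of this sketch.

```python
import hashlib
import io
import zipfile
from typing import NamedTuple, Optional

# Entry quoted in the thread (from daily.hsb).
PAGE_SIG = "94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73"
# Assumption of this sketch: pick the algorithm from the digest length.
ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

class HashSig(NamedTuple):
    digest: str
    size: Optional[int]    # None when the size field is "*" (any size)
    name: str
    flevel: Optional[int]  # None when the entry has no fourth field

def parse_hsb(line: str) -> HashSig:
    """Parse 'hash:size:name[:flevel]' as shown in the quoted entry."""
    parts = line.strip().split(":")
    if len(parts) < 3 or len(parts[0]) not in ALGOS:
        raise ValueError(f"not a hash signature: {line!r}")
    size = None if parts[1] == "*" else int(parts[1])
    flevel = int(parts[3]) if len(parts) > 3 else None
    return HashSig(parts[0].lower(), size, parts[2], flevel)

def matching_members(jar_bytes: bytes, sig: HashSig) -> list:
    """Names of first-level archive members whose size and digest match sig."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or (sig.size is not None and info.file_size != sig.size):
                continue  # cheap size filter before hashing
            data = jar.read(info)
            if hashlib.new(ALGOS[len(sig.digest)], data).hexdigest() == sig.digest:
                hits.append(info.filename)
    return hits

def build_sample_jar():
    """Constructed stand-in for a jar: a manifest plus one 315-byte member."""
    payload = b"\xca\xfe\xba\xbe" + b"A" * 311  # constructed, not a real class file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/example/Constructed.class", payload)
    return buf.getvalue(), payload

if __name__ == "__main__":
    jar, payload = build_sample_jar()
    print(matching_members(jar, parse_hsb(PAGE_SIG)))  # thread's entry vs. sample jar
    made = f"{hashlib.md5(payload).hexdigest()}:315:Constructed.Sample:73"
    print(matching_members(jar, parse_hsb(made)))      # constructed entry vs. sample jar
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) as `jar_bytes`. Archives nested inside members are not unpacked.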