The offending signature was previously posted, along with its location in the 
daily.hdb section of the daily.cld/.cvd signature database:

[daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73

You should see that it is dropped in the next daily update around eight hours 
from now.

-Al-

> On Nov 12, 2019, at 14:05, Christina Qian <christina.q...@ayasdi.com> wrote:
> 
> Hi Alain,
> 
> Thank you very much for your quick response. May I ask what's the offending 
> signature, where it is located, and how was it removed? Thanks. 
> 
> Christina Qian
> 
> 
> On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> The alert was a false positive, and the offending signature has been removed.
> 
> Thanks,
> 
> -Alain 
> 
> On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> That's a hash signature. My guess is that there's a 315 byte file inside the 
> jar that was marked. The 2.4 version of fop has a 315 byte class file 
> (PDFColorSpace.class) in it with a different MD5 hash. You might want to 
> unpack the fop.jar and see if any of the files there match. Chances are some 
> piece of malware included something similar that got included in the 
> signature creation process.
> 
> [daily.hsb] 
> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
> 
> 
> On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykel...@decisionlens.com> wrote:
> Hi group – 
> 
> We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting for 
> Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t been 
> updated since March 2019 and I’m tempted to say this is a false positive (our 
> Nessus server is also completely unreachable from the internet), but haven’t 
> seen any traffic on this listserv and Google hasn’t helped much. Anybody have 
> any similar hits?
> 
>  
> 
> -- 
> 
> Andy Keller
> Director, Information Security and Compliance | CISSP, CCSK, Security+ | 
> Decision Lens
> andykel...@decisionlens.com
> o: (703) 215-8282
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

Attachment: smime.p7s
Description: S/MIME cryptographic signature

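
Added example, not part of the original thread and not ClamAV code: a Python check for the step suggested above (unpack the jar and see whether any member matches the hash signature). It parses a `hash:size:name[:flevel]` line and reports archive members whose size and digest both match; the `HashSig`, `parse_hash_sig`, `find_matches` and `demo` names and the sample jar are constructed for this illustration.

```python
import hashlib
import io
import zipfile
from typing import NamedTuple, Optional

# Hex digest length -> hashlib algorithm. Inferring the hash type from the
# field length is an assumption of this example.
ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

class HashSig(NamedTuple):
    digest: str
    size: Optional[int]  # None when the size field is "*" (any size)
    name: str
    algo: str

def parse_hash_sig(line: str) -> HashSig:
    """Parse 'hash:size:name[:flevel]', tolerating a '[daily.hsb] ' prefix."""
    line = line.strip()
    if line.startswith("["):
        line = line.split("]", 1)[1].strip()
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError("expected hash:size:name")
    digest = fields[0].lower()
    if len(digest) not in ALGOS or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("unrecognised hash field")
    size = None if fields[1] == "*" else int(fields[1])
    return HashSig(digest, size, fields[2], ALGOS[len(digest)])

def find_matches(archive, sig: HashSig) -> list:
    """Return names of archive members whose size and hash both match sig."""
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir() or (sig.size is not None and info.file_size != sig.size):
                continue  # cheap size filter before hashing
            if hashlib.new(sig.algo, zf.read(info)).hexdigest() == sig.digest:
                hits.append(info.filename)
    return hits

def demo() -> list:
    """Constructed jar: one 315-byte member hashed into a constructed signature."""
    payload = b"A" * 315
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Hit.class", payload)
        zf.writestr("org/example/SameSize.class", b"B" * 315)
    sig = parse_hash_sig(f"{hashlib.md5(payload).hexdigest()}:315:Constructed.Test.Sig-0:73")
    return find_matches(buf, sig)
```

Against a real file, pass the jar path and the signature line from the scan report to `find_matches(path, parse_hash_sig(line))`. Archives nested inside the jar are not descended into.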