Hi Al,

Thank you very much for your reply. I just realized that I was on the wrong thread though. I meant to ask the reason for the alarms below, or at least to confirm it's a false alarm, so I can just exclude the files. Do you or anybody on the list have information on this? Thanks.

Christina

---------- Forwarded message ----------
From: Christina Qian <christina.q...@ayasdi.com>
To: clamav-users@lists.clamav.net
Cc:
Bcc:
Date: Tue, 12 Nov 2019 10:57:27 -0800
Subject: ClamAV false positive

Hi,

We have installed ClamAV on our EC2 hosts. This weekend it started to send the alerts below. Since, as far as I know, these tls1.h files were already on the system for one or two years and no malware alert was ever sent for them, I wonder whether there is any change on the ClamAV side which causes it. For example, was the YARA.php_malware_hexinject.UNOFFICIAL rule newly added to the rfxn.yara file, etc.? Since I did not keep the old yara file, I couldn't tell. Also, how are the yara file or other files updated, and what's common practice for checking whether an alert is solid or false, and how to handle false alerts? Thanks.

/folder_name/jupyter/miniconda2/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/folder_name/jupyter/miniconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
/folder_name/anaconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND

Christina Qian

On Tue, Nov 12, 2019 at 5:14 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
> The offending signature was previously posted, along with its location in
> the daily.hdb section of the daily.cld/.cvd signature database:
>
> [daily.hsb]
> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>
> You should see that it is dropped in the next daily update around eight
> hours from now.
>
> -Al-
>
> On Nov 12, 2019, at 14:05, Christina Qian <christina.q...@ayasdi.com> wrote:
>
> Hi Alain,
>
> Thank you very much for your quick response. May I ask what's the
> offending signature, where it is located, and how it was removed? Thanks.
>
> Christina Qian
>
> On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidoue...@sourcefire.com> wrote:
>> The alert was a false positive, and the offending signature has been
>> removed.
>>
>> Thanks,
>>
>> -Alain
>>
>> On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> That's a hash signature. My guess is that there's a 315-byte file inside
>>> the jar that was marked. The 2.4 version of fop has a 315-byte class file
>>> (PDFColorSpace.class) in it with a different MD5 hash. You might want to
>>> unpack the fop.jar and see if any of the files there match. Chances are
>>> some piece of malware included something similar that got included in the
>>> signature creation process.
>>>
>>> [daily.hsb]
>>> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>>>
>>> On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykel...@decisionlens.com> wrote:
>>>> Hi group –
>>>>
>>>> We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting
>>>> for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t
>>>> been updated since March 2019 and I’m tempted to say this is a false
>>>> positive (our Nessus server is also completely unreachable from the
>>>> internet), but haven’t seen any traffic on this listserv and Google hasn’t
>>>> helped much. Anybody have any similar hits?
>>>>
>>>> --
>>>> *Andy Keller*
>>>> Director, Information Security and Compliance | CISSP, CCSK, Security+ | Decision Lens <http://www.decisionlens.com/>
>>>> andykel...@decisionlens.com
>>>> o: (703) 215-8282

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
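Maarten's triage suggestion above (unpack the jar and see which member matches the hash signature) written out as a script, added here as an example; it is not code from the list posters or from the ClamAV project. The function names parse_hash_sig, check_archive and build_sample_jar are mine, and the jar and signature it checks are constructed samples, not fop.jar or the real daily signature.

```python
import hashlib
import io
import zipfile

# .hdb entries carry MD5, .hsb entries SHA1 or SHA256; pick the algorithm by hex length.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_sig(line):
    """Parse 'Hash:FileSize:MalwareName[:MinFlevel]'; a '*' size means any size."""
    fields = line.strip().split(":")
    if len(fields) < 3 or len(fields[0]) not in HASH_BY_LEN:
        raise ValueError(f"not a ClamAV hash signature: {line!r}")
    size = None if fields[1] == "*" else int(fields[1])
    return fields[0].lower(), size, fields[2]


def check_archive(archive_bytes, sig_lines):
    """Hash every member of a jar/zip and return those matching a signature.

    ClamAV unpacks archives and applies hash signatures to each embedded file,
    so the matching member is the real reason an archive-level alert fires.
    """
    sigs = [parse_hash_sig(line) for line in sig_lines]
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for digest, size, name in sigs:
                if size not in (None, len(data)):
                    continue  # size mismatch: cheap reject before hashing
                if hashlib.new(HASH_BY_LEN[len(digest)], data).hexdigest() == digest:
                    hits.append({"member": info.filename, "size": len(data),
                                 "hash": digest, "signature": name})
    return hits


def build_sample_jar():
    """Constructed sample jar (not fop.jar) with a 315-byte member, returned
    together with a signature line derived from that member."""
    flagged = b"\xca\xfe\xba\xbe" + b"A" * 311  # class-file magic + filler = 315 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Flagged.class", flagged)
        zf.writestr("org/example/Clean.class", b"\xca\xfe\xba\xbe" + b"B" * 100)
    sig = f"{hashlib.md5(flagged).hexdigest()}:315:Example.Test.Sig-0:73"
    return buf.getvalue(), sig
```

Run check_archive on the real jar's bytes with the signature line quoted in the thread; a member that comes back in the hit list is the file to compare against the package's published copy, and an empty list means the hit came from somewhere else in the scan.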