This was a false positive as discussed much earlier today on this very same list. It was corrected by a signature update over seven hours ago. Simply run freshclam and your curiosity will be history.
-Al-

> On Jun 25, 2022, at 5:40 AM, Christian <abelschre...@freenet.de> wrote:
>
> Hello altogether, :-)
>
> perhaps there's someone here who can help me with a curious phenomenon.
>
> Every now and then I scan the directory where all the firefox-related files reside.
> This is my command:
>
> clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2
>
> Until now I always received a message that no viruses or malicious files were found.
> Yesterday however (for the first time) I got this (haven't changed anything since the last scan):
>
> clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2
>
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/ad...@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywh...@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/umat...@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/ad...@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/https-everywh...@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/umat...@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8619741
> Engine version: 0.103.6
> Scanned directories: 3315
> Scanned files: 10867
> Infected files: 7
> Data scanned: 632.66 MB
> Data read: 489.69 MB (ratio 1.29:1)
> Time: 320.348 sec (5 m 20 s)
> Start Date: 2022:06:24 16:36:42
> End Date: 2022:06:24 16:42:02
>
> Taking a closer look at the results it seems that some extensions for firefox were suddenly regarded as a virus of some sort.
> They all feature the .xpi extension:
>
> .rw-r--r-- 609k rosika rosika 27 Mai 13:31 ad...@darkreader.org.xpi
> .rw------- 1,8M rosika rosika 14 Jul 2021 https-everywh...@eff.org.xpi
> .rw------- 1,5M rosika rosika 20 Jul 2021 umat...@raymondhill.net.xpi
> .rw-r--r-- 916k rosika rosika 30 Mai 14:44 {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
>
> Out of curiosity I submitted them to virustotal and got this:
>
> 1.) ad...@darkreader.org.xpi:
> 1 security vendor and no sandboxes flagged this file as malicious (but only 1 out of 58; perhaps a false positive there as well)
>
> 2.) https-everywh...@eff.org.xpi:
> No security vendors and no sandboxes flagged this file as malicious (0 / 58)
>
> 3.) umat...@raymondhill.net.xpi:
> No security vendors and no sandboxes flagged this file as malicious (0 / 58)
>
> 4.) {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
> No security vendors and no sandboxes flagged this file as malicious (0 / 57)
>
> Any ideas why clamscan suddenly marked these files as a virus? It seems they're not (according to virustotal).
>
> Thanks a lot in advance for your help.
>
> Many greetings from Rosika :-)
>
> P.S.:
> my system: Linux Lubuntu 20.04.4 LTS, 64 bit
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
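Added example, not part of the thread and not ClamAV code: a small parser for `clamscan -i` text output that groups hits by signature name, so a scan like the one quoted above (one signature flagging several extension files at once) stands out as something to recheck after running freshclam. The sample paths, the second signature name and the `min_files` threshold are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the shape of the `clamscan -i -r` output quoted above.
# Paths are made up; the first signature name is the one from the post.
SAMPLE = """\
/data/work2/.mozilla/firefox/p1.default/extensions/ext-a.xpi: Archive.Test.Agent2-9953724-0 FOUND
/data/work2/.mozilla/firefox/p1.default/extensions/ext-b.xpi: Archive.Test.Agent2-9953724-0 FOUND
/data/work2/.mozilla/firefox/p2.default-release/extensions/ext-a.xpi: Archive.Test.Agent2-9953724-0 FOUND
/data/work2/notes: draft.txt: Example.Constructed.Sig-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8619741
Infected files: 4
"""

# "<path>: <signature> FOUND"; the greedy path group tolerates ": " inside a path.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def group_hits(output):
    """Return {signature name: [flagged paths]} from clamscan text output."""
    hits = defaultdict(list)
    for line in output.splitlines():
        match = HIT.match(line.rstrip())
        if match:
            hits[match.group("sig")].append(match.group("path"))
    return dict(hits)


def recheck_candidates(output, min_files=3):
    """Signatures that flagged at least min_files files in one scan.

    min_files is an assumed threshold for this example, not a ClamAV setting.
    """
    rows = []
    for sig, paths in group_hits(output).items():
        if len(paths) >= min_files:
            exts = sorted({os.path.splitext(p)[1] for p in paths})
            rows.append((sig, len(paths), exts))
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for sig, count, exts in recheck_candidates(SAMPLE):
        print(f"{sig}: {count} files, extensions {exts}: run freshclam, then rescan")
```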