On Mon, 8 Apr 2024 11:26:15 -0400
Richard <r...@usol.com> wrote:

> After updating to the latest virus signature files using
> freshclam, I am suddenly getting infected file reports
> that I never got before. 

Almost certainly yes.  This seems to happen periodically, for those same
Python PIP exe files (which I really wish weren't even packaged
there...)

The signature it hit, Win.Virus.Expiro-10026576-0, was added yesterday
in signatures 27238:
https://lists.clamav.net/pipermail/clamav-virusdb/2024-April/008622.html

I expect (and hope) that signature will be removed again shortly.

Historic examples of false positives on those same damned files which
have troubled me, for reference:

signatures version 26922 on 2023-05-30, added a pattern for
Win.Virus.Memery-10002766-0 which hit that distlib/t32.exe file:
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg52715.html

... and was soon dropped in the next version.

Before that, signatures version 26438 on 2022-01-30 added a pattern for
Win.Malware.Generic-9937882-0 which again hit those files e.g.
distlib/w32.exe:
https://lists.clamav.net/pipermail/clamav-virusdb/2022-January/007823.html


> How can I tell whether this is a real virus
> or malware, or if it is just a false positive?

You could drop the MD5 hash of the files into e.g. VirusTotal to see if
any other virus checkers report a hit for them.

A cute one-liner I use for this is:

  # md5 of each vendored .exe -> one VirusTotal search URL per file
  md5sum /usr/lib/python*/site-packages/pip/_vendor/distlib/*.exe \
     | cut -d ' ' -f1 \
     | xargs -I% echo "https://www.virustotal.com/gui/search/%"



> If I submit
> one of the files using clamsubmit, will it be analyzed to
> determine whether it is a false positive? I'm not sure if
> files submitted using clamsubmit are analyzed, or whether
> it is just assumed that they are false positives.

I believe it essentially acts as a handy front end for submitting them
via the website e.g. https://www.clamav.net/reports/fp so the same
things that apply to submissions via the site apply to submissions via
clamsubmit - notably, from this documentation:
https://docs.clamav.net/#submitting-new-or-otherwise-undetected-malware

"Q: Who analyzes malware and false positive file uploads?
A: Given the volume of submissions, the vast majority of files are
handled by automation."


Cheers

Dave P
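
A slightly longer version of the same check, as an added example that is
not part of the original post or of the ClamAV project: it hashes every
file in a directory, prints the VirusTotal search URL for each, and also
emits the lines ClamAV's own local whitelist files expect, so that once
you have decided a hit is a false positive you can suppress it locally
instead of waiting for the next signature drop. The `.fp` format
(`MD5:Size:Name`) and `.ign2` format (one signature name per line) are
ClamAV's documented whitelist formats; the `FP.` label prefix, the
function names and the sample file are assumptions of this example, and
the demo hashes a constructed file rather than the real distlib `.exe`s.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV).
# Cross-check suspected false positives by hash, then produce the
# whitelist lines ClamAV reads from *.fp and *.ign2 files in its
# database directory (typically /var/lib/clamav). Only install those
# lines after you have confirmed the file is clean.

# Print one "md5 size path" line per regular file in the directory $1.
hash_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        md5=$(md5sum "$f" | cut -d ' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')   # tr: some wc builds pad with spaces
        printf '%s %s %s\n' "$md5" "$size" "$f"
    done
}

# VirusTotal search URL for a hash (MD5, SHA-1 or SHA-256 all work).
vt_url() {
    printf 'https://www.virustotal.com/gui/search/%s\n' "$1"
}

# One .fp whitelist line: MD5:Size:Name. The name is a free-form label;
# "FP.<basename>" is this example's convention, not a ClamAV requirement.
fp_line() {
    # $1 = md5, $2 = size in bytes, $3 = path
    printf '%s:%s:FP.%s\n' "$1" "$2" "$(basename "$3")"
}

# One .ign2 line: the bare signature name clamscan reported, e.g.
# Win.Virus.Expiro-10026576-0. Coarser than .fp (ignores the signature
# for every file), so prefer .fp when the hit is a handful of known files.
ign2_line() {
    printf '%s\n' "$1"
}

# Demo on a constructed sample file, not a real PE binary.
demo() {
    tmp=$(mktemp -d)
    printf 'MZ constructed sample, not a real executable\n' > "$tmp/t32.exe"
    hash_dir "$tmp" | while read -r md5 size path; do
        vt_url "$md5"
        fp_line "$md5" "$size" "$path"
    done
    ign2_line "Win.Virus.Expiro-10026576-0"
    rm -rf "$tmp"
}

demo
```

To use it on the files from the thread, call `hash_dir` on the real
`pip/_vendor/distlib` directory, paste the URLs into a browser, and only
if the other engines agree it is clean append the `.fp` lines to a file
such as `local.fp` in the ClamAV database directory (clamd needs a reload
to pick it up).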


_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users