Re: [clamav-users] FP: Doc.Downloader.Emotet-7196349-0

2020-02-05 Thread demonduck
The offending signature will be dropped in the next daily.cvd. Until then, I'd suggest adding it to your local ignore database (.ign2). See https://www.clamav.net/documents/whitelist-databases for more information. Thanks, demonduck On Wed, Feb 5, 2020 at 9:13 AM Maarten Broekman via clamav-user

[clamav-users] FP: Doc.Downloader.Emotet-7196349-0

2020-02-05 Thread Maarten Broekman via clamav-users
This signature is hitting false positives. It seems to be a relatively old signature, but the subsignatures seem to be rather generic so it's difficult to know why this is supposed to be malicious. VIRUS NAME: Doc.Downloader.Emotet-7196349-0 TDB: Engine:51-255,Target:2 LOGICAL EXPRESSION: 0&1&2&3&

Re: [clamav-users] FP in structured SSN

2019-09-30 Thread Micah Snyder (micasnyd) via clamav-users
Sorry, still drinking my morning coffee. The "easy" fix I suggested is probably terrible. I imagine it's totally fine to have 0-prefixed numbers (e.g. AA-GG-0123). We'll definitely have to get away from sscanf() for the fix. Micah On 9/30/19, 11:49 AM, "clamav-users on behalf of Micah Sn

Re: [clamav-users] FP in structured SSN

2019-09-30 Thread Micah Snyder (micasnyd) via clamav-users
Hi Wagde, It looks like you've found a bug. The SSN detection logic is hardcoded, here: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/libclamav/dlp.c#L295 As you can see, it looks for sequences in the form "%3d-%2d-%4d" or "%3d%2d%4d" using sscanf(), and then validates that each o

[clamav-users] FP in structured SSN

2019-09-28 Thread Wagde Zabit via clamav-users
I keep getting false positives on SSN in a log file full of IP addresses. For some reason clamav detects the 172-31-19-5 as an SSN although it's not (AAA-GG-) ./bin/clamdscan ~/ssn.txt /home/ubuntu/ssn.txt: Heuristics.Structured.SSN FOUND --- SCAN SUMMARY --- Infected files: 1

Re: [clamav-users] FP with Osx.Trojan.EmPyre-6852410-0

2019-02-14 Thread Christopher Marczewski
Osx.Trojan.EmPyre-6852410-0 has been dropped. On Wed, Feb 13, 2019 at 9:04 PM Al Varnell wrote: > Not only that, it's the installer package for an update to the macOS > Malware Removal Tool and only being detected by ClamAV here: > <https://www.virustotal.com/#/file/c81d0180cbfa858d6f3faf4455

Re: [clamav-users] FP with Osx.Trojan.EmPyre-6852410-0

2019-02-13 Thread Al Varnell
Not only that, it's the installer package for an update to the macOS Malware Removal Tool and only being detected by ClamAV here: . Sent from my iPad -Al- > On Feb 13, 2019, at 14:40, M

[clamav-users] FP with Osx.Trojan.EmPyre-6852410-0

2019-02-13 Thread Mark Allan
Hey folks, Signature "Osx.Trojan.EmPyre-6852410-0" is generating an FP against a file signed and distributed by Apple. File hash is c81d0180cbfa858d6f3faf445514cbb53675d4f469beaa5638eb95a3a8d5d0f1 Mark

Re: [clamav-users] FP Email.Phishing.VOF1-6313981-0

2018-10-10 Thread Al Varnell
Looks like the signature was dropped in daily - 25025 about an hour ago. -Al- On Wed, Oct 10, 2018 at 05:46 AM, Pertti Karppinen wrote: > The FP reporting form at https://www.clamav.net/reports/fp > seems not > to be working in my browser, but I found a false

[clamav-users] FP Email.Phishing.VOF1-6313981-0

2018-10-10 Thread Pertti Karppinen
The FP reporting form at https://www.clamav.net/reports/fp seems not to be working in my browser, but I found a false positive that is easy to reproduce. On a Linux system, a zip file produced by the following commands triggers Email.Phishing.VOF1-6313981-0: dd if=/dev/urandom of=fubar.txt bs=1k co

[clamav-users] FP on ProduKey 32-bit

2018-09-10 Thread Kris Deugau
Win.Trojan.Agent-6584188-0 is a hash matching the executable from the 32-bit build of ProduKey. One of our staff doing an assets audit triggered it by emailing the .zip to another staff member. I've confirmed that the .zip and the files in it match a fresh download from the developer's site,

Re: [clamav-users] FP with Heuristics.Phishing.Email.SpoofedDomain

2018-08-29 Thread Kris Deugau
Paul wrote: Hi, I have 2 emails which have tripped Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using the clamscan -x option). Does the output from clamscan -x --debug shown below indicate the offending URL pair triggering Heuristics.Phishing.Email.SpoofedDomain? LibClamAV debug

[clamav-users] FP with Heuristics.Phishing.Email.SpoofedDomain

2018-08-29 Thread Paul
Hi, I have 2 emails which have tripped Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using the clamscan -x option). Does the output from clamscan -x --debug shown below indicate the offending URL pair triggering Heuristics.Phishing.Email.SpoofedDomain? LibClamAV debug: Phishing: l

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2018-08-27 Thread Reindl Harald
On 23.08.2018 at 20:08, Marcus Schopen wrote: > Hi, > > On Tuesday, 14.11.2017, 11:20 +0100, Hajo Locke wrote: >> Hello, >> >> based on my working whitelist regex I would say the 2nd part should >> not >> look only for amazon\.com >> >> >> If I understood it the correct way it should be

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2018-08-23 Thread Marcus Schopen
Hi, On Tuesday, 14.11.2017, 11:20 +0100, Hajo Locke wrote: > Hello, > > based on my working whitelist regex I would say the 2nd part should > not > look only for amazon\.com > > > If I understood it the correct way it should be something like: > > X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|

Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-07 Thread Alain Zidouemba
We have enough information to state that Img.Malware.Agent-6499558-0 is a false positive. The signature has been dropped, and this should be reflected shortly in a new CVD. Thanks, - Alain On Mon, May 7, 2018 at 9:38 AM, Benny Pedersen wrote: > Joel Esler (jesler) wrote on 2018-05-07 03:27: >

Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-07 Thread Benny Pedersen
Joel Esler (jesler) wrote on 2018-05-07 03:27: Whoops, that's an old link https://www.clamav.net/reports/fp Unclear what to do in this link, upload Google Home apk file?

Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Al Varnell
It's no secret that many Android Google apps are junk or flat out malware and the GameStore is either unable or unwilling to put sufficient assets in place to properly police it. I would agree that in this specific case, there is evidence of it being an FP (signature added today and ClamAV the

Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Joel Esler (jesler)
Whoops, that's an old link https://www.clamav.net/reports/fp Sent from my iPhone On May 6, 2018, at 21:24, Joel Esler (jesler) wrote: Dear Benny, You should submit a false positive report. The false positive submission form can be found here: http://www.clamav.net/l

Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Joel Esler (jesler)
Dear Benny, You should submit a false positive report. The false positive submission form can be found here: http://www.clamav.net/lang/en/sendvirus/submit-fp/ Sent from my iPhone > On May 6, 2018, at 20:55, Benny Pedersen wrote: > > https://www.virustotal.com/file/074fe51b41596a05f5c04ba14c

[clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Benny Pedersen
https://www.virustotal.com/file/074fe51b41596a05f5c04ba14c578786fe2edb553659fe9c8bc1f3210ab0/analysis/1525623232/ It hits on Android Google apps

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
Hello, based on my working whitelist regex I would say the 2nd part should not look only for amazon\.com If I understood it the correct way it should be something like: X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)? Using this regex shows a clean mail.

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote: > Hello, > > > Am 14.11.2017 um 10:44 schrieb Al Varnell: >> I'm not very good at regex, but I'm surprised that this current X record >> doesn't already take care of this: >> >> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
Hello, On 14.11.2017 at 10:44, Al Varnell wrote: I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this: X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)? Me too. In which file is this regex located? -Al- O

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this: X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)? -Al- On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote: > Hello List, > > I think I found an FP in incomi

[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke
Hello List, I think I found an FP in incoming mail. I can't submit the mail as an FP on the website, because it contains private data. I can provide the debug output which leads to the match: LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de LibClamAV d

Re: [clamav-users] FP on OWASP Dependency Check as Java.Malware.Agent-6297845-0:73

2017-10-09 Thread Alain Zidouemba
Should be fixed in the next few DB updates. -Alain On Oct 9, 2017, at 2:48 PM, Shaw Terwilliger <sterwilli...@patternhealthtech.com> wrote: Java.Malware.Agent-6297845-0:73 matches a file that's part of the OWASP Dependency Check tool, dependency-check-core-1.4.5.jar. bbeddbad91868290103ed3990

Re: [clamav-users] FP on OWASP Dependency Check as Java.Malware.Agent-6297845-0:73

2017-10-09 Thread Al Varnell
If you have not done so already, you need to upload "dependency-check-core-1.4.5.jar" to -Al- On Mon, Oct 09, 2017 at 11:47 AM, Shaw Terwilliger wrote: > Java.Malware.Agent-6297845-0:73 matches a file that's part of the > OWA

[clamav-users] FP on OWASP Dependency Check as Java.Malware.Agent-6297845-0:73

2017-10-09 Thread Shaw Terwilliger
Java.Malware.Agent-6297845-0:73 matches a file that's part of the OWASP Dependency Check tool, dependency-check-core-1.4.5.jar. bbeddbad91868290103ed3990e8e0276:515130:Java.Malware.Agent-6297845-0:73 The official repository versions of the files can be found at: https://repo.maven.apache.org

Re: [clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Joel Esler (jesler)
This signature was fixed this morning. Sent from my iPhone On Oct 5, 2017, at 5:03 PM, Al Varnell wrote: Please don't include signatures that apply to all file types in your email to the list as the message gets marked as infected. I'm sure some of the intermediate

Re: [clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Al Varnell
Please don't include signatures that apply to all file types in your email to the list as the message gets marked as infected. I'm sure some of the intermediate servers will reject the message, as well. -Al- On Thu, Oct 05, 2017 at 01:59 PM, Vincent Fox wrote: > Hi, > > Getting hits today on t

[clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Vincent Fox
Hi, Getting hits today on this entry in daily.cld. [root@smtp1 clamav]# sigtool --find-sigs Ppt.Exploit.CVE_2017_0199-6336815-1|sigtool --decode-sigs VIRUS NAME: Ppt.Exploit.CVE_2017_0199-6336815-1 TARGET TYPE: ANY FILE OFFSET: * DECODED SIGNATURE: schemas.openxmlformats.org/officedocument{WILDC

Re: [clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Steve Basford
On Thu, March 23, 2017 2:05 pm, Reindl Harald wrote: > [ScamNailer.Phish.en_notification_AT_made-in-china.com.UNOFFICIAL(ad638b8 > abc0d0af59ded4aa2835061e3:293969)] Thanks for the report, I've removed the sig. -- Cheers, Steve Twitter: @sanesecurity

[clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Reindl Harald
Hopefully someone from "scamnailer" reads this - please remove that rule - these are 100% false positives - there are subdomains below, and if you have business customers you will end up with one of them linked in a mail signature [ScamNailer.Phish.en_notification_AT_made-in-china.com.UNOFFICIAL(ad

Re: [clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Reindl Harald
On 23.03.2017 at 15:05, Reindl Harald wrote: Hopefully someone from "scamnailer" reads this - please remove that rule - these are 100% false positives - there are subdomains below, and if you have business customers you will end up with one of them linked in a mail signature [ScamNailer.Phish.en_n

Re: [clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-03-08 Thread Al Varnell
On Wed, Mar 08, 2017 at 01:11 AM, Sergio Fernandez wrote: > > Unsubscribe You need to do that yourself near the bottom of -Al-

Re: [clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-03-08 Thread Sergio Fernandez
Unsubscribe > On 24 Jan 2017, at 14:42, Alain Zidouemba wrote: > > Thanks Mark. We're taking a look at this now. > > - Alain > > On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan wrote: > >> Hi, >> >> I've received a few reports of FPs with the signature >> Java.Exploit.CVE_2012_1723-8. I can

Re: [clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-01-24 Thread Alain Zidouemba
Thanks Mark. We're taking a look at this now. - Alain On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan wrote: > Hi, > > I've received a few reports of FPs with the signature > Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all > places, it's being detected in the scan log which co

[clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-01-24 Thread Mark Allan
Hi, I've received a few reports of FPs with the signature Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all places, it's being detected in the scan log which could contain sensitive information. Apart from the fact that it's very generic, looking only for a single short str

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-12-01 Thread Joel Esler (jesler)
Thanks for the feedback Jeff. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 6:16 PM, Jeff Dyke wrote: Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I jus

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I just rescanned everything I posted after running freshclam and it checks out. Thanks for the efforts! On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell wrote: > And the signature appears to have

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632. -Al- On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote: > > Let me add a couple of things here. > > - This isn't my site, I'm just a fellow user trying to help get you an answer. > > - Normally, it isn't necessary to provide the

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Let me add a couple of things here. - This isn't my site, I'm just a fellow user trying to help get you an answer. - Normally, it isn't necessary to provide the hash for an FP submission unless you find a pressing need to discuss it on this list. As Joel said, it helps the team locate what we a

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
The team is working on this, as we speak. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 10:23 AM, Jeff Dyke wrote: Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, No

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) wrote: > Gene, > > Al was simply asking, as he knows we may ask, and it helps us identify the > file faster. Otherwise we have to search through and look f

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
Gene, Al was simply asking, as he knows we may ask, and it helps us identify the file faster. Otherwise we have to search through and look for the sender email, which, sometimes does not match up. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 06:26:44 Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > * Al Varnell : > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > > > >> Has anybody submitted a PDF yet? > > > > > > > > Of course. > > > > > > Hash? > > > > 8d62c398679

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:50:07 Al Varnell wrote: > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? > > -Al- Your site does not ask for a hash, nor does it specify how to obtain it. It asked fo

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:29:42 Al Varnell wrote: > Has anybody submitted a PDF yet? Normally, nothing can happen until > they have at least one example. Once somebody has a sample they are > allowed to submit, return here with a hash value of the submitted file > so they can expedite proce

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
I did, multiple. I submitted them again, plus new ones I have found since I first submitted. sha256 - short file name - virus total url 52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e DCBPOS.pdf https://www.virustotal.com/en/file/52457b84faac951b961273cba7fe5f462e9edef14aee394f49

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread demonhunter
2.{0,20}\x2fLength\x20(1[7-9]|[2-9]\d|1\d{2}))/ [daily.hdb] 71dfd9f2a567c2172e530a8c1a97ece3:36378:Pdf.Malware.Agent-1765857 DH - Original Message - From: "Ralf Hildebrandt" To: clamav-users@lists.clamav.net Sent: Wednesday, November 30, 2016 6:26:44 AM Subject: Re: [clamav-user

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Al Varnell : > > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > > > * Al Varnell : > > >> Has anybody submitted a PDF yet? > > > > > > Of course. > > > > Hash? > > 8d62c398679ab6c7b85749eacf7a9a80 generated by md5sum -- Ralf Hildebrandt

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? 8d62c398679ab6c7b85749eacf7a9a80 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source: http://www.ubuntu-es.org/node/19132

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : >> Has anybody submitted a PDF yet? > > Of course. Hash? -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > Has anybody submitted a PDF yet? Of course. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Has anybody submitted a PDF yet? Normally, nothing can happen until they have at least one example. Once somebody has a sample they are allowed to submit, return here with a hash value of the submitted file so they can expedite processing. -Al- On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote: >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
hi, On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote: > On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > > > > > Is there any way to get updates on a false positives(i submitted > > this > > about a week or so ago), if it is or is not, i still find these. In > > my > > case they seem

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Gene Heskett
On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > Is there any way to get updates on a false positives(i submitted this > about a week or so ago), if it is or is not, i still find these. In my > case they seem to be ok coming from the printer, but then a > non-technical person opens and save

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Jeff Dyke
Is there any way to get updates on false positives (I submitted this about a week or so ago)? Whether it is or is not, I still find these. In my case they seem to be ok coming from the printer, but then a non-technical person opens and saves the file with a different name (rather than just renaming it) w

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Jeff Dyke
I also submitted an FP a few days ago. I'm not as much of a fan of whitelisting what could be a fairly serious exploit that I'd be allowing people to download if it were valid. Hopefully it will be fixed up soon. The documents I found it in are public, so if there is a way to expedite the process,

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, On 23.11.2016 at 16:10, Ralf Hildebrandt wrote: * Hajo Locke : Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at virustotal and only clamav is finding a virus. Unfortunately I cannot do a FP-Report. All PDFs are property of costume

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
* Hajo Locke : > Hello, > > unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 > Customer was testing at virustotal and only clamav is finding a virus. > Unfortunately I cannot do a FP-Report. All PDFs are property of customers > and not public. I already did a FP report. I

[clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at virustotal and only clamav is finding a virus. Unfortunately I cannot do a FP-Report. All PDFs are property of customers and not public. I hope there are some additional FP-Reports from other

Re: [clamav-users] fp detection is false

2016-11-22 Thread Gene Heskett
On Tuesday 22 November 2016 03:44:44 Al Varnell wrote: > Gene, > > Although your posting that here might reinforce the report we got > earlier today, the files must be submitted to > http://www.clamav.net/reports/fp before anything can happen. > > If you think this is a serious issue then post the

Re: [clamav-users] fp detection is false

2016-11-22 Thread Al Varnell
Gene, Although your posting that here might reinforce the report we got earlier today, the files must be submitted to http://www.clamav.net/reports/fp before anything can happen. If you think this is a serious issue then post the hash values of the submitted files back here so they can be loca

[clamav-users] fp detection is false

2016-11-21 Thread Gene Heskett
Greetings all; This is another copy of this same .pdf: /home/gene/Downloads/Download/MC6809-MC6809E 8-Bit Microprocessor Programming Manual (Motorola Inc.) 1981.pdf: Pdf.Exploit.CVE_2016_1091-2 FOUND So it barked on both copies. But it also hasn't been modified since I acquired it. gene@coyot

Re: [clamav-users] FP

2016-11-12 Thread Alain Zidouemba
The FPs handled by Swf.Exploit.CVE_2016_7865-1 have been resolved and this should be reflected in a CVD update later today. -Alain > On Nov 12, 2016, at 11:20 AM, Al Varnell wrote: > > Me? I'm a user like you and have no ability to solve your issues. > > There is really no need to post every FP

Re: [clamav-users] FP

2016-11-12 Thread Al Varnell
Me? I'm a user like you and have no ability to solve your issues. There is really no need to post every FP submission here. If you want to be notified when your issue has been acted upon you need to subscribe to the clamav-virusdb list, if you haven't done that already. -Al- On Sat, Nov 12, 20

Re: [clamav-users] FP

2016-11-12 Thread Tsutomu Oyamada
Hi, Al Thank you, we found that the previous detection error (false positive) has been solved. In addition to the above, the following signature also causes another detection error (false positive). Swf.Exploit.CVE_2016_7865-1 The file was uploaded to FP site. com.ibm.tivoli.tpm.video.doc_7.2.

Re: [clamav-users] FP

2016-11-11 Thread Al Varnell
I see that the definition was dropped in daily - 22512. -Al- On Tue, Nov 08, 2016 at 10:52 PM, Tsutomu Oyamada wrote: > > Hi, all. > > We are in a problem of detection error (false positive) against a file. > We are receiving complaint for this issue from one of our customers every day. > > We

[clamav-users] FP

2016-11-08 Thread Tsutomu Oyamada
Hi, all. We have a problem with a detection error (false positive) against a file. We are receiving complaints about this issue from one of our customers every day. We put the sample file on http://www.clamav.net/reports/fp two weeks and more ago, several times. However, we have not gotten any new c

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
Thank you David. Sent from my iPhone On Sep 27, 2016, at 10:25 PM, David Shrimpton wrote: >> These signatures were generated out of attachments to known bad spam files. >> We'll have a look. >> > > I generated the null byte files from sizes 1 to 1 and ran clamav against > them > and

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
> These signatures were generated out of attachments to known bad spam files. > We'll have a look. > I generated the null byte files from sizes 1 to 1 and ran clamav against them and came up with 785 signatures that matched the null byte files and are therefore broken. I'd speculate that

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
Thank you Sent from my Apple Watch On Sep 27, 2016, at 9:07 PM, David Shrimpton wrote: > On Wed, 28 Sep 2016, Joel Esler (jesler) wrote: > >> These signatures were generated out of attachments to known bad spam files. >> We'll have a look. >> > > clamscan -z on pdf shows: > > Win.Trojan.A

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote: > These signatures were generated out of attachments to known bad spam files. > We'll have a look. > clamscan -z on pdf shows: Win.Trojan.Agent-1696579 Win.Trojan.Agent-1696632 Win.Trojan.Agent-1696690 Win.Trojan.Agent-1696882 Win.Trojan.Agent-16

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
These signatures were generated out of attachments to known bad spam files. We'll have a look. Sent from my iPhone > On Sep 27, 2016, at 8:54 PM, David Shrimpton > wrote: > >> On Wed, 28 Sep 2016, Joel Esler (jesler) wrote: >> >> All - >> >> This signature was my fault. It has been drop

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote: > All - > > This signature was my fault. It has been dropped. Should drop with the next > publish and run of freshclam. > Win.Trojan.Agent-1696554 is now dropped. But, the pdf is now detected as Win.Trojan.Agent-1696579. Win.Trojan.Agent-169655

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
All - This signature was my fault. It has been dropped. Should drop with the next publish and run of freshclam. > On Sep 27, 2016, at 5:46 AM, Al Varnell wrote: > > On Sep 27, 2016, at 2:26 AM, David Shrimpton > wrote: >> Is the original malware sample for which the signature was intended

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Al Varnell
On Sep 27, 2016, at 2:26 AM, David Shrimpton wrote: > Is the original malware sample for which the signature was intended still > available > and does it have the above sha256sum ? Apparently available from the VT link Steve gave with the following file names: 013167adc0b9fbc908390023f9c0780095

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Tue, 27 Sep 2016, Al Varnell wrote: > The signature is based on a 2240 byte file, so it is probably something > embedded in the PDF. Yes, the 2240 null byte file pdf51 is extracted by clamav from the pdf. --leave-temps and --debug can be used to show this and to obtain the file. md5sum

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
> > Confirmed FP I would say: > > https://virustotal.com/en/file/2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230/analysis/ > > Agreed, above being the sha256sum of 2240 null bytes. The hit on the null bytes could of course be masking actual malware in the same container t

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Al Varnell
The signature is based on a 2240 byte file, so it is probably something embedded in the PDF. In any case, it needs to be uploaded to . Is the MD5 of the entire PDF 013167adb9fbc93923f9c0789599ec95, because Steve and I aren’t finding anything on VT with any dete

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Steve Basford
On Tue, September 27, 2016 8:39 am, David Shrimpton wrote: > Hi, > > > Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an > md5sum of a file containing 2240 null bytes only, so appears to be a broken > signature. > > It is causing false positives. Confirmed FP I would say: https://viru

[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
Hi, Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an md5sum of a file containing 2240 null bytes only, so appears to be a broken signature. It is causing false positives. The example I have was a FP on a 944010 byte pdf which comes up negative on virustotal except for clamav. --

[clamav-users] FP Win.Trojan.Agent-1395362

2016-07-07 Thread Hajo Locke
Hello, i think i have a FP to report. Virus Name is Win.Trojan.Agent-1395362, md5 is da295e46049561433ec860a92fb3b8de This is a javascript File which is included in Siquando Shopsystem. File can be viewed here: http://pastebin.com/raw/34fjq6bV I already reported this as FP at http://www.cla

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-21 Thread Joel Esler (jesler)
Yeah, sorry, I was swamped yesterday and didn’t get to follow up, we obviously dropped them both. -- Joel Esler Manager, Talos Group On Apr 21, 2016, at 4:08 AM, Al Varnell wrote: Looks like the other was dropped, as well in Daily:21500 Dropped Detection Signatur

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-21 Thread Al Varnell
Looks like the other was dropped, as well in Daily:21500 > Dropped Detection Signatures: > >* Win.Trojan.Agent-1395005 > >* Win.Trojan.Agent-1395367 Sent from Janet's iPad -Al- On Apr 20, 2016, at 7:01 AM, Alain Zidouemba wrote: > Confirming the FP on MD5: 585005690e530e8047374cf14e47

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-21 Thread Hajo Locke
Hello, Am 20.04.2016 um 16:01 schrieb Alain Zidouemba: Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The signature Win.Trojan.Agent-1395367 has been removed. Thanks to all. Hajo ___ Help us build a comprehensive ClamAV guide: https://g

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Alain Zidouemba
Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The signature Win.Trojan.Agent-1395367 has been removed. - Alain On Wed, Apr 20, 2016 at 3:02 AM, Hajo Locke wrote: > Hello, > > there seems to be a new FP within a Wordpress Plugin. > Download ist here: > https://jetpack.com/install/?

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Al Varnell
This one was added on Friday in daily:21494 Similar results as before on VT: -Al- On Wed, Apr 20, 2016 at 01:45 AM, Hajo Locke wrote: > > Hello, > > Am 20.04.2016 um 09:31 schrieb H

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
Hello, Am 20.04.2016 um 09:31 schrieb Hajo Locke: Hello, Am 20.04.2016 um 09:20 schrieb Al Varnell: The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP. Not sure what you mean by “automatic created md5 Signature” and given

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
Hello, Am 20.04.2016 um 09:20 schrieb Al Varnell: The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP. Not sure what you mean by “automatic created md5 Signature” and given that it’s a JavaScript I don’t know how you can conc

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Al Varnell
The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP. Not sure what you mean by “automatic created md5 Signature” and given that it’s a JavaScript I don’t know how you can conclude it’s contents “looks ok”, but you did the right

[clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Hajo Locke
Hello, there seems to be a new FP within a Wordpress Plugin. Download is here: https://jetpack.com/install/?from=wporg http://downloads.wordpress.org/plugin/jetpack.latest-stable.zip File jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js is reported as Win.Trojan.Agent-13

Re: [clamav-users] FP System

2016-02-16 Thread Joel Esler (jesler)
There actually is :). There are at least four parts to the FP reporting system, and I have my team on it. -- Joel Esler Manager, Talos Group On Feb 16, 2016, at 6:17 AM, Al Varnell wrote: Agree. We’ve been saying this for a couple of days now and Joel said yest

Re: [clamav-users] FP System

2016-02-16 Thread Al Varnell
Agree. We’ve been saying this for a couple of days now and Joel said yesterday about this time "We're double checking everything.” Guess there’s a lot to check. -Al- On Feb 16, 2016, at 1:17 AM, Steve Basford wrote: > "Houston, we have a problem" aka The FP reporting system is broken. smi

[clamav-users] FP System

2016-02-16 Thread Steve Basford
"Houston, we have a problem" aka The FP reporting system is broken. Here's a windows file which is reporting... ieinstal.exe: Win.Trojan.Win64-226 FOUND I ran freshclam... freshclam ClamAV update process started at Tue Feb 16 09:00:52 2016 main.cld is up to date (version: 55, sigs: 2424225, f-l

[clamav-users] Fp report

2015-09-10 Thread Steve basford
Just spotted this go report https://twitter.com/hanno/status/642067768616046592 Anyone else seeing issues: https://www.reddit.com/r/sysadmin/comments/3kg08m/gmail_flagging_company_docs_as_viruses_when/

Re: [clamav-users] FP Detection / Reclassify Request

2015-07-16 Thread Al Varnell
Strange, that’s a very old signature and the size and MD5 for the .text PE portion of the file you uploaded to VirusTotal is an exact match. Wouldn’t be the first time an FP went undetected for that long, but still unusual. -Al- On Thu, Jul 16, 2015 at 04:35 PM, Joel Esler (jesler) wrote: > >
