It looks like I am still getting this false positive?

# clamscan --version
ClamAV 0.96.1/11354/Mon Jul 12 11:19:05 2010

# freshclam
ClamAV update process started at Mon Jul 12 12:39:10 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 11354, sigs: 102409, f-level: 53, builder: ccordes)
bytecode.cld is up to date (version: 31, sigs: 7, f-level: 53, builder: nervous)

# rpm -qa | grep clam
clamav-0.96.1-1.el5.rf
clamav-db-0.96.1-1.el5.rf
clamd-0.96.1-1.el5.rf
# clamscan xxx.ppt
xxx.ppt: BC.Exploit.CVE_2010_0815.Exploit.CVE_2010_0815 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 806430
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 8.23 MB
Data read: 3.64 MB (ratio 2.26:1)
Time: 7.781 sec (0 m 7 s)

PPT is really clean:
http://www.virustotal.com/analisis/434d8b7c9c87d82ff08625e322df459c66899132e5b12815ea94c47d13bedb6e-1278930900

thanks in advance.

Ewald...

> I've just updated the detection for CVE-2010-0815. The possible false
> positive you reported was actually a false positive and had to do with
> the fact that .ppt file was fragmented.
>
> The updated detection for CVE-2010-0815 should be released in the next 24h.
>
> Thanks,
>
> -Alain
>
> On Tue, Jun 29, 2010 at 10:20 AM, Alain Zidouemba <[email protected]>
> wrote:
> > Looking into it now. Will let you know.
> >
> > -Alain
> >
> > On Tue, Jun 29, 2010 at 9:15 AM, Trevor Cotton <[email protected]>
> > wrote:
> >> Today clamAV has started reporting BC.Exploit.CVE_2010_0815 found in a
> >> .ppt file we have had since March last year.
> >> Running ClamAV Engine 0.96.1 on RHEL with latest signatures.
> >> McAfee on the windows side says the file is clean.
> >> Any ideas?
> >>
> >> Thank You,
> >>
> >> Trevor
> >>
> >> Freshclam says
> >> ClamAV update process started at Tue Jun 29 04:02:23 2010
> >> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder:
> >> sven)
> >> Trying host db.us.clamav.net (208.72.56.53)...
> >> Downloading daily-11277.cdiff [*]
> >> daily.cld updated (version: 11277, sigs: 99038, f-level: 53, builder:
> >> arnaud)
> >> bytecode.cvd is up to date (version: 28, sigs: 6, f-level: 53, builder:
> >> nervous)
> >> Database updated (803771 signatures) from db.us.clamav.net (IP:
> >> 208.72.56.53)
> >> Clamd successfully notified about the update.
> >>

--
Ewald Beekman, CISSP.
Academic Medical Center, NL
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
