Sebastian, Al's answer is on the right track. The Heuristic.Broken.Executable alert is only appearing because your scan has the "detect-broken" flag enabled, and the scan is detecting what appears to be a broken executable inside that jar file. Scans of the file without that flag enabled must be reporting clean.
If you do have trouble with submitting a FP report, we need another way to get the file. Since you provided a publicly accessible URL to the file (thanks for that, by the way), we can download it and take a look from there. If you decide you want to whitelist a specific file, you can write your own FP signature for the file and add it to your own database folder. Place it in a file with a ".fp" extension, and the file that matches that hash and filesize will stop alerting. More details are in the ClamAV signatures.pdf document in Section 3.8.

Hope this helps,
Dave R.

On Tue, Oct 8, 2013 at 12:41 PM, Al Varnell <[email protected]> wrote:

> I’m not an expert on this, but it seems to be that by definition “Heuristic” detections cannot be false positives. They aren’t positive at all, just warnings of something suspicious. They don’t match any specific signature and are handled by a separate heuristics engine.
>
> BTW, in scanning the file with ClamXav (OS X) I don’t get any kind of detection.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
> On Oct 8, 2013, at 8:39, Sebastian Cherlo <[email protected]> wrote:
>
> > Hello, I'm new in this list, I'll explain my configuration and my problem.
> >
> > I have a Centos 5.9 server with ClamAV 0.98/17947 with c-icap working together with squid 3.1.20, I use the official database and every hour I do a freshclam by cron.
> > There is a file (http://central.maven.org/maven2/net/java/dev/jna/jna/3.4.0/jna-3.4.0.jar) that is being detected as a heuristic broken executable, but when I try to send it as a false positive the official web page says that it does not detect anything, that I must update my database (it is up to date) or, if I use a non-official database, I must contact the author (I use the official database). What is the problem? How can I fix it?
> >
> > Thanks, I'll wait for your answer.
> >
> > --
> >
> > Mariano Sebastian Cherlo
> > Administrador de Redes e Internet
> > Gerencia de Sistemas
> > (54)11 6009-1600 Int:9101
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > http://www.clamav.net/support/ml

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
[email protected]
