Thanks Al.
Little bit of background, when a false positive report comes for a sample, it’s tagged under that specific signature in our system. So if you file a false positive, it specifically comes up as a false positive in the system (I say this so that people don’t think we go back through and scan the billions of malware samples we have every time we push an update).

--
Joel Esler
Manager, Talos Group

On Jan 21, 2016, at 7:46 AM, Al Varnell <[email protected]> wrote:

Done.

-Al-

On Jan 21, 2016, at 4:06 AM, Joel Esler (jesler) wrote:

Please?

Sent from my iPhone

On Jan 21, 2016, at 3:07 AM, Al Varnell wrote:

Yes, I did receive feedback the same day that Win.Adware.Softpulse-215 had been removed and I can confirm that all the others mentioned below except for Swf.Exploit.CVE_2015_5122-1 have been removed, so I’ll try to pursue that last one.

But now those three files are being identified as Win.Trojan.Agent-953878. Should I resubmit the file with that infection name?

-Al-

I have been told that all of these have been corrected already.

Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com

On Jan 18, 2016, at 1:51 AM, Al Varnell <[email protected]> wrote:

I’m hearing from a couple of ClamXav users that several applications are being identified as infected with Win.Adware.Softpulse-215. All these applications contain the StuffIt framework.

I’ve uploaded the StuffIt Expander.app.zip to the ClamAV FP page with MD5 44f5ab1439a9c9c06b46aeb31b265e1e which included infected frameworks as follows:

(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]sit5.exe) = ebe780c5859a324995f9603276e5b4fa
(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]sitx.exe) = a9d1a8144b8ce0b3637ab11dcd48638d
(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]zip.exe) = 7f55eba65a7a91081f2a8ecaa4bf5dc7

For some reason VirusTotal ClamAV identifies it as Win.Adware.Softpulse-218
<https://www.virustotal.com/en/file/9bca9c9581182d3d6ed015179a12f68c94fa21b11cb3ef98a16265cd70fd7032/analysis/1453098213/>

This definition was included in Friday’s daily.cvd Version: 21262, and I have received additional reports of FP’s on the following signatures but do not have access to samples at this time:

Adware.Browsefox-12346
Win.Trojan.Agent-953862
Win.Adware.Agent-59030
Swf.Exploit.CVE_2015_5122-1

-Al-

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
