Mark,

Thanks.  I’ve set these to drop, so they should disappear in an upcoming 
release.

Not sure why they were convicted in the first place. I have safeguards that 
should have prevented this; I’ll look into it.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 23, 2016, at 6:04 AM, Mark Allan <markjal...@gmail.com> wrote:

Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark


On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarn...@mac.com> wrote:

I see that Daily - 22584 drops three of them:

 * Txt.Malware.Agent-1811885
 * Txt.Malware.Agent-1835895
 * Txt.Malware.Agent-1835897

-Al-

On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:

I am seeing these mostly on files that comprise the OpenLayers library in
phpMyAdmin 4.

On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:

Mark,

Thanks for the feedback, you are right, I am experiencing some high counts
in the Txt.Malware.Agent family.

I’ve disabled this engine for now.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 22, 2016, at 12:02 PM, Mark Allan <markjal...@gmail.com> wrote:

Hi all,

I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
containing a number of files which ClamAV incorrectly detects as various
strains of Txt.Malware.Agent.

My experience may be slightly skewed, but it seems that the rate of FPs
has increased a lot lately, and they mostly appear to be being caused by
hash-based signatures.  I'm wondering if this is related to Joel's recent
admission that the signature generation process is almost entirely
automated now.

Is it possible that someone is targeting ClamAV and reporting known-clean
files as if they were infected?  To what end, I'm not sure, but I can't
shake the feeling that something's not right...

Mark

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


-Al-
--
Al Varnell
Mountain View, CA



