We QA against thousands of clean files for each signature.  But we don't have a
copy of every file in the world to QA against.

When people send in false positives, if we determine them to be actually clean, 
we add them to the FP farm as well.  That's why FPs are important to send in, 
not just to clean current FPs, but to prevent future ones.   

--
Sent from my iPhone

> On Dec 26, 2016, at 9:27 PM, Christian Balzer <ch...@gol.com> wrote:
> 
> 
> Hello Al,
> 
>> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
>> 
>> Although most, if not all the Win.Trojan.Toa old signatures were either 
>> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
>> that would appear to be a new issue.
>> 
> Be that as it may, I'd say this isn't a new issue as such but a
> continuation of what is clearly insufficient QA with these signatures.
> 
> I'd love to be more helpful, but since these are large mails I don't have a
> complete bounce (Exim suppresses those over 100KB) and I don't have easy
> access to any of the senders.
> But it's with near certainty some attachment in a MS file format that
> triggers these.
> 
> Regards,
> 
> Christian
> 
>> -Al-
>> 
>>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
>>> 
>>> Hello,
>>> 
>>>> On Mon, 26 Dec 2016 19:21:25 -0000 Steve Basford wrote:
>>>> 
>>>> 
>>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>>>> In keeping with the other false positive reports I have more than 400
>>>>> CentOS servers report below after yesterday's freshclam update:
>>>> 
>>>> Yes, nashorn.jar seems to get hit too...
>>>> 
>>>> eg:
>>>> 
>>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>>>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>>>> 
>>>> and the earlier reported FP's are still there:
>>>> 
>>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>>>> 
>>>> etc.
>>>> 
>>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing
>>>> done in full after holidays.
>>>> 
>>> I can only second that.
>>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
>>> 
>>> At this rate the previous bit about "Clamscan becoming its own worst
>>> enemy." can not be underestimated.
>>> This is the 2nd, VERY visible FP avalanche in so many months and since it
>>> affects a lot of people here including internal business mails.
>>> Reflecting badly on all OSS projects and SW.
>>> 
>>> Christian
>>> 
>>>> As the issues go on...
>>>> 
>>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>>>> 
>>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> 
> 
> -- 
> Christian Balzer        Network/Systems Engineer                
> ch...@gol.com       Global OnLine Japan/Rakuten Communications
> http://www.gol.com/
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml