Hi list,

Seems to me that the signature for this virus has to be reworked somehow. It is throwing lots of FPs on Linux developer workstations.
Here's the output from last night's scan:

/snap/code/23/usr/share/code/code: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/spotify/36/usr/share/spotify/libcef.so: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/bitwarden/21/bitwarden: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/slack/21/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome-beta/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome/chrome: Unix.Trojan.Mirai-5932143-0 FOUND

Microsoft Visual Code (snap version)
Spotify (snap version)
Bitwarden (snap version)
Slack (snap version)
Google Chrome stable and beta from the Google repository.

I unpacked the daily database and searched for this virus and found this in daily.ldb:

Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67

I opened up one of the "infected" files in a hex editor and searched for the above patterns. Here is the clear text of what this signature searches for to trigger an alert:

url=
/cdn-cgi/
POST
watchdog

Personally I think it's unreasonable to trigger a virus alert just because you can find the above strings in a binary. I think this rule should be deleted until it's fixed.

Best regards,
Mikael Bak

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
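The decoding Mikael did by hand in a hex editor can be reproduced for any .ldb entry. The following is an added example, not part of the original post and not ClamAV's own code: it splits a logical-signature line into its fields, hex-decodes the subsignatures, translates the logical expression (here `0&1&(2>1)&(3>1)`, i.e. subsigs 0 and 1 present at least once, subsigs 2 and 3 present more than once) into a Python boolean, and evaluates it against a byte buffer. It supports only the subset of the logical syntax this entry uses (bare indices, `&`, `|`, parentheses, and `N>k` / `N<k` / `N=k` on a single index) and only plain hex subsignatures with no wildcards. The two sample buffers are constructed for the demonstration; the reading of `Target:6` as ELF and `Engine:51-255` as the functionality-level range follows the ClamAV signature documentation.

```python
"""Parse a ClamAV .ldb logical signature and evaluate it against a buffer.

Added example (not ClamAV code). Handles plain-hex subsignatures and the
logical-expression subset used by Unix.Trojan.Mirai-5932143-0.
"""
import re

# The daily.ldb entry quoted in the post, verbatim.
LDB_LINE = ("Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;"
            "0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67")

# Constructed sample buffers (not taken from any real binary).
# A harmless program that speaks HTTP (two "POST"s), embeds a Cloudflare
# "/cdn-cgi/" URL and has a watchdog thread (two "watchdog"s) satisfies
# every clause, which is exactly why Chrome, Slack and friends get flagged.
BENIGN_LIKE = (b"\x7fELF\x02\x01\x01\0"
               b"POST /api/v1 HTTP/1.1\r\n\0"
               b"url=https://example.invalid/cdn-cgi/rum\0"
               b"watchdog thread started\0"
               b"POST\0"
               b"watchdog timeout, restarting\0")
# Same four strings, but each only once: (2>1) and (3>1) fail, so no match.
ONE_EACH = b"url= /cdn-cgi/ POST watchdog"


def parse_ldb(line):
    """Split one .ldb line into name, target block, logic and decoded subsigs."""
    name, tdb, logic, *subsigs = line.strip().split(";")
    return {
        "name": name,
        # e.g. {"Engine": "51-255", "Target": "6"}; Target 6 is ELF in ClamAV's table
        "tdb": dict(kv.split(":", 1) for kv in tdb.split(",")),
        "logic": logic,
        # plain hex only; wildcards such as ?? or {n-m} would raise ValueError here
        "subsigs": [bytes.fromhex(s) for s in subsigs],
    }


def subsig_counts(data, subsigs):
    """Non-overlapping occurrence count of every subsignature in data."""
    return [data.count(s) for s in subsigs]


def logic_to_python(logic):
    """Translate e.g. '0&1&(2>1)' into a Python boolean over the count list c.

    A bare index N means "subsig N matched at least once"; 'N>k' / 'N<k' / 'N=k'
    compare the match count of subsig N with k.
    """
    tokens = re.findall(r"\d+|[&|()<>=]", logic)
    if "".join(tokens) != logic.replace(" ", ""):
        raise ValueError("unsupported logic syntax: %r" % logic)
    out, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t.isdigit():
            if i + 2 < len(tokens) and tokens[i + 1] in "<>=" and tokens[i + 2].isdigit():
                op = "==" if tokens[i + 1] == "=" else tokens[i + 1]
                out.append("(c[%s] %s %s)" % (t, op, tokens[i + 2]))
                i += 3
                continue
            out.append("(c[%s] > 0)" % t)
        elif t == "&":
            out.append(" and ")
        elif t == "|":
            out.append(" or ")
        elif t in "()":
            out.append(t)
        else:
            raise ValueError("dangling comparison operator in %r" % logic)
        i += 1
    return "".join(out)


def matches(sig, data):
    """True if the signature's logical expression holds for this buffer."""
    c = subsig_counts(data, sig["subsigs"])
    # The expression only ever references the list c; builtins are disabled.
    return bool(eval(logic_to_python(sig["logic"]), {"__builtins__": {}}, {"c": c}))


def scan_file(path, sig):
    """Convenience wrapper: evaluate the signature against a file on disk."""
    with open(path, "rb") as f:
        return matches(sig, f.read())


if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    print(sig["name"], sig["tdb"])
    for s in sig["subsigs"]:
        print("  subsig:", s.decode("ascii"))
    print("logic:", logic_to_python(sig["logic"]))
    print("benign-like buffer matches:", matches(sig, BENIGN_LIKE))
    print("one-of-each buffer matches:", matches(sig, ONE_EACH))
```

Running it on the quoted entry prints the four clear-text strings from the post and shows that the constructed "benign-like" buffer matches while the one-of-each buffer does not; pointing `scan_file` at one of the listed binaries lets you confirm which clause a given false positive satisfies. The `count` semantics here are a simplification of ClamAV's own matcher, but they are sufficient to see how few, and how generic, the required strings are.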
