The offending signature will be dropped in the next daily.cvd and revised. Until then, I'd suggest adding it to your local ignore database (.ign2). See https://www.clamav.net/documents/whitelist-databases for more information.
Thanks,
demonduck

On Wed, Feb 5, 2020 at 8:16 AM Mikael Bak <[email protected]> wrote:

> Hi list,
>
> Seems to me that the signature for this virus has to be reworked
> somehow. It is throwing lots of FP on Linux developer workstations.
>
> Here's the output from last night's scan:
>
> /snap/code/23/usr/share/code/code: Unix.Trojan.Mirai-5932143-0 FOUND
> /snap/spotify/36/usr/share/spotify/libcef.so: Unix.Trojan.Mirai-5932143-0 FOUND
> /snap/bitwarden/21/bitwarden: Unix.Trojan.Mirai-5932143-0 FOUND
> /snap/slack/21/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND
> /opt/google/chrome-beta/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
> /opt/google/chrome/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
>
> Microsoft Visual Code (snap version)
> Spotify (snap version)
> Bitwarden (snap version)
> Slack (snap version)
> Google Chrome stable and beta from Google repository.
>
> I unpacked the daily database and searched for this virus and found
> this in daily.ldb:
>
> Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67
>
> I opened up one of the "infected" files in a hex editor and searched
> for the above patterns. Here is the clear text of what this signature
> searches for to trigger alert:
>
> url=
> /cdn-cgi/
> POST
> watchdog
>
> Personally I think it's unreasonable to trigger virus alert just
> because you can find the above strings in a binary. I think this rule
> should be deleted until it's fixed.
>
> Best regards,
> Mikael Bak
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
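Added example, not part of the original messages and not ClamAV's own code: a small Python sketch that decodes the logical signature quoted above and evaluates its expression over a buffer, to show why any large binary containing these four common strings satisfies the rule. It assumes plain hex subsignatures only, left-to-right evaluation of & and |, and count conditions on single subsignatures; the sample buffers are constructed.

```python
import re

# Signature line quoted in the thread (from daily.ldb).
SIG = ("Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);"
       "75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67")

def parse_ldb(line):
    """Split a logical signature into name, target block, expression, patterns."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    # Assumption: plain hex subsignatures only (no wildcards or modifiers).
    return name, tdb, expr, [bytes.fromhex(s) for s in subsigs]

def evaluate(expr, counts):
    """Evaluate the logical expression over per-subsignature match counts."""
    tokens = re.findall(r"\d+|[&|()<>=]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def term():
        if peek() == "(":
            take()
            value = parse_expr()
            take()  # closing ')'
            return value
        n = counts[int(take())]
        if peek() in ("<", ">", "="):  # count condition on one subsignature
            op, limit = take(), int(take())
            return {"<": n < limit, ">": n > limit, "=": n == limit}[op]
        return n > 0

    def parse_expr():
        # Assumption: & and | apply left to right; the thread's rule uses only &.
        value = term()
        while peek() in ("&", "|"):
            op, rhs = take(), term()
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    return parse_expr()

def scan(data, line=SIG):
    """Return (matched, counts); the target block (Target:6) is not enforced here."""
    _name, _tdb, expr, patterns = parse_ldb(line)
    counts = [data.count(p) for p in patterns]  # non-overlapping occurrences
    return evaluate(expr, counts), counts

# Constructed sample buffers, not taken from any real binary.
BENIGN = b"url=https://example.test/cdn-cgi/trace POST /a POST /b watchdog on; watchdog off"
ONCE = b"url=x /cdn-cgi/ POST watchdog"
```

scan(BENIGN) matches because "POST" and "watchdog" each occur more than once; scan(ONCE) does not, since (2>1) and (3>1) require at least two occurrences.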
