In all likelihood, it means that a GET or POST payload contained the signature. Whether or not the request containing the signature was successful in injecting it into your site is a question that only you will be able to answer.
You can use sigtool to find the signature and again to decode the signature to see what it's detecting to help you identify the particular request(s) to investigate further.

$ sigtool --find-sigs Php.Trojan.MSShellcode-81 | awk '{ print $2 }' | sigtool --decode-sigs
VIRUS NAME: Php.Trojan.MSShellcode-81
TARGET TYPE: ANY FILE
OFFSET: *
...

On Mon, Jul 12, 2021 at 10:44 AM Michael Wang <mw...@unixlabplus.com> wrote:

> Clamscan detected a virus in Microsoft Internet Information Services 8.5
> log file:
>
>> *C:\inetpub\logs\LogFiles\W3SVC1\u_exNNNNNN.log: Php.Trojan.MSShellcode-81
>> FOUND*
>
> I looked at the file manually, it consists of comments and GET and POST
> messages. How do I determine if this is a real or false positive? The
> files are dynamic and new files will be generated, what are my options?
> Thanks.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
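Added example, not part of the original thread and not ClamAV code: one way to turn the decoded signature into a search over the IIS log so that each matching request can be triaged by client, URI and status. It assumes the signature body uses only hex bytes, `??` and `*`; the signature and log below are constructed stand-ins, not the real Php.Trojan.MSShellcode-81 pattern.

```python
import re

# IIS W3C field names worth showing when triaging a hit.
WANTED = (b"date", b"time", b"c-ip", b"cs-method",
          b"cs-uri-stem", b"cs-uri-query", b"sc-status")

def sig_to_regex(hex_sig):
    """Translate a subset of ClamAV body-signature syntax (hex bytes, '??', '*')."""
    out, i = [], 0
    while i < len(hex_sig):
        if hex_sig[i] == "*":                 # any number of bytes
            out.append(b".*?"); i += 1
        elif hex_sig[i:i + 2] == "??":        # exactly one byte
            out.append(b"."); i += 2
        else:                                 # literal byte
            out.append(re.escape(bytes.fromhex(hex_sig[i:i + 2]))); i += 2
    return re.compile(b"".join(out), re.DOTALL)

def find_requests(log_bytes, hex_sig):
    """Return (hits, whole_file_match) for a W3C extended log."""
    rx, fields, hits = sig_to_regex(hex_sig), [], []
    for n, line in enumerate(log_bytes.splitlines(), 1):
        if line.startswith(b"#Fields:"):
            fields = line.split()[1:]         # column names for the rows that follow
            continue
        if line.startswith(b"#") or not rx.search(line):
            continue
        row = dict(zip(fields, line.split(b" ")))
        hit = {k.decode(): row.get(k, b"-").decode("latin-1") for k in WANTED}
        hits.append({"line": n, **hit})
    # No per-line hit but a whole-file match: the pattern spans several requests.
    return hits, rx.search(log_bytes) is not None

# Constructed signature body (hex of a harmless marker) and constructed log lines.
SAMPLE_SIG = b"EXAMPLE_MARKER".hex() + "*" + b"END".hex()
SAMPLE_LOG = b"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-12 10:01:02 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200
2021-07-12 10:01:09 192.0.2.10 GET /upload.php x=EXAMPLE_MARKER_1234END 80 - 203.0.113.5 curl/7.0 404
"""

if __name__ == "__main__":
    hits, whole = find_requests(SAMPLE_LOG, SAMPLE_SIG)
    for h in hits:
        print(h)
    print("whole-file match:", whole)
```

The `sc-status` of each hit is the first thing to check when judging whether the request was served; an empty hit list with a whole-file match means the signature's fragments came from different requests.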