Hi there,

On Fri, 22 Jul 2022, Thomas Barth via clamav-users wrote:

I use ClamAV unofficial signatures and it seems that I get a false positive ...

I think you're probably right, but to get a dozen or so other opinions
you can submit the file to VirusTotal or Jotti's Malware Scan:

https://www.virustotal.com
https://virusscan.jotti.org

... and some other errors.

[more yyerror() ]
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389 duplicate identifier "zeroaccess_js4"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414 duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444 duplicate identifier "zerox88_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472 duplicate identifier "zeus_js"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs (1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.

I've seen more than one version of the rfxn.yara signature file.

Having said that I don't see the problem that you've found.  In case
it helps you, here's the directory listing and md5sum of the file
currently in use here.  It's pretty old, and I can't say that I've
noticed very many useful detections from it.

8<----------------------------------------------------------------------
Downloaded from https://cdn.rfxn.com/downloads/maldet-sigpack.tgz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 410441 Aug 17  2020 rfxn.yara
c8303441af0e8fac43cea4d8fb3dc5f7  rfxn.yara
783
$
8<----------------------------------------------------------------------

There's a 'current' version on the 'www' site which is even older:

8<----------------------------------------------------------------------
Downloaded from http://www.rfxn.com/downloads/maldetect-current.tar.gz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 408598 Jul  4  2019 rfxn.yara
25a92fee1f45b81cfa8ba98cf1bc8e3e  rfxn.yara
777
$
8<----------------------------------------------------------------------

To the best of my knowledge I've had no response from the author when
I've tried to contact him.

Where did you get your copy from?  Check that it isn't damaged, if it
is I suggest that you move it out of your ClamAV signature directory
and try another copy.

/root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND

I haven't used malwarepatrol since 2013 so I can't help with that signature.

Are you sure you want to do all this with root permissions? :)

--

73,
Ged.
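
Duplicate identifier errors like those quoted above are a quick sign that a rule file was damaged or assembled twice. The following is an added example, not part of the original message and not code from the rfxn or ClamAV projects: it checks a YARA file for repeated rule names before the file is placed in the signature directory. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a YARA file before it is copied into
# the ClamAV signature directory. Function names here are hypothetical.

# Print "name first_line duplicate_line" for every rule identifier declared
# more than once (what libclamav reports as "duplicate identifier").
# Limitation: a line starting with "rule" inside a comment is also counted.
yara_dup_rules() {
    awk '
    /^[ \t]*((private|global)[ \t]+)*rule[ \t]+[A-Za-z_]/ {
        line = $0
        sub(/^[ \t]*((private|global)[ \t]+)*rule[ \t]+/, "", line)
        match(line, /^[A-Za-z_][A-Za-z0-9_]*/)
        name = substr(line, 1, RLENGTH)
        if (name in first) print name, first[name], NR
        else first[name] = NR
    }' "$1"
}

# Same count as the `grep ^rule rfxn.yara | wc -l` used in the message.
yara_rule_count() {
    grep -c '^rule' "$1"
}

# Return non-zero (and list the clashes on stderr) if the file has duplicates.
yara_preflight() {
    dups=$(yara_dup_rules "$1")
    if [ -n "$dups" ]; then
        echo "$1: duplicate rule identifiers (name first_line dup_line):" >&2
        echo "$dups" >&2
        return 1
    fi
    echo "$1: $(yara_rule_count "$1") rules, no duplicate identifiers"
}

# Constructed sample: the third rule reuses the first rule's name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
rule zeus_js { condition: true }
rule other_js : tag { condition: true }
private rule zeus_js { condition: false }
EOF
yara_preflight "$sample" || echo "not installing $sample"
rm -f "$sample"
```

If the check fails on a freshly downloaded copy, compare its size and md5sum with another download before deciding the upstream file itself is at fault.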