Re: [clamav-users] False positive?

2024-04-08 Thread David Precious via clamav-users
On Mon, 8 Apr 2024 11:26:15 -0400 Richard wrote: > After updating to the latest virus signature files using > freshclam, I am suddenly getting infected file reports > that I never got before. Almost certainly yes. This seems to happen periodically, for those same Python PIP exe files (which I

Re: [clamav-users] False positive?

2024-04-08 Thread Andrew C Aitchison via clamav-users
There are also reports on Reddit today of ClamAV finding this: https://www.reddit.com/r/flatpak/comments/1byn8og/clamav_detecting_winvirusexpiro100265760_malware/?rdt=45424 One reply says: I ran one of the files tagged as a virus by Clamav through VirusTotal.com; out of 64 anti-virus

Re: [clamav-users] false positive

2022-12-23 Thread newcomer01 via clamav-users
December 23, 2022 at 16:54 (at 04:54 PM) +0100 Subject: Re: [clamav-users] false positive On Dec 23, 2022, at 03:26, newcomer01 via clamav-users wrote: is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added? On 23.12.22 05:28

Re: [clamav-users] false positive

2022-12-23 Thread Matus UHLAR - fantomas
On Dec 23, 2022, at 03:26, newcomer01 via clamav-users wrote: is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added? On 23.12.22 05:28, Al Varnell via clamav-users wrote: A good start would be to tell us what the domain in question is.

Re: [clamav-users] false positive

2022-12-23 Thread Al Varnell via clamav-users
A good start would be to tell us what the domain in question is. Sent from my iPad -Al- > On Dec 23, 2022, at 03:26, newcomer01 via clamav-users > wrote: > > Hi @ all, > > is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so > that an exception can be added? > >

Re: [clamav-users] False Positive?

2022-08-11 Thread David Laxer
Report Submitted! > On Aug 11, 2022, at 11:21 AM, Joel Esler via clamav-users > wrote: > > Exactly the only answer that is correct to this email. :) > >> On Aug 11, 2022, at 2:15 PM, Al Varnell via clamav-users >> wrote: >> >> Did you submit to >

Re: [clamav-users] False Positive?

2022-08-11 Thread Joel Esler via clamav-users
Exactly the only answer that is correct to this email. :) > On Aug 11, 2022, at 2:15 PM, Al Varnell via clamav-users > wrote: > > Did you submit to ? > > -Al- > -- > ClamXAV user > > On Aug 11, 2022, at 11:01 AM, David Laxer

Re: [clamav-users] False Positive?

2022-08-11 Thread Al Varnell via clamav-users
Did you submit to >? -Al- -- ClamXAV user On Aug 11, 2022, at 11:01 AM, David Laxer wrote: > Clamav 0.105.1 > > Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND > >

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-19 Thread Micah Snyder (micasnyd) via clamav-users
, Micah Micah Snyder ClamAV Development Talos Cisco Systems, Inc. From: clamav-users on behalf of Yaron Elharar via clamav-users Sent: Monday, July 18, 2022 12:09 PM To: ClamAV users ML Cc: Yaron Elharar Subject: Re: [clamav-users] False positive, My program

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-18 Thread Yaron Elharar via clamav-users
> > > Micah Snyder > ClamAV Development > Talos > Cisco Systems, Inc. > > -- > *From:* clamav-users on behalf of > Christopher Marczewski > *Sent:* Monday, July 11, 2022 4:48 PM > *To:* ClamAV users ML > *Subject:* Re: [clamav-u

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-14 Thread Micah Snyder (micasnyd) via clamav-users
. From: clamav-users on behalf of Christopher Marczewski Sent: Monday, July 11, 2022 4:48 PM To: ClamAV users ML Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 Looks like allmatch scanning may

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-11 Thread Christopher Marczewski
Looks like allmatch scanning may be confined to the PUA CVDs if the first signature alert is a PUA signature, as was the case here. PUA.Win.Packer.Exe-6 alerted on this sample during the report processing, but no additional signature alerted. A manual scan without PUA signatures enabled resulted

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-11 Thread Yaron Elharar via clamav-users
Did anybody from the ClamAV team had the chance to take a look at this? On Sun, 10 Jul 2022, 9:27 G.W. Haywood via clamav-users, < clamav-users@lists.clamav.net> wrote: > Hi there, > > On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: > > > I've never seen a user post to that list and

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-10 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: I've never seen a user post to that list and I've subscribed to it for decades. My impression has always been it's for database update announcements only. You might be right Al but I took the URI from a list post and ISTR that

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
I've never seen a user post to that list and I've subscribed to it for decades. My impression has always been it's for database update announcements only. Sent from my iPad -Al- -- ClamXAV User > On Jul 9, 2022, at 09:44, Yaron Elharar via clamav-users > wrote: > > I didn't want to create

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
Shouldn't make any difference as VirusTotal is likely using 0.105, but upgrading isn't up to me as that's something the ClamXAV developer will eventually get around to. Sent from my iPad -Al- -- ClamXAV User > On Jul 9, 2022, at 09:25, G.W. Haywood via clamav-users > wrote: > > A guess: I

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Yaron Elharar via clamav-users
Thank you for taking a look, my understanding of this is also limited, but I'm using 0.105.0.0 With these signatures ClamAV update process started at Sat Jul 9 19:32:19 2022 daily.cvd database is up-to-date (version: 26596, sigs: 1989075, f-level: 90, builder: raynman) main.cvd database is

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: ... --- SCAN SUMMARY --- Known viruses: 12318966 Engine version: 0.104.1 ... ... it would appear that there is a valid False Positive entry in the database for four different files ... ... So why it's being

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
My capabilities for examining Windows files are extremely limited, given that I'm an AppleMac user, exclusively. Running clamscan --debug against the file I see the following near the end: > LibClamAV debug: FP SIGNATURE: > 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Yaron Elharar via clamav-users
that correlates exactly to where it started happening. It's a pretty cool case converter called AnyCase https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1 "... but perhaps the above will allow you to track down what component of the

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
Hi, Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline. And the signature is: % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs VIRUS NAME: Win.Dropper.Tinba-9943147-0 TDB:

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Yaron Elharar via clamav-users wrote: My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total File hash 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9 I've tried to reach out to the team through

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
"G.W. Haywood via clamav-users" writes: > Hi there, > > On Thu, 29 Apr 2021, Robert Kudyba wrote: > >> ... no error(s) when I just ran it manually. > > There are lots of things in the script which look likely to cause > issues, so I'd have expected something: > > 1. Is your Perl interpreter in

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Michael Orlitzky via clamav-users
On Thu, 2021-04-29 at 16:22 +0100, G.W. Haywood via clamav-users wrote: > > 3. What is uid 110 on your system? On my clamd server it's 'sshd'. > This means that if I were to run it as root as it is, the script would > change ownership of the modified files to the wrong user (which would > break

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/. > Thanks I saw that after the fact, indeed /usr/bin in Fedora 2. The environment is likely to be different when the script runs via > freshclam from when it runs at the command line, and it's usually bad > form in

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread G.W. Haywood via clamav-users
Hi there, On Thu, 29 Apr 2021, Robert Kudyba wrote: ... no error(s) when I just ran it manually. There are lots of things in the script which look likely to cause issues, so I'd have expected something: 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/. 2. The

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > > >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; > > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/; > > > > You could do better with a regex, see the excellent Perl documentation. > > > > So what's the syntax to use || (or) with

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
Robert Kudyba writes: > >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/; > > You could do better with a regex, see the excellent Perl documentation. > > So what's the syntax to use || (or)

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > On Thu, 29 Apr 2021, Olivier via clamav-users wrote: > > Robert Kudyba writes: > > > >> How would you make this work for docs.google.com as well? > >> > >> the following regex corresponds to >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread G.W. Haywood via clamav-users
Hi there, On Thu, 29 Apr 2021, Olivier via clamav-users wrote: Robert Kudyba writes: How would you make this work for docs.google.com as well? the following regex corresponds to https://drive.google.com next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; If I

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > > How would you make this work for docs.google.com as well? > > > > the following regex corresponds to >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
Robert Kudyba writes: > How would you make this work for docs.google.com as well? > > the following regex corresponds to https://drive.google.com > next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; If I

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
How would you make this work for docs.google.com as well? the following regex corresponds to https://drive.google.com next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; On Thu, Apr 29, 2021, 12:25 AM Olivier wrote: > Robert, > > In the configuration file user.conf for

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Olivier via clamav-users
Robert, In the configuration file user.conf for ClamAV-unofficial-sig, I set the following variable: clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl" And the script is attached below. Best regards, Olivier

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Robert Kudyba
I'd like the script and in our case the link starts with docs.google.com On Wed, Apr 28, 2021, 10:43 PM Olivier via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > > Robert Kudyba writes: >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Olivier via clamav-users
Hi, Robert Kudyba writes: > Since the signature name has .UNOFFICIAL and starts with MBL I believe that's > Malware Block List. I've > submitted a sample to fp (at) malwarepatrol.net. Is

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Steve Basford
On 28 April 2021 15:25:32 Robert Kudyba wrote: Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't appear

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Richard Graham via clamav-users
On Wed, Apr 28, 2021 at 4:25 PM Robert Kudyba wrote: > ... > sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs > ... and remember that --find-sigs takes a REGEX not a glob so perhaps you meant "MBL_85256034.*", although sigtools checks the entire entry so searching for 'MBL_85256034' is

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 28 Apr 2021, Robert Kudyba wrote: Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't

Re: [clamav-users] False positive on Heuristics.Phishing.Email.SSL-Spoof, no attachment

2021-04-20 Thread Al Varnell via clamav-users
As you have noted, this is a common situation. Anytime the actual URL does not closely match the displayed URL you'll get an alert unless it has been added to an M or X signature in the database. I haven't been convinced that anybody is maintaining that list of exceptions, so disabling it is

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Olivier via clamav-users
Hi, > Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails > quarantined with > the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an > attachment of a > Google Drive folder. I reported this to the false positive at SaneSecurity > address. I also

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Steve Basford
On 24 March 2021 14:16:33 Robert Kudyba wrote: Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. Hi Robert, It's best to report this

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 24 Mar 2021, Robert Kudyba wrote: Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. I reported this to the false

Re: [clamav-users] False positive (?) in check6_clamd_vg test

2020-09-18 Thread Arjen de Korte via clamav-users
Citeren "Micah Snyder (micasnyd)" : Hi Arjen, I see what you're talking about. It is a little confounding. We have a valgrind suppression rule for this specific issue: https://github.com/Cisco-Talos/clamav-devel/commit/8cfec0b245abfac9564c11012d67b19da004e927 {

Re: [clamav-users] False positive (?) in check6_clamd_vg test

2020-09-18 Thread Micah Snyder (micasnyd) via clamav-users
Hi Arjen, I see what you're talking about. It is a little confounding. We have a valgrind suppression rule for this specific issue: https://github.com/Cisco-Talos/clamav-devel/commit/8cfec0b245abfac9564c11012d67b19da004e927 { binhex-overlapping-memmove Memcheck:Overlap

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Alain Zidouemba
The signature needs a little tweaking, and will be revised. Revision 0 (Txt.Coinminer.Generic-7132166-0) has been dropped and this will be reflected in the next signature update. - Alain On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users < clamav-users@lists.clamav.net> wrote: > > >

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread G.W. Haywood via clamav-users
Hi there, On Tue, 27 Aug 2019, Brian Cole via clamav-users wrote: ... we are seeing ClamAV think that CoinMiner virus exists in ... /var/log/sid_changes.log ... Would it not make more sense to exclude such files from your scans? -- 73, Ged.

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Eric Tykwinski
Brian, It’s a straight text search for 6 strings. Can’t send the decode because it will be caught in my outbound. # sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs Doesn’t seem extremely likely for a lot of false positives to me, but ymmv.

Re: [clamav-users] False Positive Detected - Win.Malware.Triusor-6824994-0

2019-01-22 Thread Christopher Marczewski
Hello Matt, Thanks for the report. We've dropped the signature & will investigate further. On Tue, Jan 22, 2019 at 7:43 AM Matt Muir wrote: > Hi all, > > I discovered a false positive detection of Win.Malware.Triusor-6824994-0 in > the database. Detection is occurring in fresh installs of

Re: [clamav-users] False positive

2018-08-03 Thread Joel Esler (jesler)
What is the md5? On Aug 3, 2018, at 2:36 AM, Groach wrote: An overnight scan has just pulled out a false positive on a program. It's against WinSCP (file transfer program) that is a genuine download and been used for years. It's not the first

Re: [clamav-users] False positive -- I hope

2018-01-28 Thread Steve Basford
I *think* that this signature flags *all* zipped JS files, and (IIRC) both Firefox and Thunderbird have JS-containing JAR files. I hope that is all it is. Yep that's it. Foxhole_filename. Foxhole_all. Foxhole_generic and Foxhole_js all have different fp levels...depending on what you see

Re: [clamav-users] False positive detection for a Valid File

2017-08-18 Thread Vijayakumar U
Thanks for the suggestion. I've already done what you said. Submitted here http://www.clamav.net/reports/fp with full signature name and no response. Hence posted here. On Fri, Aug 18, 2017 at 5:49 PM, Al Varnell wrote: > There are five different signatures for

Re: [clamav-users] False positive detection for a Valid File

2017-08-18 Thread Al Varnell
There are five different signatures for Doc.Macro.Obfuscation-63x-x, so you need to specify exactly which one(s) is/are involved when you submit these files to . -Al- On Fri, Aug 18, 2017 at 04:51 AM, Vijayakumar U wrote > Dear Team, > > Few zip and xls

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-07-26 Thread Al Varnell
A.J., I'm not familiar with any of their Windows offerings, but their MacBooster products for macOS/OS X have long been classified as PUA by ClamXAV and other Mac malware scanners. Coco has made similar requests concerning MacBooster FP's. -Al- On Tue, Jul 25, 2017 at 09:34 PM, Arnaud Jacques

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Joel Esler (jesler)
This signature has been dropped. -- Joel Esler | Talos: Manager | jes...@cisco.com On Mar 31, 2017, at 3:44 AM, Arnaud Jacques / SecuriteInfo.com wrote: Received this message

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
On Fri, Mar 31, 2017 at 01:10 AM, Steve Basford wrote: > > On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: >> Received this message : >> >> >> -- Forwarded message -- >> >> This is Coco from IObit (www.iobit.com). >> >> >> Your program ClamAV reports

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
Coco You will need to upload at least one of those to in order for an investigation to be opened. -Al- On Fri, Mar 31, 2017 at 12:44 AM, Arnaud Jacques / SecuriteInfo.com wrote: > > Received this message : > > -- Forwarded message --

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Steve Basford
On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: > Received this message : > > > -- Forwarded message -- > > This is Coco from IObit (www.iobit.com). > > > Your program ClamAV reports the file RegistryDefragBootTime.exe as > Win.Trojan.Agent-5776271-0

Re: [clamav-users] false positive rate

2016-10-02 Thread Steve basford
I guess the first question is are you using official only signatures or do you use 3rd party ones... if so could you do a database list. Next, are you scanning files which are getting fps or are these files grabbed via http or proxy? Could you post sig names, filenames and hashes of a few of

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Alain Zidouemba
The offending signature has been dropped from the signature set. This should be reflected shortly in an upcoming signature update. - Alain On Wed, Aug 10, 2016 at 6:10 AM, Al Varnell wrote: > The only way to be notified is if you submit a sample to the ClamAV False >

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 7:22 am, ANANT S ATHAVALE wrote: > Hi, > > > Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is > this a false positive? Finally got it... blank LibreOffice.doc file... blank.doc: Win.Exploit.CVE_2016_3316-1 I've added a whitelist entry to

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Al Varnell
The only way to be notified is if you submit a sample to the ClamAV False Positive site that I referenced earlier. Otherwise, you’ll just have to query the database periodically to see if and when it is removed or ignored. -Al- On Wed, Aug 10, 2016 at 02:32 AM, Robert Boyle wrote: > > Can

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 10:52 am, Jan-Pieter Cornet wrote: > On 10-8-16 08:22, ANANT S ATHAVALE wrote: > >> Hi, >> >> >> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is >> this a false positive? > > Created a completely empty .doc file using LibreOffice on linux, and the >

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Reindl Harald
On 10.08.2016 at 11:52, Jan-Pieter Cornet wrote: On 10-8-16 08:22, ANANT S ATHAVALE wrote: Hi, Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive? Yes. Created a completely empty .doc file using LibreOffice on linux, and the resulting file was

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Jan-Pieter Cornet
On 10-8-16 08:22, ANANT S ATHAVALE wrote: > Hi, > > Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a > false positive? Yes. Created a completely empty .doc file using LibreOffice on linux, and the resulting file was recognized as Win.Exploit.CVE_2016_3316-1. This

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Reindl Harald
On 10.08.2016 at 11:32, Robert Boyle wrote: I see that you have added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2 Can you please advise when this whitelist update is available to all users? you can place your own .ign2 file in the signature folder, that's the whole point of different

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Robert Boyle
Hi, I see that you have added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2 Can you please advise when this whitelist update is available to all users? Thanks RB ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Al Varnell
Signature was just added yesterday, so there’s a good chance. Be sure and submit a couple of samples to so that it can be taken care of for all. -Al- On Tue, Aug 09, 2016 at 11:22 PM, ANANT S ATHAVALE wrote: > > Hi, > > Most of the mails are marked with

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Axb
On 08/10/2016 08:22 AM, ANANT S ATHAVALE wrote: Hi, Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive? seems so! added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2

Re: [clamav-users] False positive

2016-02-17 Thread Al Varnell
On Feb 17, 2016, at 9:01 PM, Tsutomu Oyamada wrote: > A false positive which detects normal file as a malware > "win.Trojan.Bancos-2115" was occurred last week. > It was started CVD version 21359 and was fixed by 21362. > Could you tell us what was the cause of this false positive? Did you read

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread P K
ok thank you. On Wed, Nov 4, 2015 at 2:55 PM, Al Varnell wrote: > By definition, there is no such thing as a False Positive PUA nor is PUA > considered to be infected. > . > > Based on the description of

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Al Varnell
By definition, there is no such thing as a False Positive PUA nor is PUA considered to be infected. Based on the description of CVE-2012-1461 I’d guess it

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Steve Basford
On Wed, November 4, 2015 6:03 am, P K wrote: > Hi, > > > I tried clamdscan with PUA enabled on go source code and seen an error. > issue6550.gz: PUA.File.Exploit.CVE_2012_1461 https://www.virustotal.com/en/file/c809983cf1b4f11552a1880272e3002a963a39c453b4883bf47e5c2cfc8f2a47/analysis/1446632226/

Re: [clamav-users] - False Positive

2015-07-09 Thread Ingo Bente
Yes. /path/to/file: BC.Win.Exploit.CVE_2012_0167 FOUND The file was last changed in Mar 2015. This, in addition to the fact that the CVE dates back to the year 2012, seems to indicate a false positive to me. Cheers Ingo On 9 July 2015 at 15:37, Alain Zidouemba azidoue...@sourcefire.com wrote:

Re: [clamav-users] - False Positive

2015-07-09 Thread Ingo Bente
The file has been subject to daily scanning since Mar 2015. According to the mtime, the file has not been changed since. However, the positive finding from ClamAV occurred just yesterday. That's why it seems to me that this might be a false positive. Please let me know what you think. Cheers

Re: [clamav-users] - False Positive

2015-07-09 Thread Al Varnell
I’m not sure why you would consider a 2012 CVE to be an indicator of a false positive. Have you read the vulnerability description? https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167 If that document contains an EMF image it could cause a heap-based buffer overflow in those older,

Re: [clamav-users] - False Positive

2015-07-09 Thread Al Varnell
I used to be able to scan the database to determine when each signature was added, but that list has been eliminated so I can’t verify, but when an older file is suddenly identified as infected, my first thought is that this must be a new signature. Just because the vulnerability has been

Re: [clamav-users] - False Positive

2015-07-09 Thread Alain Zidouemba
Can you provide the detection name that ClamAV displayed? Thanks, - Alain On Thu, Jul 9, 2015 at 7:43 AM, Ingo Bente ingo.be...@gmail.com wrote: I am seeing the same finding. Since yesterday's daily update. I cross checked the respective file with Gmail, Avast, Avira and Windows Defender.

Re: [clamav-users] - False Positive

2015-07-09 Thread Shaun Hurley
Ingo, It looks like this sig was originally published on June 11th, 2015. We dropped the signature this afternoon to review why it triggered a false positive. Thank you for making us aware of this issue. Please let us know if there are any other issues. Thanks again, Shaun Hurley ClamAV

Re: [clamav-users] - False Positive

2015-07-07 Thread Andrew Carter
On 08/07/15 11:02, Andrew Carter wrote: Hi , I am seeing Word documents coming up with a virus - BC.Win.Exploit.CVE_2012_0167 but only clam is detecting this. Can this be fixed? Thanks, Andrew

Re: [clamav-users] - False Positive

2015-07-07 Thread Alain Zidouemba
If one of the documents doesn't contain sensitive information, can you submit here? http://www.clamav.net/report/report-fp.html Thanks, - Alain On Tuesday, July 7, 2015, Andrew Carter andrew.car...@smxemail.com wrote: On 08/07/15 11:02, Andrew Carter wrote: Hi , I am seeing Word

Re: [clamav-users] False positive for sure

2014-09-03 Thread Joel Esler (jesler)
That's a PUA alert. That's not on by default. -- Joel Esler Sent from my iPhone On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote: Greetings; This report from last night's clamscan is absolutely a false positive: /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz:

Re: [clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
On Wednesday 03 September 2014 06:51:45 Joel Esler (jesler) did opine And Gene did reply: That's a PUA alert. That's not on by default. Ok, I'll byte, what's a PUA? -- Joel Esler Sent from my iPhone On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote: Greetings;

Re: [clamav-users] False positive for sure

2014-09-03 Thread Matus UHLAR - fantomas
On 03.09.14 10:51, Joel Esler (jesler) wrote: That's a PUA alert. That's not on by default. well, if it's THE .tar.gz that caused the PUA alert, it apparently should be ignored. On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote: This report from last night's clamscan is

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 11:56 am, Gene Heskett wrote: Ok, I'll byte, what's a PUA? Here's a good description... Q. What is a Potentially Unwanted Application (PUA)? A. The Sophos definition of a PUA is (quote) a term used to describe an application that is not inherently malicious, but is

Re: [clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
On Wednesday 03 September 2014 06:57:59 Matus UHLAR - fantomas did opine And Gene did reply: On 03.09.14 10:51, Joel Esler (jesler) wrote: That's a PUA alert. That's not on by default. well, if it's THE .tar.gz that caused the PUA alert, it apparently should be ignored. On Sep 3, 2014,

Re: [clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
On Wednesday 03 September 2014 07:01:00 Steve Basford did opine And Gene did reply: On Wed, September 3, 2014 11:56 am, Gene Heskett wrote: Ok, I'll byte, what's a PUA? Here's a good description... Q. What is a Potentially Unwanted Application (PUA)? A. The Sophos definition of a PUA is

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote: So as it's been yonks since I set up the daily machine scan, where do I turn off this particular PUA feature? "--detect-pua" switch for clamscan or disable it in the clamd.conf file. Cheers, Steve Sanesecurity

Re: [clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
On Wednesday 03 September 2014 07:41:36 Steve Basford did opine And Gene did reply: On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote: So as it's been yonks since I set up the daily machine scan, where do I turn off this particular PUA feature? "--detect-pua" switch for clamscan or

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote: "--detect-pua" switch for clamscan or disable it in the clamd.conf file. Which one? I have 3 of them. This is an old ubuntu 10.04 LTS install. Also it's reported as version 98.1. If you are using clamscan then I guess you've got a

Re: [clamav-users] False positive for sure

2014-09-03 Thread Douglas Goddard
We're working on some signatures for our users who run ClamAV on their mail servers. We'll be tweaking them over the next few weeks to minimize false positives, but with loose signatures like this, it is difficult to eliminate them completely. If you're not concerned about double extension files

Re: [clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
On Wednesday 03 September 2014 10:44:21 Douglas Goddard did opine And Gene did reply: We're working on some signatures for our users who run ClamAV on their mail servers. We'll be tweaking them over the next few weeks to minimize false positives, but with loose signatures like this, it is

Re: [clamav-users] false positive sample

2014-08-25 Thread Joel Esler (jesler)
On Aug 22, 2014, at 8:24 PM, Dan McDaniel d...@dm3.us wrote: On Fri 22.Aug.14 15:36, Al Varnell wrote: On Aug 22, 2014, at 3:26 PM, Dan McDaniel d...@dm3.us wrote: I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet.

Re: [clamav-users] false positive sample

2014-08-25 Thread Joel Esler (jesler)
On Aug 22, 2014, at 6:44 PM, Daniel Quintiliani d...@runbox.com wrote: On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel d...@dm3.us wrote: I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it

Re: [clamav-users] false positive sample

2014-08-25 Thread G.W. Haywood
Hi there, On Mon, 25 Aug 2014, it was difficult to figure out who wrote: Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought

Re: [clamav-users] false positive sample

2014-08-25 Thread Daniel Quintiliani
On Mon, 25 Aug 2014 13:17:23 +, Joel Esler (jesler) jes...@cisco.com wrote: We’re currently working on a better way to report false positives, so hopefully we’ll see some resolution to the issue soon, but by all means, if you have FP reports, please report them via the website and

Re: [clamav-users] false positive sample

2014-08-22 Thread Al Varnell
On Aug 22, 2014, at 3:26 PM, Dan McDaniel d...@dm3.us wrote: I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again? Providing the MD5 of the submitted file will allow the team to locate it quickly. Also, on the web form when

Re: [clamav-users] false positive sample

2014-08-22 Thread Daniel Quintiliani
On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel d...@dm3.us wrote: I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again? Also, on the web form when submitting false positives there is a check-box that says notify me. It would

Re: [clamav-users] false positive sample

2014-08-22 Thread Dan McDaniel
On Fri 22.Aug.14 15:36, Al Varnell wrote: On Aug 22, 2014, at 3:26 PM, Dan McDaniel d...@dm3.us wrote: I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again? Providing the MD5 of the submitted file will allow the team to locate it

Re: [clamav-users] False Positive File Decompression errors

2014-08-19 Thread Manoj Chitrala
Hi, We have 2 issues with Clamav. 1) We've been receiving false positive alerts. I have also submitted false positives many a time but I haven't received any response from the ClamAV team. Please can you suggest a fix for this. I have upgraded the AV to latest, updated the virus
