Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
No, Daily - 22782 says Win.Trojan.Toa-5368540-0 is a New signature, not one of the 11,296 dropped. -Al- On Mon, Dec 26, 2016 at 08:11 PM, Joel Esler (jesler) wrote: > > I believe that signature has been dropped.

Re: [clamav-users] Usage questions on local.ign2

2016-12-26 Thread Al Varnell
On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote: > > For my clamscan cron job, I turned on --detect-pua=yes. While it did detect > some > genuinely infected files, it also turned up a lot of false positives for > PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. > > In s

[clamav-users] Usage questions on local.ign2

2016-12-26 Thread Mark Foley
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some genuinely infected files, it also turned up a lot of false positives for PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. In searching for a way to block just these specific PUA signatures, I fou

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
I believe that signature has been dropped. -- Sent from my iPhone > On Dec 26, 2016, at 11:08 PM, Christian Balzer wrote: > > > Hello, > >> On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote: >> >> We QA against thousands of clean files for each signature. But we don't >> have

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer
Hello, On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote: > We QA against thousands of clean files for each signature. But we don't have > a copy of every file in the world to QA against. > > When people send in false positives, if we determine them to be actually > clean, we add

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
We QA against thousands of clean files for each signature. But we don't have a copy of every file in the world to QA against. When people send in false positives, if we determine them to be actually clean, we add them to the FP farm as well. That's why FPs are important to send in, not just

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer
Hello Al, On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote: > Although most, if not all the Win.Trojan.Toa old signatures were either > dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so > that would appear to be a new issue. > Be that as it may, I'd say this isn't a

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
Although most, if not all the Win.Trojan.Toa old signatures were either dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would appear to be a new issue. -Al- On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote: > > Hello, > > On Mon, 26 Dec 2016 19:21:25 -0

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer
Hello, On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote: > > On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote: > > In keeping with the other false positive reports I have more than 400 > > CentOS servers report below after yesterday's freshclam update: > > Yes, nashorn.jar seems to

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote: > In keeping with the other false positive reports I have more than 400 > CentOS servers report below after yesterday's freshclam update: Yes, nashorn.jar seems to get hit too... eg: fp2\11476331d01: Win.Trojan.Toa-5372078-0 fp2\200ENGI.EXE

[clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Mark Edwards
In keeping with the other false positive reports I have more than 400 CentOS servers report below after yesterday's freshclam update: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.el7_2.x86_64/jre/lib/ext/nashorn.jar: Win.Trojan.Toa-5370166-0. Believe this is a false positive. Would like confi

Re: [clamav-users] More fp's.

2016-12-26 Thread Alain Zidouemba
We are seeing the FPs and are in the process of addressing them. Please keep reporting them. - Alain On Mon, Dec 26, 2016 at 8:11 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote: > > Just run freshclam... > > fp\Aston Villa

Re: [clamav-users] More fp's.

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote: Just run freshclam... fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\im

Re: [clamav-users] More fp's.

2016-12-26 Thread Sierk Bornemann
$ sw_vers ProductName:Mac OS X ProductVersion: 10.12.2 BuildVersion: 16C67 $ cat /Users/$USER/Library/Logs/ClamXavSentry-scan.log | grep FOUND /Applications/Firefox.app/Contents/Resources/omni.ja: Win.Trojan.Toa-5370166-0 FOUND /Applications/Firefox.app/Contents/Resources/browser/omni.ja:

Re: [clamav-users] More fp's. Now it's almost everything that has been zipped.

2016-12-26 Thread Al Varnell
Four have already been dropped and I’m sure there will be more to come. It will go faster if you submit samples to and post a hash back here of the file(s) you uploaded. -Al- On Mon, Dec 26, 2016 at 02:43 AM, Frank Sfalanga Jr. wrote: > > This includes .jar z

[clamav-users] More fp's. Now it's almost everything that has been zipped.

2016-12-26 Thread Frank Sfalanga Jr.
This includes .jar zips. I am seeing this across dozens of GNU/Linux servers. Other than --exclude=*.jar what else can be done to fix these fp's? === /home/ddale/.gradle/wrapper/dists/gradle-1.10-bin/6oa4rff9viiqskhgd6uns5v1f8/gradle-1.10/lib/plug