Re: [clamav-users] Win.Exploit.CVE_2019_0758-6968262-1 - VERY false positives

2019-06-03 Thread Al Varnell via clamav-users
You must unsubscribe yourself at the bottom of this page:
>

-Al-

> On Jun 3, 2019, at 12:54, Roberto Mazzini  wrote:
> 
> unsubscribe
> 




___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Win.Exploit.CVE_2019_0758-6968262-1 - VERY false positives

2019-06-03 Thread Roberto Mazzini

unsubscribe

On 02/06/19 18:26, Groach via clamav-users wrote:

This has since been proven ok.  The FP's stopped last week.

Thanks


02/06/19 17:25

On 27/05/2019 13:34, Tuomo Soini wrote:

On Mon, 27 May 2019 12:47:13 +0200
Andrea Venturoli  wrote:


On 5/27/19 11:38 AM, Groach via clamav-users wrote:

Since 25th May, my email system (according to this new signature)
is rife with a virus that didn't (and still doesn't) exist in these
historic emails.  These emails (an extract of the scan results is
shown below) have PDF's in them but are without risk.  Can we drop
this signature please?

I agree.
I had to whitelist this sig.

That signature was dropped in daily 25462 so updating database should
be enough now.




Roberto Mazzini

Giolli coop

--
Giolli Società Cooperativa Sociale
Centro permanente di ricerca e sperimentazione teatrale
sui metodi Boal e Freire
Via Chiesa, 12
43022 Montechiarugolo (PR)
telefax: 0521-686385
e-mail: segrete...@giollicoop.it
web: www.giollicoop.it
FaceBook: CooperativaGiolli



Re: [clamav-users] Win.Exploit.CVE_2019_0758-6968262-1 - VERY false positives

2019-06-03 Thread Groach via clamav-users

This has since been proven ok.  The FP's stopped last week.

Thanks


02/06/19 17:25

On 27/05/2019 13:34, Tuomo Soini wrote:

On Mon, 27 May 2019 12:47:13 +0200
Andrea Venturoli  wrote:


On 5/27/19 11:38 AM, Groach via clamav-users wrote:

Since 25th May, my email system (according to this new signature)
is rife with a virus that didn't (and still doesn't) exist in these
historic emails.  These emails (an extract of the scan results is
shown below) have PDF's in them but are without risk.  Can we drop
this signature please?

I agree.
I had to whitelist this sig.

That signature was dropped in daily 25462 so updating database should
be enough now.



Re: [clamav-users] ClamAV false positive

2019-06-03 Thread Arnaud Jacques

Hello Lionel,


The executable in question is the file "*jfxrt.jar*" (Java FX Runtime 
JAR File) and it is considered to be "*PUA.Andr.Adware.Dowgin-6888245-0*" 
by ClamAV, whereas no other antivirus sees it as a threat 
(tested with VirusTotal).


If you look at the screenshot of VirusTotal you sent, you can see that 
ClamAV does not detect the sample.


On my own Linux computer I cannot reproduce your problem:

# sha256sum jfxrt.jar
2a554529f3556cc79c2e42e22a467cc5f189bd2c73ba626cf66908a1d6474034  jfxrt.jar

# clamscan -V
ClamAV 0.100.3/25468/Sun Jun  2 10:00:03 2019

# clamscan --detect-pua jfxrt.jar --max-filesize=30 
--max-scansize=30 --max-scriptnormalize=30 
--max-htmlnormalize=30 --max-recursion=30 --max-embeddedpe=300M

jfxrt.jar: OK

--- SCAN SUMMARY ---
Known viruses: 8924964
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 26.12 MB
Data read: 17.59 MB (ratio 1.48:1)
Time: 114.523 sec (1 m 54 s)

Are you up-to-date? What is your version of ClamAV? What is your 
version of the signature databases?



--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
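
The checks discussed in this thread (which daily database is loaded, and whether a signature is still being reported) can be scripted. The following is an added example, not code from any poster or from the ClamAV project: the function names are hypothetical, the scan log is constructed sample data, and the banner layout and daily number 25462 are the ones quoted in the thread.

```shell
# Constructed sample of clamscan output ("<path>: <Signature> FOUND" / "OK").
SAMPLE_LOG='/var/mail/a.eml: Win.Exploit.CVE_2019_0758-6968262-1 FOUND
/var/mail/b.eml: OK
/var/mail/c: d.eml: Win.Exploit.CVE_2019_0758-6968262-1 FOUND'

# daily_version BANNER
# Extract the daily database number from a `clamscan -V` banner of the form
# "ClamAV <engine>/<daily>/<date>". Fails if the banner has no daily field.
daily_version() {
    local daily
    daily=$(printf '%s\n' "$1" | awk -F/ 'NF >= 3 { print $2 }')
    case "$daily" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric field
    esac
    printf '%s\n' "$daily"
}

# found_signatures < scan.log
# Print each distinct signature name reported as FOUND. The greedy match keeps
# paths that themselves contain ": " from being mistaken for the signature.
found_signatures() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort -u
}

# fp_triage BANNER SIGNATURE FIXED_IN_DAILY < scan.log
# Classify a suspected false positive given the daily in which it was dropped.
fp_triage() {
    local daily
    daily=$(daily_version "$1") || { echo "unknown-db"; return 0; }
    if [ "$daily" -lt "$3" ]; then
        echo "stale-db"        # update the database (freshclam), then rescan
    elif found_signatures | grep -qxF -- "$2"; then
        echo "still-detected"  # fixed daily is loaded yet it still fires
    else
        echo "resolved"
    fi
}

# Demo: an older daily (constructed banner) against the sample log.
printf '%s\n' "$SAMPLE_LOG" |
    fp_triage "ClamAV 0.100.3/25460/Sat May 25 10:00:00 2019" \
              "Win.Exploit.CVE_2019_0758-6968262-1" 25462
```

A `stale-db` result means the report should wait until the database has been updated and the scan repeated; only `still-detected` is worth sending to the list together with the file hash and the banner.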



[clamav-users] ClamAV false positive

2019-06-03 Thread Lionel PONCELET via clamav-users
Hello,

For several weeks I have been reporting a false positive that we have been
detecting since version "*25399*" of "*daily.cvd*", and despite my
multiple follow-ups, I have had no news from ClamAV and the problem still
exists...

The false positive concerns an executable that is part of the Java JRE suite,
downloaded directly from Oracle's site, and required for applications
developed in Java FX to work.
The executable in question is the file "*jfxrt.jar*" (Java FX Runtime JAR
File) and it is considered to be "*PUA.Andr.Adware.Dowgin-6888245-0*" by
ClamAV, whereas no other antivirus sees it as a threat (tested
with VirusTotal).

The SHA256 of the file is:
*2a554529f3556cc79c2e42e22a467cc5f189bd2c73ba626cf66908a1d6474034*

Can you do what is necessary so that our problem is dealt with?

Thanks in advance and have a good day.

Regards.
