Re: [clamav-users] False positive?

2024-04-08 Thread David Precious via clamav-users
On Mon, 8 Apr 2024 11:26:15 -0400 Richard wrote: > After updating to the latest virus signature files using > freshclam, I am suddenly getting infected file reports > that I never got before. Almost certainly yes. This seems to happen periodically, for those same Python PIP exe files (which I

Re: [clamav-users] False positive?

2024-04-08 Thread Andrew C Aitchison via clamav-users
There are also reports on Reddit today of ClamAV finding this: https://www.reddit.com/r/flatpak/comments/1byn8og/clamav_detecting_winvirusexpiro100265760_malware/?rdt=45424 One reply says: I ran one of the files tagged as a virus by Clamav through VirusTotal.com; out of 64 anti-virus

[clamav-users] False positive?

2024-04-08 Thread Richard
After updating to the latest virus signature files using freshclam, I am suddenly getting infected file reports that I never got before. I don't think the affected files have changed, at least the creation dates and size in bytes are still the same. How can I tell whether this is a real virus or

Re: [clamav-users] false positive

2022-12-23 Thread newcomer01 via clamav-users
December 23, 2022 at 16:54 (04:54 PM) +0100 Subject: Re: [clamav-users] false positive On Dec 23, 2022, at 03:26, newcomer01 via clamav-users wrote: is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added? On 23.12.22 05:28

Re: [clamav-users] false positive

2022-12-23 Thread Matus UHLAR - fantomas
On Dec 23, 2022, at 03:26, newcomer01 via clamav-users wrote: is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added? On 23.12.22 05:28, Al Varnell via clamav-users wrote: A good start would be to tell us what the domain in question is.

Re: [clamav-users] false positive

2022-12-23 Thread Al Varnell via clamav-users
A good start would be to tell us what the domain in question is. Sent from my iPad -Al- > On Dec 23, 2022, at 03:26, newcomer01 via clamav-users > wrote: > > Hi @ all, > > is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so > that an exception can be added? > >

[clamav-users] false positive

2022-12-23 Thread newcomer01 via clamav-users
Hi @ all, is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added? kind regards, Marc

Re: [clamav-users] False Positive?

2022-08-11 Thread David Laxer
Report Submitted! > On Aug 11, 2022, at 11:21 AM, Joel Esler via clamav-users > wrote: > > Exactly the only answer that is correct to this email. :) > >> On Aug 11, 2022, at 2:15 PM, Al Varnell via clamav-users >> wrote: >> >> Did you submit to >

Re: [clamav-users] False Positive?

2022-08-11 Thread Joel Esler via clamav-users
Exactly the only answer that is correct to this email. :) > On Aug 11, 2022, at 2:15 PM, Al Varnell via clamav-users > wrote: > > Did you submit to ? > > -Al- > -- > ClamXAV user > > On Aug 11, 2022, at 11:01 AM, David Laxer

Re: [clamav-users] False Positive?

2022-08-11 Thread Al Varnell via clamav-users
Did you submit to >? -Al- -- ClamXAV user On Aug 11, 2022, at 11:01 AM, David Laxer wrote: > Clamav 0.105.1 > > Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND > >

[clamav-users] False Positive?

2022-08-11 Thread David Laxer
Clamav 0.105.1 Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND /Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9/Wide.kth: Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND /Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9_RTL/Wide.kth:

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-19 Thread Micah Snyder (micasnyd) via clamav-users
, Micah Micah Snyder ClamAV Development Talos Cisco Systems, Inc. From: clamav-users on behalf of Yaron Elharar via clamav-users Sent: Monday, July 18, 2022 12:09 PM To: ClamAV users ML Cc: Yaron Elharar Subject: Re: [clamav-users] False positive, My program

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-18 Thread Yaron Elharar via clamav-users
> > > Micah Snyder > ClamAV Development > Talos > Cisco Systems, Inc. > > -- > *From:* clamav-users on behalf of > Christopher Marczewski > *Sent:* Monday, July 11, 2022 4:48 PM > *To:* ClamAV users ML > *Subject:* Re: [clamav-u

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-14 Thread Micah Snyder (micasnyd) via clamav-users
. From: clamav-users on behalf of Christopher Marczewski Sent: Monday, July 11, 2022 4:48 PM To: ClamAV users ML Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 Looks like allmatch scanning may

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-11 Thread Christopher Marczewski
Looks like allmatch scanning may be confined to the PUA CVDs if the first signature alert is a PUA signature, as was the case here. PUA.Win.Packer.Exe-6 alerted on this sample during the report processing, but no additional signature alerted. A manual scan without PUA signatures enabled resulted

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-11 Thread Yaron Elharar via clamav-users
Did anybody from the ClamAV team have the chance to take a look at this? On Sun, 10 Jul 2022, 9:27 G.W. Haywood via clamav-users, < clamav-users@lists.clamav.net> wrote: > Hi there, > > On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: > > > I've never seen a user post to that list and

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-10 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: I've never seen a user post to that list and I've subscribed to it for decades. My impression has always been it's for database update announcements only. You might be right Al but I took the URI from a list post and ISTR that

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
I've never seen a user post to that list and I've subscribed to it for decades. My impression has always been it's for database update announcements only. Sent from my iPad -Al- -- ClamXAV User > On Jul 9, 2022, at 09:44, Yaron Elharar via clamav-users > wrote: > > I didn't want to create

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
Shouldn't make any difference as VirusTotal is likely using 0.105, but upgrading isn't up to me as that's something the ClamXAV developer will eventually get around to. Sent from my iPad -Al- -- ClamXAV User > On Jul 9, 2022, at 09:25, G.W. Haywood via clamav-users > wrote: > > A guess: I

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Yaron Elharar via clamav-users
Thank you for taking a look, my understanding of this is also limited, but I'm using 0.105.0.0 With these signatures ClamAV update process started at Sat Jul 9 19:32:19 2022 daily.cvd database is up-to-date (version: 26596, sigs: 1989075, f-level: 90, builder: raynman) main.cvd database is

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote: ... --- SCAN SUMMARY --- Known viruses: 12318966 Engine version: 0.104.1 ... ... it would appear that there is a valid False Positive entry in the database for four different files ... ... So why it's being

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
My capabilities for examining Windows files are extremely limited, given that I'm an AppleMac user, exclusively. Running clamscan --debug against the file I see the following near the end: > LibClamAV debug: FP SIGNATURE: > 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0
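What that FP SIGNATURE debug line encodes, as an added example that is not ClamAV's code and not from anyone in this thread: a hash-based false-positive entry has the form MD5:FileSize:SignatureName in a .fp file (SHA1/SHA256 in .sfp), and it only suppresses a detection when both the digest and the size of the scanned file match, which is why an entry made for one build does nothing for a rebuilt binary. The lookup below keys on digest and size and carries the name for reporting only; that treatment of the name field, the file layouts, and the sample bytes are assumptions made for the example.

```python
"""Build and check ClamAV hash-based false-positive entries (.fp / .sfp).

Added example, not ClamAV's own code. Assumed formats:
  .fp  : MD5:FileSize:SignatureName
  .sfp : SHA1|SHA256:FileSize:SignatureName
The lookup matches on digest and size; the name field is carried for
reporting only (an assumption about the engine's behaviour).
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: a stand-in for an executable, not a real binary.
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"anycase-demo" * 8
SIG_NAME = "Win.Dropper.Tinba-9943147-0"

_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class FpEntry:
    digest: str   # lowercase hex
    size: int     # file size in bytes
    name: str     # signature the entry was written for


def fp_line(data: bytes, sig_name: str, algo: str = "md5") -> str:
    """Return the whitelist line for `data`: md5 -> .fp, sha1/sha256 -> .sfp."""
    if algo not in _ALGO_BY_LEN.values():
        raise ValueError("use md5, sha1 or sha256")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{sig_name}"


def parse_fp(lines: Iterable[str]) -> List[FpEntry]:
    """Parse .fp/.sfp lines; blank lines and '#' comments are ignored."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        digest = digest.lower()
        if len(digest) not in _ALGO_BY_LEN:
            raise ValueError(f"unrecognised digest length in: {line}")
        entries.append(FpEntry(digest, int(size), name))
    return entries


def fp_match(data: bytes, entries: Iterable[FpEntry]) -> Optional[FpEntry]:
    """Return the entry that whitelists `data`, or None.

    Size is compared first (cheap), then the digest for that entry's
    algorithm. A rebuilt binary of the same size still fails: the digest differs.
    """
    size = len(data)
    cache = {}
    for e in entries:
        if e.size != size:
            continue
        algo = _ALGO_BY_LEN[len(e.digest)]
        if algo not in cache:
            cache[algo] = hashlib.new(algo, data).hexdigest()
        if cache[algo] == e.digest:
            return e
    return None


def demo() -> bool:
    """True when a fresh entry matches the file it was made from but not a rebuilt one."""
    entries = parse_fp([fp_line(SAMPLE_EXE, SIG_NAME),
                        fp_line(SAMPLE_EXE, SIG_NAME, "sha256")])
    rebuilt = SAMPLE_EXE[:-1] + b"\x01"   # same size, one byte changed
    return fp_match(SAMPLE_EXE, entries) is not None and fp_match(rebuilt, entries) is None


if __name__ == "__main__":
    print(fp_line(SAMPLE_EXE, SIG_NAME))
    print("entry tracks the exact build:", demo())
```

The practical check this gives you: if clamscan --debug shows a matching FP SIGNATURE line but the file is still flagged, compare the file's size and md5 against that entry; a new release of the program will not hash to the old entry, and a fresh sample has to be submitted for it.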

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Yaron Elharar via clamav-users
that correlates exactly to where it started happening. It's a pretty cool case converter called AnyCase https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1 "... but perhaps the above will allow you to track down what component of the

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Al Varnell via clamav-users
Hi, Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline. And the signature is: % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs VIRUS NAME: Win.Dropper.Tinba-9943147-0 TDB:

Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users
Hi there, On Sat, 9 Jul 2022, Yaron Elharar via clamav-users wrote: My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total File hash 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9 I've tried to reach out to the team through

[clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread Yaron Elharar via clamav-users
Hi Everyone My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total File hash 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9 I've tried to reach out to the team through the false-positive reporting tool with no success for the

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
"G.W. Haywood via clamav-users" writes: > Hi there, > > On Thu, 29 Apr 2021, Robert Kudyba wrote: > >> ... no error(s) when I just ran it manually. > > There are lots of things in the script which look likely to cause > issues, so I'd have expected something: > > 1. Is your Perl interpreter in

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Michael Orlitzky via clamav-users
On Thu, 2021-04-29 at 16:22 +0100, G.W. Haywood via clamav-users wrote: > > 3. What is uid 110 on your system? On my clamd server it's 'sshd'. > This means that if I were to run it as root as it is, the script would > change ownership of the modified files to the wrong user (which would > break

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/. Thanks, I saw that after the fact; indeed /usr/bin in Fedora. > 2. The environment is likely to be different when the script runs via > freshclam from when it runs at the command line, and it's usually bad > form in

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread G.W. Haywood via clamav-users
Hi there, On Thu, 29 Apr 2021, Robert Kudyba wrote: ... no error(s) when I just ran it manually. There are lots of things in the script which look likely to cause issues, so I'd have expected something: 1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/. 2. The

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > > >> next if > /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; > > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/; > > > > You could do better with a regex, see the excellent Perl documentation. > > > > So what's the syntax to use || (or) with

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
Robert Kudyba writes: > >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/; > > You could do better with a regex, see the excellent Perl documentation. > > So what's the syntax to use || (or)

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > On Thu, 29 Apr 2021, Olivier via clamav-users wrote: > > Robert Kudyba writes: > > > >> How would you make this work for docs.google.com as well? > >> > >> the following regex corresponds to >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread G.W. Haywood via clamav-users
Hi there, On Thu, 29 Apr 2021, Olivier via clamav-users wrote: Robert Kudyba writes: How would you make this work for docs.google.com as well? the following regex corresponds to https://drive.google.com next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; If I

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
> > > How would you make this work for docs.google.com as well? > > > > the following regex corresponds to >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Olivier via clamav-users
Robert Kudyba writes: > How would you make this work for docs.google.com as well? > > the following regex corresponds to https://drive.google.com > next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; If I

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
How would you make this work for docs.google.com as well? the following regex corresponds to https://drive.google.com next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/; On Thu, Apr 29, 2021, 12:25 AM Olivier wrote: > Robert, > > In the configuration file user.conf for

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Olivier via clamav-users
Robert, In the configuration file user.conf for ClamAV-unofficial-sig, I set the following variable: clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl" And the script is attached below. Best regards, Olivier Attachment: clamav-unofficial-sigs-post.pl --
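One way to do what the post-update hook discussed above does (drop the MBL_* entries for Google Drive and Docs links, where `68747470733a2f2f...` is just "https://drive.google.com" in hex), written here as an added example in Python; it is not Olivier's attached Perl script and not ClamAV code. It assumes the .ndb line layout MalwareName:TargetType:Offset:HexSignature and, instead of hard-coding one hex string per domain, decodes the hex body and compares the hostname. That handles docs.google.com with the same code, keeps wildcard signatures it cannot decode, and does not drop entries for look-alike hosts such as drive.google.com.evil.example, which a substring match would. The host list and sample lines are constructed.

```python
"""Drop block-list entries for allowed hosts from a ClamAV .ndb signature file.

Added example in place of the thread's Perl post-update hook; not code from
the thread or from ClamAV. Assumed .ndb line layout:
    MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
The hex body is decoded and its hostname compared, rather than matching one
hard-coded hex string per domain. Hosts and sample lines are constructed.
"""
import binascii
import re
from typing import Iterable, List, Optional

# Hosts whose MBL_* URL entries we choose to drop locally (constructed list).
ALLOWED_HOSTS = ("drive.google.com", "docs.google.com")

# Only entries with this name shape are candidates; everything else is kept.
CANDIDATE_NAME = re.compile(r"^MBL_\d+$")

PLAIN_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
SCHEME_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def encode_hex_body(text: str) -> str:
    """ASCII string -> the hex form used in .ndb bodies."""
    return binascii.hexlify(text.encode("ascii")).decode("ascii")


def decode_hex_body(hexsig: str) -> Optional[str]:
    """Hex body -> ASCII string, or None when the body uses wildcards
    (??, *, {n}, (a|b) ...) or is not printable ASCII."""
    if not PLAIN_HEX.match(hexsig):
        return None
    raw = binascii.unhexlify(hexsig)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def host_of(url: str) -> str:
    m = SCHEME_HOST.match(url)
    return m.group(1).lower() if m else ""


def host_allowed(host: str) -> bool:
    """Exact or subdomain match only: drive.google.com.evil.example is NOT allowed."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def should_drop(line: str) -> bool:
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4:
        return False
    name, _target, _offset, hexsig = parts[:4]
    if not CANDIDATE_NAME.match(name):
        return False
    text = decode_hex_body(hexsig)
    return text is not None and host_allowed(host_of(text))


def filter_ndb(lines: Iterable[str]) -> List[str]:
    """Return the lines to keep; run over the .ndb after each signature update."""
    return [ln for ln in lines if not should_drop(ln)]


# Constructed sample database (not a real MBL export).
SAMPLE_NDB = [
    "MBL_85256034:0:*:" + encode_hex_body("https://drive.google.com"),
    "MBL_82485625:0:*:" + encode_hex_body("https://docs.google.com"),
    "MBL_1:0:*:" + encode_hex_body("https://drive.google.com.evil.example/"),
    "MBL_2:0:*:6874747073??2f2f",           # wildcard body: cannot decode, keep
    "Sanesecurity.Foo:0:*:" + encode_hex_body("https://drive.google.com"),
]

if __name__ == "__main__":
    for kept in filter_ndb(SAMPLE_NDB):
        print(kept)
```

Wire it to the same clamd_reload_opt hook position as the Perl script: rewrite the .ndb in place, then let clamd reload. Writing the filtered file to a temporary name and renaming it over the original avoids clamd reading a half-written database.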

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Robert Kudyba
I'd like the script and in our case the link starts with docs.google.com On Wed, Apr 28, 2021, 10:43 PM Olivier via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > > Robert Kudyba writes: > >

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Olivier via clamav-users
Hi, Robert Kudyba writes: > Since the signature name has .UNOFFICIAL and starts with MBL I believe that's > Malware Block List. I've > submitted a sample to fp (at) malwarepatrol.net. Is

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Steve Basford
On 28 April 2021 15:25:32 Robert Kudyba wrote: Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't appear

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Richard Graham via clamav-users
On Wed, Apr 28, 2021 at 4:25 PM Robert Kudyba wrote: > ... > sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs > ... and remember that --find-sigs takes a REGEX not a glob so perhaps you meant "MBL_85256034.*", although sigtool checks the entire entry so searching for 'MBL_85256034' is

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 28 Apr 2021, Robert Kudyba wrote: Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't

[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Robert Kudyba
Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't appear to acknowledge nor reply. Why don't these come up?

Re: [clamav-users] False positive on Heuristics.Phishing.Email.SSL-Spoof, no attachment

2021-04-20 Thread Al Varnell via clamav-users
As you have noted, this is a common situation. Anytime the actual URL does not closely match the displayed URL you'll get an alert unless it has been added to an M or X signature in the database. I haven't been convinced that anybody is maintaining that list of exceptions, so disabling it is
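The displayed-versus-actual link comparison Al describes here (the same family as the Phishing.Email.SpoofedDomain reports further up this page), as an added example that is not ClamAV's phishing code: every anchor whose visible text itself looks like a URL has its hostname compared with the hostname of the real href, and a pair can be exempted with an allow-list line in the .wdb form M:RealHostname:DisplayedHostname. The normalisation (lower-case, strip a leading "www."), the SSL-Spoof rule (displayed link says https://, real href does not) and the URL-like test are simplifications of the engine's logic, and the sample message and allow-list are constructed.

```python
"""Displayed-vs-actual link check, the idea behind ClamAV's
Heuristics.Phishing.Email.SSL-Spoof and Phishing.Email.SpoofedDomain alerts,
with an allow-list in the .wdb "M:RealHostname:DisplayedHostname" form.

Added example, not ClamAV's phishing engine. Simplifications, stated as such:
hostnames are compared after lower-casing and stripping a leading "www.";
SSL-Spoof means the displayed link claims https:// while the real href does
not; link text is only checked when it itself looks like a URL.
"""
import re
from html.parser import HTMLParser
from typing import Collection, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Link text that reads as a URL/hostname (so "Click here" is never a candidate).
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url: str) -> str:
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    host = (urlsplit(u).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def parse_wdb(lines: Iterable[str]) -> Set[Tuple[str, str]]:
    """Read M:RealHostname:DisplayedHostname lines; other kinds are ignored here."""
    allow = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, real, displayed = line.split(":", 2)
        if kind == "M":
            allow.add((hostname(real), hostname(displayed)))
    return allow


def check_links(html: str,
                allow: Collection[Tuple[str, str]] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (verdict, real_href, displayed_text) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for real, shown in parser.links:
        if not URL_LIKE.match(shown):
            continue                      # plain text, nothing to compare
        rh, sh = hostname(real), hostname(shown)
        if (rh, sh) in allow:
            continue                      # known redirector/tracker pair
        if shown.lower().startswith("https://") and not real.lower().startswith("https://"):
            findings.append(("SSL-Spoof", real, shown))
        elif rh != sh:
            findings.append(("SpoofedDomain", real, shown))
    return findings


# Constructed sample message and allow-list (not real mail).
SAMPLE_HTML = """
<p>Dear colleague,</p>
<a href="http://login.evil.example/x">https://bank.example/login</a>
<a href="https://news.example/a">news.example</a>
<a href="https://click.mailer.example/t?u=1">https://university.example/news</a>
<a href="https://x.example">Click here</a>
"""
SAMPLE_WDB = ["# pairs our mail platform legitimately rewrites",
              "M:click.mailer.example:university.example"]

if __name__ == "__main__":
    for verdict, real, shown in check_links(SAMPLE_HTML, parse_wdb(SAMPLE_WDB)):
        print(f"{verdict}: shown {shown!r} but links to {real!r}")
```

The third link is the shape that produces the false positives in this thread: a mail platform's click-tracking redirector in the href with the real destination as the visible text. An M: entry for that redirector/destination pair silences it without turning the heuristic off for everything else, which is the trade-off Al is weighing above.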

[clamav-users] False positive on Heuristics.Phishing.Email.SSL-Spoof, no attachment

2021-04-20 Thread Robert Kudyba
An important email from our university president was quarantined with Heuristics.Phishing.Email.SSL-Spoof. I submitted the email as an attachment to ClamAV. I'm also disabling it based on past reports such as

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Olivier via clamav-users
Hi, > Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails > quarantined with > the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an > attachment of a > Google Drive folder. I reported this to the false positive at SaneSecurity > address. I also

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Steve Basford
On 24 March 2021 14:16:33 Robert Kudyba wrote: Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. Hi Robert, It's best to report this

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 24 Mar 2021, Robert Kudyba wrote: Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. I reported this to the false

[clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Robert Kudyba
Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. I reported this to the false positive at SaneSecurity address. I also added the signature

Re: [clamav-users] False positive (?) in check6_clamd_vg test

2020-09-18 Thread Arjen de Korte via clamav-users
Quoting "Micah Snyder (micasnyd)": Hi Arjen, I see what you're talking about. It is a little confounding. We have a valgrind suppression rule for this specific issue: https://github.com/Cisco-Talos/clamav-devel/commit/8cfec0b245abfac9564c11012d67b19da004e927 {

Re: [clamav-users] False positive (?) in check6_clamd_vg test

2020-09-18 Thread Micah Snyder (micasnyd) via clamav-users
ing the effort to reimplement without overlapping memmoves. Thoughts? -Micah -Original Message- From: clamav-users On Behalf Of Arjen de Korte via clamav-users Sent: Friday, September 18, 2020 11:36 AM To: clamav-users@lists.clamav.net Cc: Arjen de Korte Subject: [clamav-users] False p

[clamav-users] False positive (?) in check6_clamd_vg test

2020-09-18 Thread Arjen de Korte via clamav-users
Three of the four valgrind tests fail, with what seems to be false positives: ==18703== ERROR SUMMARY: 12 errors from 1 contexts (suppressed: 0 from 0) ==18703== ==18703== 12 errors in context 1 of 1: ==18703== Source and destination overlap in memcpy_chk(0x1ffeffd1e0, 0x1ffeffd1fe, 549)

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Alain Zidouemba
The signature needs a little tweaking, and will be revised. Revision 0 (Txt.Coinminer.Generic-7132166-0) has been dropped and this will be reflected in the next signature update. - Alain On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users < clamav-users@lists.clamav.net> wrote: > > >

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread G.W. Haywood via clamav-users
Hi there, On Tue, 27 Aug 2019, Brian Cole via clamav-users wrote: ... we are seeing ClamAV think that CoinMiner virus exists in ... /var/log/sid_changes.log ... Would it not make more sense to exclude such files from your scans? -- 73, Ged.

Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Eric Tykwinski
. From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Brian Cole via clamav-users Sent: Tuesday, August 27, 2019 11:01 AM To: clamav-users@lists.clamav.net Cc: Brian Cole Subject: [clamav-users] False Positive for Txt.Coinminer.Generic

[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Brian Cole via clamav-users
Has anyone else seen a false positive from ClamAV, as a result of the August 24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was added ? Specifically, we are seeing ClamAV think that CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an

Re: [clamav-users] False Positive Detected - Win.Malware.Triusor-6824994-0

2019-01-22 Thread Christopher Marczewski
Hello Matt, Thanks for the report. We've dropped the signature & will investigate further. On Tue, Jan 22, 2019 at 7:43 AM Matt Muir wrote: > Hi all, > > I discovered a false positive detection of Win.Malware.Triusor-6824994-0 in > the database. Detection is occurring in fresh installs of

[clamav-users] False Positive Detected - Win.Malware.Triusor-6824994-0

2019-01-22 Thread Matt Muir
Hi all, I discovered a false positive detection of Win.Malware.Triusor-6824994-0 in the database. Detection is occurring in fresh installs of macOS 10.10 - 10.14 in the following files:

Re: [clamav-users] False positive

2018-08-03 Thread Joel Esler (jesler)
What is the md5? On Aug 3, 2018, at 2:36 AM, Groach <groachmail-stopspammin...@yahoo.com> wrote: An overnight scan has just pulled out a false positive on a program. Its against Winscp (file transfer program) that is a genuine download and been used for years. It's not the first

[clamav-users] False positive

2018-08-03 Thread Groach
An overnight scan has just pulled out a false positive on a program. Its against Winscp (file transfer program) that is a genuine download and been used for years. It's not the first time it has been hit as a FP and took several attempts previously to get it whitelisted before but now its

Re: [clamav-users] False positive -- I hope

2018-01-28 Thread Steve Basford
I *think* that this signature flags *all* zipped JS files, and (IIRC) both Firefox and Thunderbird have JS-containing JAR files. I hope that is all it is. Yep that's it. Foxhole_filename. Foxhole_all. Foxhole_generic and Foxhole_js all have different fp levels...depending on what you see

[clamav-users] False positive -- I hope

2018-01-28 Thread Paul Kosinski
Using clamav 0.99.3 to scan the latest Firefox ESR (52.6.0), and using various extra signatures from Sane Security, I get: firefox-52.6.0-esr-32.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND firefox-52.6.0-esr-64.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND I get the

Re: [clamav-users] False positive detection for a Valid File

2017-08-18 Thread Vijayakumar U
Thanks for the suggestion. I've already done what you said. Submitted here http://www.clamav.net/reports/fp with full signature name and no response. Hence posted here. On Fri, Aug 18, 2017 at 5:49 PM, Al Varnell wrote: > There are five different signatures for

Re: [clamav-users] False positive detection for a Valid File

2017-08-18 Thread Al Varnell
There are five different signatures for Doc.Macro.Obfuscation-63x-x, so you need to specify exactly which one(s) is/are involved when you submit these files to . -Al- On Fri, Aug 18, 2017 at 04:51 AM, Vijayakumar U wrote > Dear Team, > > Few zip and xls

[clamav-users] False positive detection for a Valid File

2017-08-18 Thread Vijayakumar U
Dear Team, Few zip and xls files downloaded from below site were filtered as Doc.Macro.Obfuscation http://acesdownload.nic.in/ACES%20UTILITIES%20DOWNLOADS.html http://acesdownload.nic.in/Documents/ACES-EFiling-ST3_April-June_2017_onwards_V1.10.zip It is a false positive detected by some

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-07-26 Thread Al Varnell
A.J., I'm not familiar with any of their Windows offerings, but their MacBooster products for macOS/OS X have long been classified as PUA by ClamXAV and other Mac malware scanners. Coco has made similar requests concerning MacBooster FP's. -Al- On Tue, Jul 25, 2017 at 09:34 PM, Arnaud Jacques

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Joel Esler (jesler)
This signature has been dropped. -- Joel Esler | Talos: Manager | jes...@cisco.com On Mar 31, 2017, at 3:44 AM, Arnaud Jacques / SecuriteInfo.com wrote: Received this message

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
On Fri, Mar 31, 2017 at 01:10 AM, Steve Basford wrote: > > On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: >> Received this message: >> >> >> -- Forwarded message -- >> >> This is Coco from IObit (www.iobit.com). >> >> >> Your program ClamAV reports

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
Coco You will need to upload at least one of those to in order for an investigation to be opened. -Al- On Fri, Mar 31, 2017 at 12:44 AM, Arnaud Jacques / SecuriteInfo.com wrote: > > Received this message: > > -- Forwarded message -- > >

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Steve Basford
On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: > Received this message: > > > -- Forwarded message -- > > This is Coco from IObit (www.iobit.com). > > > Your program ClamAV reports the file RegistryDefragBootTime.exe as > Win.Trojan.Agent-5776271-0

[clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Arnaud Jacques / SecuriteInfo.com
Received this message: -- Forwarded message -- Subject: False Positive of IObit product by ClamAV Date: Friday 31 March 2017, 14:52:42 From: beta feedback Hi ClamAV, This is Coco from IObit (www.iobit.com). Please forward this email to the

Re: [clamav-users] false positive rate

2016-10-02 Thread Steve basford
I guess the first question is are you using official only signatures or do you use 3rd party ones... if so could you do a database list. Next, are you scanning files which are getting fps or are these files grabbed via http or proxy? Could you post sig names, filenames and hashes of a few of

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Alain Zidouemba
The offending signature has been dropped from the signature set. This should be reflected shortly in an upcoming signature update. - Alain On Wed, Aug 10, 2016 at 6:10 AM, Al Varnell wrote: > The only way to be notified is if you submit a sample to the ClamAV False >

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 7:22 am, ANANT S ATHAVALE wrote: > Hi, > > > Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is > this a false positive? Finally got it... blank LibreOffice.doc file... blank.doc: Win.Exploit.CVE_2016_3316-1 I've added a whitelist entry to

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Al Varnell
The only way to be notified is if you submit a sample to the ClamAV False Positive site that I referenced earlier. Otherwise, you’ll just have to query the database periodically to see if and when it is removed or ignored. -Al- On Wed, Aug 10, 2016 at 02:32 AM, Robert Boyle wrote: > > Can

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 10:52 am, Jan-Pieter Cornet wrote: > On 10-8-16 08:22, ANANT S ATHAVALE wrote: > >> Hi, >> >> >> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is >> this a false positive? > > Created a completely empty .doc file using LibreOffice on linux, and the >

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Reindl Harald
On 10.08.2016 at 11:52, Jan-Pieter Cornet wrote: On 10-8-16 08:22, ANANT S ATHAVALE wrote: Hi, Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive? Yes. Created a completely empty .doc file using LibreOffice on linux, and the resulting file was

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Jan-Pieter Cornet
On 10-8-16 08:22, ANANT S ATHAVALE wrote: > Hi, > > Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a > false positive? Yes. Created a completely empty .doc file using LibreOffice on linux, and the resulting file was recognized as Win.Exploit.CVE_2016_3316-1. This

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Reindl Harald
On 10.08.2016 at 11:32, Robert Boyle wrote: I see that you have added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2 Can you please advise when this whitelist update is available to all users? you can place your own .ign2 file in the signature folder, that's the whole point of different

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Robert Boyle
Hi, I see that you have added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2 Can you please advise when this whitelist update is available to all users? Thanks RB

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Al Varnell
Signature was just added yesterday, so there’s a good chance. Be sure and submit a couple of samples to so that it can be taken care of for all. -Al- On Tue, Aug 09, 2016 at 11:22 PM, ANANT S ATHAVALE wrote: > > Hi, > > Most of the mails are marked with

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Axb
On 08/10/2016 08:22 AM, ANANT S ATHAVALE wrote: Hi, Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive? seems so! added Win.Exploit.CVE_2016_3316-1 to whitelist.ign2

[clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread ANANT S ATHAVALE
Hi, Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a false positive? -- सादर धन्यवाद/ Thanks & Regards अनंत / Anant

Re: [clamav-users] False positive

2016-02-17 Thread Al Varnell
On Feb 17, 2016, at 9:01 PM, Tsutomu Oyamada wrote: > A false positive which detected a normal file as the malware > "win.Trojan.Bancos-2115" occurred last week. > It started with CVD version 21359 and was fixed by 21362. > Could you tell us what was the cause of this false positive? Did you read

[clamav-users] False positive

2016-02-17 Thread Tsutomu Oyamada
Hi, A false positive which detected a normal file as the malware "win.Trojan.Bancos-2115" occurred last week. It started with CVD version 21359 and was fixed by 21362. Could you tell us what was the cause of this false positive? And also, could you tell us what steps you take to prevent false

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread P K
OK, thank you. On Wed, Nov 4, 2015 at 2:55 PM, Al Varnell wrote: > By definition, there is no such thing as a False Positive PUA nor is PUA > considered to be infected. > > Based on the description of

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Al Varnell
By definition, there is no such thing as a False Positive PUA nor is PUA considered to be infected. Based on the description of CVE-2012-1461 I’d guess it

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Steve Basford
On Wed, November 4, 2015 6:03 am, P K wrote: > Hi, > > > I tried clamdscan with PUA enabled on go source code and seen an error. > issue6550.gz: PUA.File.Exploit.CVE_2012_1461 https://www.virustotal.com/en/file/c809983cf1b4f11552a1880272e3002a963a39c453b4883bf47e5c2cfc8f2a47/analysis/1446632226/

[clamav-users] False positive on go source code using PUA

2015-11-03 Thread P K
Hi, I tried clamdscan with PUA enabled on go source code and saw an error. Below is the error: clamdscan -v go1.4.2.src.tar.gz /home/punit/go1.4.2.src.tar.gz: PUA.File.Exploit.CVE_2012_1461 FOUND --- SCAN SUMMARY --- Infected files: 1 Time: 0.507 sec (0 m 0 s) Is it really

Re: [clamav-users] - False Positive

2015-07-09 Thread Ingo Bente
Yes. /path/to/file: BC.Win.Exploit.CVE_2012_0167 FOUND The file was last changed in Mar 2015. This, in addition to the fact that the CVE dates back to the year 2012, seems to indicate a false positive to me. Cheers Ingo On 9 July 2015 at 15:37, Alain Zidouemba azidoue...@sourcefire.com wrote:

Re: [clamav-users] - False Positive

2015-07-09 Thread Ingo Bente
The file has been subject to daily scanning since Mar 2015. According to the mtime, the file has not been changed since. However, the positive finding from ClamAV occurred just yesterday. That's why it seems to me that this might be a false positive. Please let me know what you think. Cheers

Re: [clamav-users] - False Positive

2015-07-09 Thread Al Varnell
I’m not sure why you would consider a 2012 CVE to be an indicator of a false positive. Have you read the vulnerability description? https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167 If that document contains an EMF image it could cause a heap-based buffer overflow in those older,

Re: [clamav-users] - False Positive

2015-07-09 Thread Al Varnell
I used to be able to scan the database to determine when each signature was added, but that list has been eliminated so I can’t verify, but when an older file is suddenly identified as infected, my first thought is that this must be a new signature. Just because the vulnerability has been

[clamav-users] - False Positive

2015-07-09 Thread Ingo Bente
I am seeing the same finding. Since yesterday's daily update. I cross checked the respective file with Gmail, Avast, Avira and Windows Defender. None of them reported a virus. I am not able to share the document, though. Hope you can figure out the root cause. Cheers Ingo If one of the

Re: [clamav-users] - False Positive

2015-07-09 Thread Alain Zidouemba
Can you provide the detection name that ClamAV displayed? Thanks, - Alain On Thu, Jul 9, 2015 at 7:43 AM, Ingo Bente ingo.be...@gmail.com wrote: I am seeing the same finding. Since yesterday's daily update. I cross checked the respective file with Gmail, Avast, Avira and Windows Defender.

Re: [clamav-users] - False Positive

2015-07-09 Thread Shaun Hurley
Ingo, It looks like this sig was originally published on June 11th, 2015. We dropped the signature this afternoon to review why it triggered a false positive. Thank you for making us aware of this issue. Please let us know if there are any other issues. Thanks again, Shaun Hurley ClamAV

Re: [clamav-users] - False Positive

2015-07-07 Thread Andrew Carter
On 08/07/15 11:02, Andrew Carter wrote: Hi, I am seeing Word documents coming up with a virus - BC.Win.Exploit.CVE_2012_0167 but only clam is detecting this. Can this be fixed? Thanks, Andrew

Re: [clamav-users] - False Positive

2015-07-07 Thread Alain Zidouemba
If one of the documents doesn't contain sensitive information, can you submit it here? http://www.clamav.net/report/report-fp.html Thanks, - Alain On Tuesday, July 7, 2015, Andrew Carter andrew.car...@smxemail.com wrote: On 08/07/15 11:02, Andrew Carter wrote: Hi, I am seeing Word

[clamav-users] False positive for sure

2014-09-03 Thread Gene Heskett
Greetings; This report from last night's clamscan is absolutely a false positive: /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND Cheers, Gene Heskett -- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo.