Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-28 Thread Joel Esler (jesler)
When I say “disable an engine” I mean, disabling the conviction engine on my 
side that convicts those files.  It’s been turned off for several days now.

--
Joel Esler | Talos: Manager | jes...@cisco.com

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-28 Thread Joel Esler (jesler)
Mark,

Thanks.  I’ve set these to drop, so they should disappear in an upcoming 
release.

Not sure why they were convicted in the first place, I have safeguards that
should have prevented this, I’ll look into it.


--
Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan

> On 23 Nov 2016, at 11:23 am, Al Varnell wrote:
> 
> Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
> problem. It too was dropped in daily - 22584.

Oops, you're right. I must have copied and pasted that from the wrong list.
Sorry.

> Also, Joel mentioned something about disabling an engine, but I don't really 
> know how that is accomplished and whether it's reported to us as part of a 
> daily.cdiff.

Difficult to know, but it doesn't look like it.  Scanning the same directory 
after updating via freshclam still shows the 23 remaining FPs.

Mark

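The two practical steps behind Al's question (did the daily you just pulled actually drop a signature?) and Mark's "still shows the 23 remaining FPs", as an added shell example that is not from the thread or from the ClamAV project. It takes the 24 names Mark posted, groups them into runs of consecutive IDs (the observation behind the "one bulk upload" guess), writes them to a local .ign2 whitelist so the files stop being flagged while the signatures are fixed upstream, and, after a freshclam run, asks sigtool which names are still in the installed databases. The script name fp-triage.sh, the database directory /var/lib/clamav, the file name local-fp.ign2 and sigtool being on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): triage a list of
# ClamAV signature names reported as false positives.
#   valid_sigs        keep only well-formed "Family.Name-ID" names
#   consecutive_runs  group the IDs into runs of consecutive numbers
#   write_ign2        write a local whitelist (.ign2) for the names
#   still_present     ask sigtool which names survive a freshclam update
# Assumed: database dir /var/lib/clamav, file name local-fp.ign2, sigtool on PATH.

# The 24 names Mark posted, one per line.
FP_LIST='Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195'

count_lines() { awk 'END { print NR }'; }

# Pass through only names of the form Family.Name-ID (the only form used in
# the thread; names with a trailing "-N" variant suffix are rejected).
valid_sigs() {
    grep -E '^[A-Za-z][A-Za-z0-9_.]*-[0-9]+$'
}

# Collapse the names into runs of consecutive IDs, one run per output line,
# e.g. "Txt.Malware.Agent 1835883-1835894 (12 sigs)".
consecutive_runs() {
    valid_sigs | sed -E 's/-([0-9]+)$/ \1/' | sort -k1,1 -k2,2n -u | awk '
        function flush() { if (n) printf "%s %d-%d (%d sigs)\n", fam, first, last, n }
        $1 != fam || $2 != last + 1 { flush(); fam = $1; first = $2; n = 0 }
        { last = $2; n++ }
        END { flush() }'
}

# Write a .ign2 whitelist. ClamAV loads every *.ign2 in its database directory
# and suppresses any detection whose signature name is listed, one per line.
# Prints the number of names written.
write_ign2() {   # $1 = output path
    valid_sigs | sort -u > "$1"
    count_lines < "$1"
}

# After freshclam has run, ask sigtool which names still exist in the installed
# databases. Returns 0 when none do (all dropped upstream), 1 when some remain,
# 2 when sigtool is not installed.
still_present() {
    command -v sigtool >/dev/null 2>&1 || { echo "sigtool not found" >&2; return 2; }
    remaining=$(valid_sigs | while read -r sig; do
        # match the name literally (escape the dots) and require a non-digit
        # after it so Agent-18358 does not match Agent-1835883
        esc=$(printf '%s' "$sig" | sed 's/\./\\./g')
        if sigtool --find-sigs="$sig" 2>/dev/null | grep -qE "$esc"'([^0-9]|$)'; then
            echo "$sig"
        fi
    done)
    [ -z "$remaining" ] && return 0
    printf 'still present after update:\n%s\n' "$remaining"
    return 1
}

# Usage: sh fp-triage.sh run [dbdir]
if [ "${1:-}" = "run" ]; then
    dbdir=${2:-/var/lib/clamav}                      # assumed location
    printf '%s\n' "$FP_LIST" | consecutive_runs
    n=$(printf '%s\n' "$FP_LIST" | write_ign2 "$dbdir/local-fp.ign2")
    echo "wrote $n names to $dbdir/local-fp.ign2"
    printf '%s\n' "$FP_LIST" | still_present
fi
```

clamscan reads the new .ign2 on its next run; clamd needs `clamdscan --reload` or a restart. An .ign2 entry is a blanket suppression by name, so it also hides any future genuine detection reported under those names: keep the file to names you have actually verified as clean, and delete it once still_present reports nothing left.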

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Al Varnell
Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
problem. It too was dropped in daily - 22584.

Also, Joel mentioned something about disabling an engine, but I don't really 
know how that is accomplished and whether it's reported to us as part of a 
daily.cdiff.

-Al-
-- 
Al Varnell
Mountain View, CA

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan
Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark


Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Al Varnell
I see that Daily - 22584 drops three of them:

   * Txt.Malware.Agent-1811885

   * Txt.Malware.Agent-1835895

   * Txt.Malware.Agent-1835897

-Al-
-- 
Al Varnell
Mountain View, CA

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Maarten Broekman
I am seeing these mostly on files that comprise the OpenLayers library in
phpMyAdmin 4.

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Joel Esler (jesler)
Mark,

Thanks for the feedback, you are right, I am experiencing some high counts in 
the Txt.Malware.Agent family.

I’ve disabled this engine for now.

--
Joel Esler | Talos: Manager | jes...@cisco.com

[clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Mark Allan
Hi all,

I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7] 
containing a number of files which ClamAV incorrectly detects as various 
strains of Txt.Malware.Agent

My experience may be slightly skewed, but it seems that the rate of FPs has 
increased a lot lately, and they mostly appear to be being caused by hash-based 
signatures.  I'm wondering if this is related to Joel's recent admission that 
the signature generation process is almost entirely automated now.

Is it possible that someone is targeting ClamAV and reporting known-clean files 
as if they were infected?  To what end, I'm not sure, but I can't shake the 
feeling that something's not right...

Mark
