Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
No, Daily - 22782 says Win.Trojan.Toa-5368540-0 is a New signature, not one of 
the 11,296 dropped.

-Al-

On Mon, Dec 26, 2016 at 08:11 PM, Joel Esler (jesler) wrote:
> 
> I believe that signature has been dropped.  


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
I believe that signature has been dropped.  

--
Sent from my iPhone

> On Dec 26, 2016, at 11:08 PM, Christian Balzer  wrote:
> 
> 
> Hello,
> 
>> On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote:
>> 
>> We QA against thousands of clean files for each signature.  But we don't 
>> have a copy of every file in the world to QA against.  
>> 
>> When people send in false positives, if we determine them to be actually 
>> clean, we add them to the FP farm as well.  That's why FPs are important to 
>> send in, not just to clean current FPs, but to prevent future ones.   
>> 
> 
> Don't have a sample (confidential file), but I have confirmation that this
> was indeed an Excel .xlsm file.
> Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
> I'm willing to bet real money that it was the same type.
> 
> Christian
> 
>> --
>> Sent from my iPhone
>> 
>>> On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
>>> 
>>> 
>>> Hello Al,
>>> 
 On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
 
 Although most, if not all the Win.Trojan.Toa old signatures were either 
 dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
 that would appear to be a new issue.
 
>>> Be that as it may, I'd say this isn't a new issue as such but a
>>> continuation of what is clearly insufficient QA with these signatures.
>>> 
>>> I'd love to be more helpful, but since these are large mails I don't have a
>>> complete bounce (Exim suppresses those over 100KB) and I don't have easy
>>> access to any of the senders.
>>> But it's with near certainty some attachment in a MS file format that
>>> triggers these.
>>> 
>>> Regards,
>>> 
>>> Christian
>>> 
 -Al-
 
> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> 
> Hello,
> 
>> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
>> 
>> 
>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>> In keeping with the other false positive reports I have more than 400
>>> CentOS servers report below after yesterday's freshclam update:
>> 
>> Yes, nashorn.jar seems to get hit too...
>> 
>> eg:
>> 
>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>> 
>> and the earlier reported FPs are still there:
>> 
>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>> 
>> etc.
>> 
>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
>> done
>> in full after holidays.
>> 
> I can only second that.
> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> 
> At this rate the previous bit about "Clamscan becoming its own worst
> enemy." can not be underestimated.
> This is the 2nd, VERY visible FP avalanche in so many months and since it
> affects a lot of people here including internal business mails.
> Reflecting badly on all OSS projects and SW.
> 
> Christian
> 
>> As the issues go on...
>> 
>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>> 
>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
>>> 
>>> 
>>> -- 
>>> Christian Balzer    Network/Systems Engineer
>>> ch...@gol.com       Global OnLine Japan/Rakuten Communications
>>> http://www.gol.com/
> 
> 
> -- 
> Christian Balzer    Network/Systems Engineer
> ch...@gol.com       Global OnLine Japan/Rakuten Communications
> http://www.gol.com/

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello,

On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote:

> We QA against thousands of clean files for each signature.  But we don't have 
> a copy of every file in the world to QA against.  
> 
> When people send in false positives, if we determine them to be actually 
> clean, we add them to the FP farm as well.  That's why FPs are important to 
> send in, not just to clean current FPs, but to prevent future ones.   
>

Don't have a sample (confidential file), but I have confirmation that this
was indeed an Excel .xlsm file.
Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
I'm willing to bet real money that it was the same type.

Christian

> --
> Sent from my iPhone
> 
> > On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
> > 
> > 
> > Hello Al,
> > 
> >> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
> >> 
> >> Although most, if not all the Win.Trojan.Toa old signatures were either 
> >> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
> >> that would appear to be a new issue.
> >> 
> > Be that as it may, I'd say this isn't a new issue as such but a
> > continuation of what is clearly insufficient QA with these signatures.
> > 
> > I'd love to be more helpful, but since these are large mails I don't have a
> > complete bounce (Exim suppresses those over 100KB) and I don't have easy
> > access to any of the senders.
> > But it's with near certainty some attachment in a MS file format that
> > triggers these.
> > 
> > Regards,
> > 
> > Christian
> > 
> >> -Al-
> >> 
> >>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> >>> 
> >>> Hello,
> >>> 
>  On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
>  
>  
> > On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> > In keeping with the other false positive reports I have more than 400
> > CentOS servers report below after yesterday's freshclam update:
>  
>  Yes, nashorn.jar seems to get hit too...
>  
>  eg:
>  
>  fp2\11476331d01: Win.Trojan.Toa-5372078-0
>  fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>  fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>  fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>  fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>  fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>  fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>  
>  and the earlier reported FPs are still there:
>  
>  fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>  fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>  fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>  fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>  fp\omni.ja: Win.Trojan.Toa-5370166-0
>  fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>  fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>  
>  etc.
>  
>  IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
>  done
>  in full after holidays.
>  
> >>> I can only second that.
> >>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> >>> 
> >>> At this rate the previous bit about "Clamscan becoming its own worst
> >>> enemy." can not be underestimated.
> >>> This is the 2nd, VERY visible FP avalanche in so many months and since it
> >>> affects a lot of people here including internal business mails.
> >>> Reflecting badly on all OSS projects and SW.
> >>> 
> >>> Christian
> >>> 
>  As the issues go on...
>  
>  https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>  
>  https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> > 
> > 
> > -- 
> > Christian Balzer    Network/Systems Engineer
> > ch...@gol.com       Global OnLine Japan/Rakuten Communications
> > http://www.gol.com/


-- 
Christian Balzer    Network/Systems Engineer
ch...@gol.com       Global OnLine Japan/Rakuten Communications
http://www.gol.com/

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
We QA against thousands of clean files for each signature.  But we don't have a 
copy of every file in the world to QA against.  

When people send in false positives, if we determine them to be actually clean, 
we add them to the FP farm as well.  That's why FPs are important to send in, 
not just to clean current FPs, but to prevent future ones.   

--
Sent from my iPhone

> On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
> 
> 
> Hello Al,
> 
>> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
>> 
>> Although most, if not all the Win.Trojan.Toa old signatures were either 
>> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
>> that would appear to be a new issue.
>> 
> Be that as it may, I'd say this isn't a new issue as such but a
> continuation of what is clearly insufficient QA with these signatures.
> 
> I'd love to be more helpful, but since these are large mails I don't have a
> complete bounce (Exim suppresses those over 100KB) and I don't have easy
> access to any of the senders.
> But it's with near certainty some attachment in a MS file format that
> triggers these.
> 
> Regards,
> 
> Christian
> 
>> -Al-
>> 
>>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
>>> 
>>> Hello,
>>> 
 On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
 
 
> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> In keeping with the other false positive reports I have more than 400
> CentOS servers report below after yesterday's freshclam update:
 
 Yes, nashorn.jar seems to get hit too...
 
 eg:
 
 fp2\11476331d01: Win.Trojan.Toa-5372078-0
 fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
 fp2\3A627716d01: Win.Trojan.Toa-5372078-0
 fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
 fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
 fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
 fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
 
 and the earlier reported FPs are still there:
 
 fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
 fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
 fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
 fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
 fp\omni.ja: Win.Trojan.Toa-5370166-0
 fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
 fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
 
 etc.
 
 IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
 done
 in full after holidays.
 
>>> I can only second that.
>>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
>>> 
>>> At this rate the previous bit about "Clamscan becoming its own worst
>>> enemy." can not be underestimated.
>>> This is the 2nd, VERY visible FP avalanche in so many months and since it
>>> affects a lot of people here including internal business mails.
>>> Reflecting badly on all OSS projects and SW.
>>> 
>>> Christian
>>> 
 As the issues go on...
 
 https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
 
 https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> 
> 
> -- 
> Christian Balzer    Network/Systems Engineer
> ch...@gol.com       Global OnLine Japan/Rakuten Communications
> http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello Al,

On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:

> Although most, if not all the Win.Trojan.Toa old signatures were either 
> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
> that would appear to be a new issue.
>
Be that as it may, I'd say this isn't a new issue as such but a
continuation of what is clearly insufficient QA with these signatures.

I'd love to be more helpful, but since these are large mails I don't have a
complete bounce (Exim suppresses those over 100KB) and I don't have easy
access to any of the senders.
But it's with near certainty some attachment in a MS file format that
triggers these.

Regards,

Christian

> -Al-
> 
> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> > 
> > Hello,
> > 
> > On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
> > 
> >> 
> >> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> >>> In keeping with the other false positive reports I have more than 400
> >>> CentOS servers report below after yesterday's freshclam update:
> >> 
> >> Yes, nashorn.jar seems to get hit too...
> >> 
> >> eg:
> >> 
> >> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> >> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> >> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> >> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> >> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> >> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> >> 
> >> and the earlier reported FPs are still there:
> >> 
> >> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> >> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> >> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> >> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp\omni.ja: Win.Trojan.Toa-5370166-0
> >> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> >> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> >> 
> >> etc.
> >> 
> >> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
> >> done
> >> in full after holidays.
> >> 
> > I can only second that.
> > And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> > 
> > At this rate the previous bit about "Clamscan becoming its own worst
> > enemy." can not be underestimated.
> > This is the 2nd, VERY visible FP avalanche in so many months and since it
> > affects a lot of people here including internal business mails.
> > Reflecting badly on all OSS projects and SW.
> > 
> > Christian
> > 
> >> As the issues go on...
> >> 
> >> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> >> 
> >> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0


-- 
Christian Balzer    Network/Systems Engineer
ch...@gol.com       Global OnLine Japan/Rakuten Communications
http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
Although most, if not all the Win.Trojan.Toa old signatures were either dropped 
by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would 
appear to be a new issue.

-Al-

On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> 
> Hello,
> 
> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
> 
>> 
>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>> In keeping with the other false positive reports I have more than 400
>>> CentOS servers report below after yesterday's freshclam update:
>> 
>> Yes, nashorn.jar seems to get hit too...
>> 
>> eg:
>> 
>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>> 
>> and the earlier reported FPs are still there:
>> 
>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>> 
>> etc.
>> 
>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
>> in full after holidays.
>> 
> I can only second that.
> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> 
> At this rate the previous bit about "Clamscan becoming its own worst
> enemy." can not be underestimated.
> This is the 2nd, VERY visible FP avalanche in so many months and since it
> affects a lot of people here including internal business mails.
> Reflecting badly on all OSS projects and SW.
> 
> Christian
> 
>> As the issues go on...
>> 
>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>> 
>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0



Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello,

On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:

> 
> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> > In keeping with the other false positive reports I have more than 400
> > CentOS servers report below after yesterday's freshclam update:
> 
> Yes, nashorn.jar seems to get hit too...
> 
> eg:
> 
> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> 
> and the earlier reported FPs are still there:
> 
> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> fp\omni.ja: Win.Trojan.Toa-5370166-0
> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> 
> etc.
> 
> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
> in full after holidays.
> 
I can only second that.
And add Win.Trojan.Toa-5368540-0 to the list of FPs.

At this rate the previous bit about "Clamscan becoming its own worst
enemy." can not be underestimated.
This is the 2nd, VERY visible FP avalanche in so many months and since it
affects a lot of people here including internal business mails.
Reflecting badly on all OSS projects and SW.

Christian

> As the issues go on...
> 
> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> 
> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> 


-- 
Christian Balzer    Network/Systems Engineer
ch...@gol.com       Global OnLine Japan/Rakuten Communications
http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford

On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> In keeping with the other false positive reports I have more than 400
> CentOS servers report below after yesterday's freshclam update:

Yes, nashorn.jar seems to get hit too...

eg:

fp2\11476331d01: Win.Trojan.Toa-5372078-0
fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
fp2\3A627716d01: Win.Trojan.Toa-5372078-0
fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0

and the earlier reported FPs are still there:

fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp\omni.ja: Win.Trojan.Toa-5370166-0
fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0

etc.

IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
in full after holidays.

As the issues go on...

https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061

https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0

-- 
Cheers,

Steve
Twitter: @sanesecurity
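Added example (not code from this thread, from Sanesecurity or from the ClamAV project): a small Python triage script for the kind of report Steve posts above and for the clean-corpus "FP farm" check Joel describes further up the thread. It assumes clamscan's default per-file output ("<path>: <signature> FOUND" / "<path>: OK") and the .ign2 local-ignore file format (one signature name per line); the sample scan lines are constructed from path/signature pairs quoted in the thread, and the "several unrelated file types under one Win.Trojan name" heuristic is this example's own triage rule, not anything ClamAV does.

```python
"""Triage a batch of ClamAV detections and draft a local ignore list.

Added example; not code from the thread or from the ClamAV project.
Assumes clamscan's default per-file line format ("<path>: <signature> FOUND",
"<path>: OK") and the .ign2 local-ignore format (one signature name per line).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: Windows-style paths as in Steve's report, plus a clean
# file and a summary block so the parser is exercised on non-hit lines too.
SAMPLE_SCAN_OUTPUT = "\n".join([
    r"fp2\11476331d01: Win.Trojan.Toa-5372078-0 FOUND",
    r"fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0 FOUND",
    r"fp2\3A627716d01: Win.Trojan.Toa-5372078-0 FOUND",
    r"fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0 FOUND",
    r"fp2\nashorn.jar: Win.Trojan.Toa-5370166-0 FOUND",
    r"fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0 FOUND",
    r"fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0 FOUND",
    r"fp\omni.ja: Win.Trojan.Toa-5370166-0 FOUND",
    r"fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0 FOUND",
    r"fp\README.txt: OK",
    "",
    "----------- SCAN SUMMARY -----------",
    "Infected files: 9",
])

# One detection line; the non-greedy path group still parses a ": " inside
# the path because signature names contain no whitespace.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_hits(scan_output):
    """Map each signature name to the list of paths it matched."""
    hits = defaultdict(list)
    for line in scan_output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def file_types(paths):
    """Sorted lower-cased extensions of the matched files ("<none>" when absent).

    PureWindowsPath accepts both separators, so Linux scan output works too.
    """
    return sorted({PureWindowsPath(p).suffix.lower() or "<none>" for p in paths})


def suspect_false_positives(hits, family_prefix="Win.Trojan.Toa-", min_types=2):
    """Signatures in one family whose matches span several unrelated file types.

    Triage heuristic (an assumption of this example, not a ClamAV rule): a
    "Win.Trojan" signature that fires on .jar, .xpi and .ja archives alike is
    more likely a weak byte pattern than a real Windows trojan, so it goes to
    the top of the list for a sample submission and a temporary local ignore.
    """
    return {sig: file_types(paths) for sig, paths in hits.items()
            if sig.startswith(family_prefix) and len(file_types(paths)) >= min_types}


def clean_corpus_report(scan_output):
    """Every hit on a known-clean corpus is a false positive by definition.

    Mirrors the "FP farm" idea from the thread: return {signature: hit count}
    for a scan of files already vetted as clean, so rolling out a signature
    update can be gated on this dict being empty.
    """
    return {sig: len(paths) for sig, paths in parse_hits(scan_output).items()}


def ign2_content(signatures):
    """Body of a local .ign2 file: one signature name per line, nothing else."""
    return "".join(f"{sig}\n" for sig in sorted(signatures))


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_SCAN_OUTPUT)
    for sig, paths in sorted(hits.items()):
        print(f"{sig}: {len(paths)} file(s), types {file_types(paths)}")
    flagged = suspect_false_positives(hits)
    print("\nSuggested local.ign2 until the vendor drops or fixes the signature:")
    print(ign2_content(flagged), end="")
```

Feed it the saved output of a clamscan run (for example `clamscan -r /path/to/corpus > scan.log`) instead of the constructed sample, and drop the generated text into a `.ign2` file in the database directory (typically /var/lib/clamav/local.ign2; the path is an assumption, check DatabaseDirectory in your clamd.conf). The ignore list is a stop-gap: it silences the named signatures for every file, so it should be removed once the vendor has dropped or corrected them, and the clean samples that triggered it are still worth submitting so they end up in the FP farm Joel mentions.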
