[clamav-users] Osx.Trojan.FkCodec-1 False Positives

Al Varnell alvarnell at mac.com
Sat May 10 04:24:03 UTC 2014


Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg which apparently has an MD5 = efddf96af90be02bcc9e37cbc21c34a6
<https://www.virustotal.com/en/file/c3707dd14b766fd5d19daddf19cf57e980ffaa81fec3bec3e4de47bbf7419118/analysis/>.

I asked the OP to upload it to "Send a false positive", but I'm not sure they will be able to.

-Al-

On May 9, 2014, at 7:53 PM, Al Varnell <alvarnell at mac.com> wrote:

> I don’t have all the information on this yet, but I’ve had two ClamXav users complain today of commercial software being identified as infected by Osx.Trojan.FkCodec-1. I can’t locate it on the clamav-virusdb list, but perhaps it was just added today.
> 
> The first is "accordion.1.6.2(83).dmg", downloaded from <http://yourhead.com/accordion/download/index.html> which I verified was identified. It’s a RapidWeaver Plug-in from YourHead.com. 
> 
> I submitted it to VirusTotal with the following 1/51 results:
> <https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>.
> 
> So I uploaded it to Send a false positive report, but got the following response:
>> Result: 
>> This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures. 
>> 
>> Please correct the above errors and retry. Thank you for helping the ClamAV project.
> 
> I updated definitions and it was still detected as infected. ClamXav is still using v0.98.1. I’ve had this happen once before, but have no idea how it could test positive on two Macs and VirusTotal, but not on your site.
> 
> MD5 = f247e5f45b7a30ce600be34e66d93fa8
> 
> The second file is named "Rapport-5.dmg", which is an older version of Trusteer Rapport for Mac. The latest version does not test positive, but that’s not surprising to me. I’ve asked the user to upload his file to VirusTotal and will post the results once I have them.
> 
> This is yet another example of OS X .dmg files being falsely identified as infected.  All of these signatures follow the same pattern of detecting multiple strings of characters (mostly the letter “a”) contained in an XML section of the .dmg file.  I believe this is provided as overhead information concerning the file and does not contain any data at all to positively identify the contents of the image file.  Since the formats of the XML portion of the .dmg files are all very similar, I suspect it will be extremely difficult to uniquely fingerprint such files by using XML strings.
> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
