[clamav-users] HTML.Exploit.Heap-2 False Positive?
Shaun Hurley
shahurle at sourcefire.com
Tue May 13 15:19:52 UTC 2014
A ClamXav user complained that a Google Chrome extension, “WebGL
Inspector”, which he has used since 2012, was said to be infected with
HTML.Exploit.Heap-2.
I was able to obtain a later version of that extension and verified that
the gli.all.js file in that extension scans as infected.
I was not able to locate when this signature was added on the
clamav-virusdb list.
I was able to easily confirm that the file contains all elements of the
signature (four ASCII strings separated by “any strings” of varying length).
I haven’t found any clues on what an actual infected file might be.
I submitted it to VirusTotal where only ClamAV® detected it
<https://www.virustotal.com/en/file/36fd57cce150c5e8ea26168823e84b19e109592c6586496b605306cbb482d982/analysis/1399908003/>
I successfully uploaded to you using your "Submit a false positive" form.
MD5 = 6968c0d2ad15e68b33bb30074ddbb7a6
-Al-
--
Al Varnell
Mountain View, CA
-------------
Al,
Sorry, I didn't have the original email that was sent to the list. After
further analysis, I've modified the signature so that it shouldn't generate
as many false positives.
Thank you,
Shaun Hurley
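
The false-positive mechanism described in the quoted report (four ASCII strings separated by gaps of any length), as an added example that is not part of the original thread and not ClamAV's own code: a matcher for a small subset of ClamAV's hex body-signature syntax (`*` and `{n-m}` gaps). The fragment strings, the `{-64}` bound and both sample inputs are constructed for illustration; the real HTML.Exploit.Heap-2 signature and the change actually made to it are not shown on this page.

```python
import re

SEP = re.compile(r"(\*|\{\d*-?\d*\})")  # '*' or '{n}', '{n-m}', '{-m}', '{n-}'

def parse_gap(sep):
    """Return (min_bytes, max_bytes or None) for one gap token."""
    if sep == "*":
        return (0, None)
    body = sep[1:-1]
    if "-" not in body:
        return (int(body), int(body))
    lo, hi = body.split("-")
    return (int(lo or 0), int(hi) if hi else None)

def parse_sig(sig):
    """Split a hex body signature into [(gap, fragment_bytes), ...]."""
    tokens = SEP.split(sig)
    parts = [((0, None), bytes.fromhex(tokens[0]))]
    for i in range(1, len(tokens), 2):
        parts.append((parse_gap(tokens[i]), bytes.fromhex(tokens[i + 1])))
    return parts

def matches(sig, data):
    """True if every fragment occurs in order with each gap inside its bounds."""
    parts = parse_sig(sig)
    def step(idx, pos):
        if idx == len(parts):
            return True
        (lo, hi), frag = parts[idx]
        start = pos + lo
        stop = len(data) if hi is None else pos + hi + len(frag)
        while (hit := data.find(frag, start, stop)) >= 0:
            if step(idx + 1, hit + len(frag)):   # backtrack on later failure
                return True
            start = hit + 1
        return False
    return step(0, 0)

# Constructed placeholder fragments: ordinary JavaScript tokens, NOT the real signature.
FRAGS = [b"new Array(", b"unescape(", b".substring(", b"while ("]
LOOSE = "*".join(f.hex() for f in FRAGS)       # unbounded gaps, as described in the post
TIGHT = "{-64}".join(f.hex() for f in FRAGS)   # assumed tightening: gaps of 64 bytes or fewer

# Constructed inputs: a large concatenated library vs. the same tokens packed together.
FILLER = b"// unrelated library code\n" * 200
LIBRARY = FILLER.join([b"var a = new Array(16);\n", b"s = unescape(name);\n",
                       b"t = s.substring(0, 4);\n", b"while (i < n) { i++; }\n"])
COMPACT = b"var a = new Array(16); s = unescape(name); t = s.substring(0, 4); while (i < n) { i++; }"

if __name__ == "__main__":
    for name, data in (("LIBRARY", LIBRARY), ("COMPACT", COMPACT)):
        print(name, len(data), "loose:", matches(LOOSE, data), "tight:", matches(TIGHT, data))
```

With unbounded gaps the four fragments only have to appear in order somewhere in the file, which a large concatenated script such as `gli.all.js` can satisfy by accident; bounding the gaps removes that match while still matching the compact case.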