[clamav-users] HTML.Exploit.Heap-2 False Positive?
Al Varnell
alvarnell at mac.com
Mon May 19 18:02:21 UTC 2014
On May 13, 2014, at 8:19 AM, Shaun Hurley <shahurle at sourcefire.com> wrote:
> A ClamXav user complained that a Google Chrome extension, “WebGL
> Inspector”, which he has used since 2012, was said to be infected with
> HTML.Exploit.Heap-2.
>
> I was able to obtain a later version of that extension and verified that
> the gli.all.js file in that extension scans as infected.
>
> I was not able to locate when this signature was added on the
> clamav-virusdb list.
>
> I was able to easily confirm that the file contains all elements of the
> signature (four ASCII strings separated by “any strings” of varying length).
>
> I haven’t found any clues on what an actual infected file might be.
>
> I submitted it to VirusTotal where only ClamAV® detected it
> <https://www.virustotal.com/en/file/36fd57cce150c5e8ea26168823e84b19e109592c6586496b605306cbb482d982/analysis/1399908003/>
>
> I successfully uploaded to you using your "Submit a false positive" form.
> MD5 = 6968c0d2ad15e68b33bb30074ddbb7a6
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
> -------------
> Al,
>
> Sorry, I didn't have the original email that was sent to the list. After
> further analysis, I've modified the signature so that it shouldn't generate
> as many false positives.
>
> Thank you,
> Shaun Hurley
Here’s another one that doesn’t seem to have been deployed. I’m still getting an FP on the file I submitted and I don’t see any obvious changes to the signature.
-Al-
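To show why a body signature made of four ASCII strings joined by "any string" wildcards fires on benign JavaScript, here is an added Python matcher for a subset of the ClamAV .ndb hex-signature syntax. It is not ClamAV's own code, and the two signatures and the sample files are constructed, not the real HTML.Exploit.Heap-2 pattern or gli.all.js; real ClamAV also normalizes HTML before matching, which this toy skips.

```python
import re

# Constructed signatures in ClamAV .ndb style (Name:TargetType:Offset:HexSignature),
# NOT the real HTML.Exploit.Heap-2 body. Four ASCII fragments, hex-encoded, joined by
# wildcards: '*' matches any run of bytes, '{0-64}' at most 64 bytes.
FRAGMENTS = (b"unescape(", b"String.fromCharCode(", b"Array(", b"substring(")
LOOSE_SIG = "Test.Loose-1:0:*:" + "*".join(f.hex() for f in FRAGMENTS)
TIGHT_SIG = "Test.Tight-1:0:*:" + "{0-64}".join(f.hex() for f in FRAGMENTS)

def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate the subset of ClamAV hex-signature syntax used here into a bytes regex."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":                      # any number of bytes
            out.append(b".*?"); i += 1
        elif hexsig[i] == "{":                    # {n-m}: between n and m bytes
            j = hexsig.index("}", i)
            lo, hi = hexsig[i + 1:j].split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi))); i = j + 1
        elif hexsig.startswith("??", i):          # one byte, any value
            out.append(b"."); i += 2
        else:                                     # two hex digits = one literal byte
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2]))); i += 2
    return b"".join(out)

def matches(sig: str, data: bytes) -> bool:
    """Return True if the body signature hits anywhere in data (offset '*' only)."""
    _name, _target, _offset, hexsig = sig.split(":", 3)
    return re.search(hexsig_to_regex(hexsig), data, re.DOTALL) is not None

FILLER = b"/* unrelated library code */ " * 4     # >64 bytes between fragments
# Constructed stand-in for a large benign JS library: uses all four APIs, far apart.
BENIGN_JS = (b"function decode(s) { return unescape(s); }\n" + FILLER
             + b"var codes = String.fromCharCode(65, 66);\n" + FILLER
             + b"var buf = new Array(16);\n" + FILLER
             + b"var tail = name.substring(1);\n")
# Constructed snippet with the same fragments packed tightly together.
PACKED_JS = b"var a=unescape(x);var b=String.fromCharCode(0);var c=new Array(8);var d=b.substring(1);"

if __name__ == "__main__":
    for label, sig in (("loose", LOOSE_SIG), ("tight", TIGHT_SIG)):
        print(label, "benign:", matches(sig, BENIGN_JS), "packed:", matches(sig, PACKED_JS))
```

The loose signature hits both samples, while the bounded-gap one hits only the packed snippet; checking a candidate signature against a corpus of known-clean libraries this way is the usual pre-release false-positive test.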