[clamav-users] HTML.Exploit.Heap-2 False Positive?
Shaun Hurley
shahurle at sourcefire.com
Mon May 19 19:27:47 UTC 2014
Thank you. I'll take a look at what the issue is.
Shaun
On Mon, May 19, 2014 at 2:02 PM, Al Varnell <alvarnell at mac.com> wrote:
> On May 13, 2014, at 8:19 AM, Shaun Hurley <shahurle at sourcefire.com> wrote:
>
> > A ClamXav user complained of having a Google Chrome extension “WebGL
> > Inspector” which he has used since 2012 was said to be infected with
> > HTML.Exploit.Heap-2.
> >
> > I was able to obtain a later version of that extension and verified that
> > the gli.all.js file in that extension scans as infected.
> >
> > I was not able to locate when this signature was added on the
> > clamav-virusdb list.
> >
> > I was able to easily confirm that the file contains all elements of the
> > signature (four ascii strings separated by “any strings” of varying
> > length).
> >
> > I haven’t found any clues on what an actual infected file might be.
> >
> > I submitted it to VirusTotal where only ClamAV® detected it
> > <https://www.virustotal.com/en/file/36fd57cce150c5e8ea26168823e84b19e109592c6586496b605306cbb482d982/analysis/1399908003/>
> >
> > I successfully uploaded to you using your "Submit a false positive" form.
> > MD5 = 6968c0d2ad15e68b33bb30074ddbb7a6
> >
> >
> > -Al-
> > --
> > Al Varnell
> > Mountain View, CA
> >
> > -------------
> > Al,
> >
> > Sorry, I didn't have the original email that was sent to the list. After
> > further analysis, I've modified the signature so that it shouldn't
> > generate as many false positives.
> >
> > Thank you,
> > Shaun Hurley
>
> Here’s another one that doesn’t seem to have been deployed. I’m still
> getting an FP on the file I submitted and I don’t see any obvious changes
> to the signature.
>
> -Al-
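As an added example (not from this thread and not ClamAV's own code), a small Python matcher for the .ndb body-signature syntax that shows why a signature built from a few common strings joined by unbounded `*` gaps fires on ordinary scripts like the one Al describes, and how bounding the gaps with `{-n}` narrows it. The signature and the "benign" script below are constructed; they are not the real HTML.Exploit.Heap-2 body.

```python
import re

def ndb_body_to_regex(hexsig: str) -> re.Pattern:
    """Compile a ClamAV .ndb body signature into a bytes regex.
    Supports fixed hex bytes, '*' (any number of bytes), '??' (any one
    byte) and '{n}', '{n-m}', '{-m}', '{n-}' (bounded byte gaps)."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            else:
                parts.append(b".{%s}" % spec.encode())
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def parse_ndb(line: str):
    """Split 'Name:TargetType:Offset:HexBody' and compile the body."""
    name, _target, _offset, body = line.strip().split(":", 3)
    return name, ndb_body_to_regex(body)

def scan(data: bytes, sigs) -> list:
    """Return the names of all signatures whose body matches `data`."""
    return [name for name, rx in sigs if rx.search(data)]

# Constructed example: four common JavaScript tokens, the kind of content-only
# body signature that a benign script can easily satisfy.
TOKENS = [b"new Array(", b"unescape(", b".length", b"substring("]
BROAD_SIG = "Test.Broad-1:0:*:" + "*".join(t.hex() for t in TOKENS)         # unbounded gaps
BOUNDED_SIG = "Test.Bounded-1:0:*:" + "{-32}".join(t.hex() for t in TOKENS)  # <= 32 bytes apart
SIGS = [parse_ndb(BROAD_SIG), parse_ndb(BOUNDED_SIG)]

# Constructed benign script: all four tokens present, but spread apart by comments.
FILLER = b"\n// " + b"-" * 100 + b"\n"
BENIGN_JS = (b"var buf = new Array(16);" + FILLER
             + b"var tag = unescape(location.hash.slice(1));" + FILLER
             + b"for (var i = 0; i < buf.length; i++)" + FILLER
             + b"  buf[i] = tag.substring(0, 8);\n")

if __name__ == "__main__":
    print(scan(BENIGN_JS, SIGS))  # ['Test.Broad-1']
```

Running candidate signatures through a matcher like this against a corpus of known-clean scripts before publishing them is a cheap way to catch a body that is really just a handful of generic tokens.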