[clamav-users] - False Positive
Al Varnell
alvarnell at mac.com
Thu Jul 9 18:48:03 UTC 2015
I used to be able to scan the database to determine when each signature was added, but that list has been eliminated so I can’t verify, but when an older file is suddenly identified as infected, my first thought is that this must be a new signature. Just because the vulnerability has been known since 2012 doesn’t mean that ClamAV has been able to detect it since then.
-Al-
> On Jul 9, 2015, at 11:22 AM, Ingo Bente <ingo.bente at gmail.com> wrote:
>
> The file has been subject to daily scanning since Mar 2015. According to
> the mtime, the file has not been changed since. However, the positive
> finding from ClamAV occurred just yesterday. That's why it seems to me that
> this might be a false positive.
>
> Please let me know what you think.
>
> Cheers
> Ingo
>
> On Thu, 9 Jul 2015 at 19:33 Al Varnell <alvarnell at mac.com> wrote:
>
>> I’m not sure why you would consider a 2012 CVE to be an indicator of a
>> false positive. Have you read the vulnerability description?
>> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167>
>>
>> If that document contains an EMF image it could cause a heap-based buffer
>> overflow in those older, unmatched versions of Microsoft Office.
>>
>> -Al-