[clamav-users] - False Positive
Shaun Hurley
shahurle at sourcefire.com
Thu Jul 9 19:39:02 UTC 2015
Ingo,
It looks like this sig was originally published on June 11th, 2015.
We dropped the signature this afternoon to review why it triggered a false
positive.
Thank you for making us aware of this issue.
Please let us know if there are any other issues.
Thanks again,
Shaun Hurley
ClamAV Malware Team
On Thu, Jul 9, 2015 at 2:48 PM, Al Varnell <alvarnell at mac.com> wrote:
> I used to be able to scan the database to determine when each signature
> was added, but that list has been eliminated so I can’t verify, but when an
> older file is suddenly identified as infected, my first thought is that
> this must be a new signature. Just because the vulnerability has been
> known since 2012 doesn’t mean that ClamAV has been able to detect it since
> then.
>
> -Al-
>
> > On Jul 9, 2015, at 11:22 AM, Ingo Bente <ingo.bente at gmail.com> wrote:
> >
> > The file has been subject to daily scanning since Mar 2015. According to
> > the mtime, the file has not been changed since. However, the positive
> > finding from ClamAV occurred just yesterday. That's why it seems to me that
> > this might be a false positive.
> >
> > Please let me know what you think.
> >
> > Cheers
> > Ingo
> >
> > On Thu, 9 Jul 2015 at 19:33 Al Varnell <alvarnell at mac.com> wrote:
> >
> >> I’m not sure why you would consider a 2012 CVE to be an indicator of a
> >> false positive. Have you read the vulnerability description?
> >> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167>
> >>
> >> If that document contains an EMF image it could cause a heap-based buffer
> >> overflow in those older, unmatched versions of Microsoft Office.
> >>
> >> -Al-