[clamav-users] FP Win.Trojan.Agent-1395367

Al Varnell alvarnell at mac.com
Wed Apr 20 08:52:10 UTC 2016


This one was added on Friday in daily:21494

Similar results as before on VT:
<https://www.virustotal.com/en/file/4d81cd951bc1cc8095a0b6385baa47b9c5fb6fe1440661563a09dbd2f7e243db/analysis/>

-Al-


On Wed, Apr 20, 2016 at 01:45 AM, Hajo Locke wrote:
> 
> Hello,
> 
> On 20.04.2016 at 09:31, Hajo Locke wrote:
>> Hello,
>> 
>> On 20.04.2016 at 09:20, Al Varnell wrote:
>>> The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP.
>>> 
>>> Not sure what you mean by “automatic created md5 Signature” and given that it’s a JavaScript I don’t know how you can conclude its contents “looks ok”, but you did the right thing by submitting it for consideration.
>> 
>> I think not all code is reviewed manually, according to the source. To me the code doesn't look suspicious. But let's wait for the opinion of the pros.
>>> 
>>> AegisLab also seems to think it’s infected, but VT believes it’s “Probably harmless!":
>>> <https://www.virustotal.com/en/file/1f6d3e09969916e203c940124ef19b654464ed322c756530e1bcb1267cc93e2c/analysis/> 
>>> 
>>> This should be self evident, but for the ClamAV Signature Team’s Info: MD5=585005690e530e8047374cf14e479281
> Found the same issue with another file.
> File qppr_frontend_script.min.js is reported as Win.Trojan.Agent-1395005
> This is part of the WordPress Quick Page/Post Redirect Plugin
> https://de.wordpress.org/plugins/quick-pagepost-redirect-plugin/installation/
> 
> MD5=952e1832aad1345100c20d86639900e5
>>> 
>>> -Al-
>>> 
>>> On Wed, Apr 20, 2016 at 12:02 AM, Hajo Locke wrote:
>>>> Hello,
>>>> 
>>>> There seems to be a new FP within a WordPress plugin.
>>>> Download is here:
>>>> https://jetpack.com/install/?from=wporg
>>>> http://downloads.wordpress.org/plugin/jetpack.latest-stable.zip
>>>> 
>>>> File jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js is reported as Win.Trojan.Agent-1395367
>>>> 
>>>> Seems to be an automatic created md5 Signature, because content of file looks ok
>>>> http://pastebin.com/zi2TcJJF
>>>> 
>>>> I already reported this as FP at http://www.clamav.net/reports/fp
>>>> I hope to get this fixed fast because our customers use this plugin a lot and I don't want to make a new global whitelisting.
>>>> 
>>>> Thanks,
>>>> Hajo
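
How an MD5 hash signature like the one discussed in this thread matches a file, and how a single-file entry for a local `.fp` allowlist is derived, shown as an added Python example (not part of the original messages and not ClamAV's own code). The sample script bytes, the signature name and the helper function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a small minified script; NOT the real Jetpack file.
SAMPLE = b'!function(a){a(".video").each(function(){a(this).css("max-width","100%")})}(jQuery);'

def make_hash_sig(data: bytes, name: str) -> str:
    """Build a ClamAV hash-signature line (MD5:Size:Name), as `sigtool --md5` prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hash_sig(line: str):
    """Split a .hdb/.fp line into (md5, size, name); size is None for the '*' wildcard."""
    md5, size, name = line.strip().split(":")[:3]
    return md5.lower(), (None if size == "*" else int(size)), name

def sig_matches(data: bytes, sig_line: str) -> bool:
    """True only if the whole file has exactly this size and MD5."""
    md5, size, _ = parse_hash_sig(sig_line)
    if size is not None and size != len(data):
        return False
    return hashlib.md5(data).hexdigest() == md5

def fp_entry(data: bytes, sig_line: str, comment: str):
    """Return a line for a local .fp allowlist, or None if the file does not
    actually match the signature (nothing to allowlist)."""
    if not sig_matches(data, sig_line):
        return None
    return make_hash_sig(data, comment)

if __name__ == "__main__":
    sig = make_hash_sig(SAMPLE, "Example.Constructed.Sig-0")  # constructed signature
    print("signature :", sig)
    print("local.fp  :", fp_entry(SAMPLE, sig, "FP-responsive-videos.min.js"))
    # A new plugin release changes the bytes: neither the signature nor the
    # allowlist entry applies to it any more.
    print("next build:", fp_entry(SAMPLE + b"\n", sig, "FP-next-release"))
```

Because both the signature and the `.fp` entry are bound to one exact byte sequence, the allowlist entry covers only the reported file version and has to be regenerated if a later release is flagged again.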