[clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0
Christian Balzer
chibi at gol.com
Tue Dec 27 02:27:14 UTC 2016
Hello Al,
On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
> Although most, if not all the Win.Trojan.Toa old signatures were either dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would appear to be a new issue.
>
Be that as it may, I'd say this isn't a new issue as such but a
continuation of what is clearly insufficient QA with these signatures.
I'd love to be more helpful, but since this are large mails I don't have a
complete bounce (Exim suppresses those over 100KB) and I don't have easy
access to any of the senders.
But it's with near certainty some attachment in a MS file format that
triggers these.
Regards,
Christian
> -Al-
>
> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> >
> > Hello,
> >
> > On Mon, 26 Dec 2016 19:21:25 -0000 Steve Basford wrote:
> >
> >>
> >> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> >>> In keeping with the other false positive reports I have more than 400
> >>> CentOS servers report below after yesterday's freshclam update:
> >>
> >> Yes, nashorn.jar seems to get hit too...
> >>
> >> eg:
> >>
> >> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> >> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> >> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> >> fp2\firefox-hotfix at mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> >> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> >> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> >>
> >> and the earlier reported FP's are still there:
> >>
> >> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> >> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> >> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> >> fp\loop at mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp\omni.ja: Win.Trojan.Toa-5370166-0
> >> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> >> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> >>
> >> etc.
> >>
> >> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
> >> in full after holidays.
> >>
> > I can only second that.
> > And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> >
> > At this rate the previous bit about "Clamscan becoming its own worst
> > enemy." can not be underestimated.
> > This is the 2nd, VERY visible FP avalanche in so many months and since it
> > affects a lot of people here including internal business mails.
> > Reflecting badly on all OSS projects and SW.
> >
> > Christian
> >
> >> As the issues go on...
> >>
> >> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> >>
> >> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
--
Christian Balzer Network/Systems Engineer
chibi at gol.com Global OnLine Japan/Rakuten Communications
http://www.gol.com/
More information about the clamav-users
mailing list