[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive
Steve basford
steveb_clamav at sanesecurity.com
Sun Feb 14 19:47:55 UTC 2016
Hi,
Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd
(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
Which is covering a lot of combinations in one sig... personally I split
foxhole ones into smaller subsections...
Use --debug and grep for cdbname in the output.
You can whitelist sig name using a .ign2 database.
Cheers,
Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
On 14 February 2016 19:00:12 <nerslbmail at yahoo.com> wrote:
> Hi, false positives started coming after the update to daily.cvd version
> 21360; my submissions for false-positive reports on clamav.net keep
> reporting "The sample is empty."
>
> How to reproduce:
> mkdir /tmp/test_dir
> touch /tmp/test_dir/txt_csv.jar.0
> jar cf test_dir.jar /tmp/test_dir
> # or
> zip -r test_dir.zip /tmp/test_dir
>
> # then scan the file
> clamscan test_dir.jar test_dir.zip
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
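To see why the reporter's archive member trips this signature, here is an added worked example (mine, not Steve's, Sanesecurity's or ClamAV's code) that runs the FileNameREGEX pasted above over a few constructed member names. Python's re module is used as an approximation of ClamAV's own regex matcher (ClamAV strips the leading (?i) into a case-insensitive flag and uses a POSIX-style engine, so alternation preferences can differ on exotic names, but the simple cases here behave the same). The helper names matches/triage/anchored_variant and the sample names are mine; anchored_variant only illustrates that the pasted regex is not anchored to the end of the name, it is not a change proposed anywhere in the thread.

```python
import re

# The FileNameREGEX field of the .cdb entry quoted in the thread, joined back
# onto one line. A full .cdb line has more colon-separated fields (container
# type, sizes, encryption flag, ...); only the regex is reproduced here.
FILENAME_RE = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4"
    r"|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls"
    r"|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb"
    r"|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm"
    r"|run|script|sh|swf)"
)
PATTERN = re.compile(FILENAME_RE)


def matches(name):
    """Return the fragment of an archive member name that fires the
    signature, or None. search() is used because the CDB regex is
    unanchored: a hit anywhere in the name counts."""
    m = PATTERN.search(name)
    return m.group(0) if m else None


def triage(names):
    """Map every member name to its matched fragment (None = no hit)."""
    return {n: matches(n) for n in names}


def anchored_variant(name):
    """Illustration only (my assumption, not a signature change from the
    thread): the same regex anchored to the end of the member name, which
    would no longer fire on a trailing '.0' as in the reporter's test."""
    return re.search(FILENAME_RE + r"$", name) is not None


# Constructed sample member names. The first is the reporter's file as it
# appears inside the archive when zipped with a leading directory.
SAMPLE_NAMES = [
    "tmp/test_dir/txt_csv.jar.0",   # '_csv' + '.jar' -> hit, the FP
    "invoice.doc.js",               # classic double extension -> hit
    "INVOICE.DOC.JS",               # (?i) makes it case-insensitive -> hit
    "report.pdf.exe",               # 'exe' is not in the second list -> clean
    "README.txt",                   # single extension -> clean
]

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_NAMES).items():
        status = f"HIT on {hit!r}" if hit else "clean"
        print(f"{name:32} {status:24} anchored={anchored_variant(name)}")
```

Note that the match on txt_csv.jar.0 is `_csv.jar`: the underscore satisfies the `[ _.-]` separator class and nothing in the regex requires `.jar` to be the last extension. The signature name alone goes into a .ign2 file in the database directory (one signature name per line, no other fields), which is the whitelisting Steve refers to.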