[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

Al Varnell alvarnell at mac.com
Sun Feb 14 20:48:51 UTC 2016


I’ve had one ClamXav user complain on Friday that all the .epub and kindle downloads from http://www.gutenberg.org/ebooks/3726 were infected.  When decompressed it reveals several files with ".txt.html" extensions.

We've seen problems with such all-encompassing signatures in the past, so I suspect this one needs to be trimmed a bit.

-Al-

On Sun, Feb 14, 2016 at 11:47 AM, Steve basford wrote:
> 
> Hi,
> 
> Here's the entry for
> Zip.Suspect.MacroDoubleExtension-zippwd
> 
> (?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
> 
> Which is covering a lot of combinations in one sig... personally I split foxhole ones into smaller subsections...
> 
> Use --debug and grep for cdbname in the output.
> 
> You can whitelist sig name using a .ign2 database.
> 
> Cheers,
> 
> Steve
> Web: sanesecurity.com
> Blog: sanesecurity.blogspot.com
> 
> 
> 
> On 14 February 2016 19:00:12 <nerslbmail at yahoo.com> wrote:
> 
>> Hi, false positives started coming after the update to (daily.cvd version: 21360); my submissions for false-positive reports on clamav.net keep reporting "The sample is empty."
>> 
>> How to reproduce:
>> mkdir /tmp/test_dir
>> touch /tmp/test_dir/txt_csv.jar.0
>> jar cf test_dir.jar /tmp/test_dir
>> # or
>> zip -r test_dir.zip /tmp/test_dir
>> 
>> # then scan the file
>> clamscan test_dir.jar test_dir.zip
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA



