[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive
nerslbmail at yahoo.com
nerslbmail at yahoo.com
Sun Feb 14 23:14:24 UTC 2016
I understand it can be whitelisted, but I posted to the list in hope that the person who introduced the problem to the file daily.cd on 2/12/2016 will read the thread and roll back the changes.
Thanks!
On Sunday, February 14, 2016 11:48 AM, Steve basford <steveb_clamav at sanesecurity.com> wrote:
Hi,
Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd
(?i)((\.doc)|([
_.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[
_.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
Which is covering a lot of combinations in one sig... personally I split
foxhole ones into smaller subsections...
Use --debug and grep for cdbname in the output.
You can whitelist sig name using a .ign2 database.
Cheers,
Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
On 14 February 2016 19:00:12 <nerslbmail at yahoo.com> wrote:
> Hi,false positives started coming after update to (daily.cvd version:
> 21360)my submissions for false-positive reports on clamav.net keep
> reporting "The sample is empty."
>
> How to reproduce:
> mkdir /tmp/test_dir
> touch /tmp/test_dir/txt_csv.jar.0
> jar cf test_dir.jar /tmp/test_dir
> # or
> zip -r test_dir.zip /tmp/test_dir
>
> # then scan the file
> clamscan test_dir.jar test_dir.zip
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
More information about the clamav-users
mailing list