[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive
Al Varnell
alvarnell at mac.com
Mon Feb 15 00:34:28 UTC 2016
I attempted to submit the sample I have to http://www.clamav.net/reports/fp and it was similarly rejected as "empty." Scanning the file on my computer after updating definitions still shows it as infected. Uploading it to VirusTotal results in only a ClamAV detection:
<https://www.virustotal.com/en/file/87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a/analysis/1455495993/>.
Regardless of whether the signature is right or wrong, the ClamAV False Positive submission system is broken and needs to be fixed.
The file I submitted was pg3726-images.epub downloaded from
<http://www.gutenberg.org/cache/epub/3726/pg3726-images.epub>
with MD5=6a2c8a5085e7fbea72643d78962c6897 just in case it actually made it to the database.
-Al-
On Sun, Feb 14, 2016 at 03:14 PM, nerslbmail at yahoo.com wrote:
>
> I understand it can be whitelisted, but I posted to the list in hope that the person who introduced the problem to the file daily.cd on 2/12/2016 will read the thread and roll back the changes.
>
> Thanks!
>
>
> On Sunday, February 14, 2016 11:48 AM, Steve basford <steveb_clamav at sanesecurity.com> wrote:
>
>
> Hi,
>
> Here's the entry for
> Zip.Suspect.MacroDoubleExtension-zippwd
>
> (?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
>
> Which is covering a lot of combinations in one sig... personally I split
> foxhole ones into smaller subsections...
>
> Use --debug and grep for cdbname in the output.
>
> You can whitelist sig name using a .ign2 database.
>
> Cheers,
>
> Steve
> Web: sanesecurity.com
> Blog: sanesecurity.blogspot.com
>
>
>
> On 14 February 2016 19:00:12 <nerslbmail at yahoo.com> wrote:
>
>> Hi, false positives started coming after update to (daily.cvd version:
>> 21360). My submissions for false-positive reports on clamav.net keep
>> reporting "The sample is empty."
>>
>> How to reproduce:
>> mkdir /tmp/test_dir
>> touch /tmp/test_dir/txt_csv.jar.0
>> jar cf test_dir.jar /tmp/test_dir
>> # or
>> zip -r test_dir.zip /tmp/test_dir
>>
>> # then scan the file
>> clamscan test_dir.jar test_dir.zip
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
-Al-
--
Al Varnell
Mountain View, CA
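Added example, not from the thread nor from ClamAV or Sanesecurity: Python's `re` stands in for ClamAV's CDB matcher and is applied to the filename-regex field of the signature quoted above against constructed archive member names, to show which entries trip it and why an unanchored pattern also catches harmless names. It assumes the wrapped character class reads `[ _.-]` (the space was lost to line wrapping) and that the member names are made up rather than taken from any real file.

```python
import io
import re
import zipfile

# Filename-regex field of the CDB signature quoted in the thread (before the trailing ":*:*:*:*").
SIG_NAME = "Zip.Suspect.MacroDoubleExtension-zippwd"
FILENAME_REGEX = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|"
    r"pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|"
    r"awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|"
    r"run|script|sh|swf)"
)
PATTERN = re.compile(FILENAME_REGEX)  # the leading (?i) makes the whole pattern case-insensitive
# Constructed member names (not from the page): the thread's reproduction case, benign names of
# the kind an EPUB carries, and one genuine double extension of the sort the signature targets.
SAMPLE_NAMES = [
    "test_dir/txt_csv.jar.0",   # the reproduction from the thread
    "OEBPS/images/cover.jpg",   # benign: single extension
    "OEBPS/content.opf",        # benign: extension in neither list
    "text/notes_txt.html",      # benign, yet "_txt" followed by ".html" satisfies the regex
    "Invoice.pdf.js",           # the double extension the signature is written for
]

def matching_entries(names):
    """Return (name, matched substring) for each name the regex flags. The regex is unanchored:
    any "<sep><data ext>[sep]*.<exec ext>" run anywhere in the path is enough to match."""
    hits = []
    for name in names:
        m = PATTERN.search(name)
        if m:
            hits.append((name, m.group(0)))
    return hits

def build_sample_zip(names):
    """Constructed in-memory archive of empty members, like the touch + zip reproduction."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

def scan_archive(buf):
    """Apply the filename regex to every member of a zip-based container (zip, jar, epub)."""
    with zipfile.ZipFile(buf) as zf:
        return matching_entries(zf.namelist())

if __name__ == "__main__":
    for name, matched in scan_archive(build_sample_zip(SAMPLE_NAMES)):
        print(f"{SIG_NAME}: {name!r} matched via {matched!r}")
```

Running `clamscan --debug` on the same archive and grepping for `cdbname`, as suggested in the thread, shows which member ClamAV itself matched; an `.ign2` file containing the signature name on a line of its own suppresses it locally until the database is corrected.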