[clamav-users] Win.Adware.Softpulse-215 FP

Joel Esler (jesler) jesler at cisco.com
Thu Jan 21 10:46:55 EST 2016

Thanks Al.

Little bit of background: when a false positive report comes for a sample, it’s tagged under that specific signature in our system. So if you file a false positive, it specifically comes up as a false positive in the system (I say this so that people don’t think we go back through and scan the billions of malware samples we have every time we push an update).

Joel Esler
Manager, Talos Group

On Jan 21, 2016, at 7:46 AM, Al Varnell <alvarnell at mac.com> wrote:



On Jan 21, 2016, at 4:06 AM, Joel Esler (jesler) wrote:


On Jan 21, 2016, at 3:07 AM, Al Varnell wrote:
Yes, I did receive feedback the same day that Win.Adware.Softpulse-215 had been removed and I can confirm that all the others mentioned below except for Swf.Exploit.CVE_2015_5122-1 have been removed, so I’ll try to pursue that last one.

But now those three files are being identified as Win.Trojan.Agent-953878. Should I resubmit the file with that infection name?


I have been told that all of these have been corrected already.

Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group

On Jan 18, 2016, at 1:51 AM, Al Varnell <alvarnell at mac.com> wrote:

I’m hearing from a couple of ClamXav users that several applications are being identified as infected with Win.Adware.Softpulse-215.  All these applications contain the StuffIt framework.

I’ve uploaded the StuffIt Expander.app.zip to the ClamAV FP page with MD5 44f5ab1439a9c9c06b46aeb31b265e1e which included infected frameworks as follows:

(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]sit5.exe) = ebe780c5859a324995f9603276e5b4fa
(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]sitx.exe) = a9d1a8144b8ce0b3637ab11dcd48638d
(/Applications/StuffIt Expander.app/Contents/Frameworks/StuffIt.framework/Versions/B/Resources/[self]zip.exe) = 7f55eba65a7a91081f2a8ecaa4bf5dc7

For some reason VirusTotal ClamAV identifies it as Win.Adware.Softpulse-218

This definition was included in Friday’s daily.cvd Version: 21262, and I have received additional reports of FP’s on the following signatures but do not have access to samples at this time:

