[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

Al Varnell alvarnell at mac.com
Fri Jun 3 21:56:51 UTC 2016


Attachments are not allowed here. Be sure you submit it to the False Positive Report site and post the hash value back here.


Sent from Janet's iPad

-Al-

On Feb 23, 2016, at 5:55 AM, Tsutomu Oyamada wrote:
> There are still positives "Zip.Suspect.MacroDoubleExtension-zippwd".
> (see attached file)
> When will this false positive be resolved?
> 
> On Wed, 17 Feb 2016 20:16:02 -0800 Dennis Peterson wrote:
>> My experience with these kinds of failures is that the pattern is not properly anchored or the writer doesn't understand greedy grep patterns or both. Fallout from the new pcregrep, perhaps? I've not analyzed it so am speculating here, but a lesson learned after decades of doing this is that if regex results amaze you then you have probably screwed up somewhere when writing the pattern. Or as one of my staff liked to say, something we're sure of is wrong.
>> 
>> dp
>> 
>> On 2/16/16 7:02 PM, Al Varnell wrote:
>>> Resubmitted.
>>> 
>>> 87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub
>>> 
>>> -Al-
>>> 
>>> On Feb 14, 2016, at 4:34 PM, Al Varnell wrote:
>>>> I attempted to submit the sample I have to http://www.clamav.net/reports/fp and it was similarly rejected as "empty."  Scanned the file on my computer after updating definitions still shows it as infected.  Uploading it to VirusTotal results in only a ClamAV detection:
>>>> <https://www.virustotal.com/en/file/87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a/analysis/1455495993/>.


