[clamav-users] javascript ZIP virus not caught?
Al Varnell
alvarnell at mac.com
Tue Mar 15 04:25:51 UTC 2016
Then you would probably benefit from a SecuriteInfo subscription that includes an entire Unofficial database dedicated to JavaScript
<https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml>.
Sent from Janet's iPad
-Al-
On Mar 14, 2016, at 9:08 PM, Scott Galambos wrote:
> Scanning these ZIP/.js viruses has a hit rate of about 35%. 35% of all antivirus packages will say they are viruses. For example, running one through https://www.virustotal.com will say out of about 53 antivirus programs, 16 flag it as a virus.
>
> They are definitely malware and should be stopped.
>
> --
> Thanks for the response. All I know is I keep getting them, and they are definitely unwanted. Here are a couple examples (I've renamed them):
> http://sites.extremehosting.ca/temp/
>
> On 2016-03-14 11:52 PM, Al Varnell wrote:
>> I don’t have any answers, but you have raised my curiosity level.
>> What exactly is the threat from these javascript files you are
>> finding? In checking the over four million virus signatures provided
>> in the official ClamAV database, I see there are only 440 labeled as
>> “.js” based and 94% of those are in the main.cvd which means they are
>> old. Of the 28 in daily.cvd, 22 are labeled as PUA (potentially
>> unwanted applications) which normally indicate low/no threat. I’d
>> have to conclude that either there have not been sufficient js file
>> samples submitted which turn out to be threats or they are somehow
>> low priority to the signature writers here.
>>
>> Perhaps I’m just out-of-touch since I deal almost exclusively with
>> Apple Mac threats, but as far as I know there are no e-mail
>> javascript threats to OS X or its applications and about the worst
>> we see via web browsers are fake ransomware and tech-support
>> pop-ups.
>>
>> -Al-
>>
>> On Mon, Mar 14, 2016 at 08:03 PM, Scott Galambos wrote:
>>>
>>> I've upgraded to the latest Clamav 0.99.1 on Linux/Sendmail and it
>>> still is not catching all these ZIP files with .js files inside
>>> them. Is clamav supposed to stop these?
>>>
>>> I constantly get these messages with .ZIP attachments that I would
>>> think clamav should stop. Am I expecting too much? Missing
>>> something?