[clamav-users] FPs for Txt.Malware.Agent-XXXXX

Al Varnell alvarnell at mac.com
Tue Nov 22 21:42:14 UTC 2016


I see that Daily - 22584 drops three of them:

   * Txt.Malware.Agent-1811885

   * Txt.Malware.Agent-1835895

   * Txt.Malware.Agent-1835897

-Al-

On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
> 
> I am seeing these mostly on files that comprise the OpenLayers library in
> phpMyAdmin 4.
> 
> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jesler at cisco.com>
> wrote:
> 
>> Mark,
>> 
>> Thanks for the feedback, you are right, I am experiencing some high counts
>> in the Txt.Malware.Agent family.
>> 
>> I’ve disabled this engine for now.
>> 
>> --
>> Joel Esler | Talos: Manager | jesler at cisco.com
>> 
>> On Nov 22, 2016, at 12:02 PM, Mark Allan <markjallan at gmail.com> wrote:
>> 
>> Hi all,
>> 
>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>> containing a number of files which ClamAV incorrectly detects as various
>> strains of Txt.Malware.Agent.
>> 
>> My experience may be slightly skewed, but it seems that the rate of FPs
>> has increased a lot lately, and they mostly appear to be being caused by
>> hash-based signatures.  I'm wondering if this is related to Joel's recent
>> admission that the signature generation process is almost entirely
>> automated now.
>> 
>> Is it possible that someone is targeting ClamAV and reporting known-clean
>> files as if they were infected?  To what end, I'm not sure, but I can't
>> shake the feeling that something's not right...
>> 
>> Mark
>> 
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
>> 

-Al-
-- 
Al Varnell
Mountain View, CA