[clamav-users] FPs for Txt.Malware.Agent-XXXXX
Mark Allan
markjallan at gmail.com
Wed Nov 23 11:04:58 UTC 2016
Thanks for dropping those 3, Joel, however there are still at least 24 signatures causing problems:
Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195
Given the vast majority of those are consecutive numbers, it looks like someone has uploaded the entire OpenLayers library and tried to report it as infected.
Best regards
Mark
> On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarnell at mac.com> wrote:
>
> I see that Daily - 22584 drops three of them:
>
> * Txt.Malware.Agent-1811885
>
> * Txt.Malware.Agent-1835895
>
> * Txt.Malware.Agent-1835897
>
> -Al-
>
> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>>
>> I am seeing these mostly on files that comprise the OpenLayers library in
>> phpMyAdmin 4.
>>
>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jesler at cisco.com>
>> wrote:
>>
>>> Mark,
>>>
>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>> in the Txt.Malware.Agent family.
>>>
>>> I’ve disabled this engine for now.
>>>
>>> --
>>> Joel Esler | Talos: Manager | jesler at cisco.com
>>>
>>> On Nov 22, 2016, at 12:02 PM, Mark Allan <markjallan at gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>> containing a number of files which ClamAV incorrectly detects as various
>>> strains of Txt.Malware.Agent
>>>
>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>> has increased a lot lately, and they mostly appear to be caused by
>>> hash-based signatures. I'm wondering if this is related to Joel's recent
>>> admission that the signature generation process is almost entirely
>>> automated now.
>>>
>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>> files as if they were infected? To what end, I'm not sure, but I can't
>>> shake the feeling that something's not right...
>>>
>>> Mark
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
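As an added example (not part of this thread, and not ClamAV's own tooling), the helper below does the two things an admin in this situation usually wants once a detection has been confirmed as a false positive: pull the distinct signature names out of clamscan output so they can be dropped into a local `.ign2` ignore list, and write a `.fp` hash-whitelist line for a specific file that has been verified clean. The `.ign2` (one signature name per line) and `.fp` (`MD5:size:name`, the same layout `sigtool --md5` prints) formats are ClamAV's documented local-exclusion formats; the sample scan lines, the phpMyAdmin paths in them and the file names `local.ign2` / `local.fp` mentioned in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example: triage confirmed ClamAV false positives and emit local
# whitelist entries. Not code from the thread or from the ClamAV project.
#
# ClamAV loads two kinds of local exclusion files from its database directory:
#   *.ign2  one signature name per line; that signature is ignored entirely
#   *.fp    MD5:size:name per line; a file with that MD5 is never reported
# (Using the names local.ign2 / local.fp for those files is an assumption;
#  any file with the right extension in the database directory is loaded.)

# Print the distinct signature names found in clamscan output.
# clamscan reports hits as:  /path/to/file: Sig.Name-12345 FOUND
# and clean files as:        /path/to/file: OK   (which does not match)
sig_names_from_scan() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sort -u
}

# Print a .fp whitelist line for a file you have verified as clean, in the
# MD5:size:name form that `sigtool --md5 FILE` emits. Computed with coreutils
# here so the example runs without sigtool installed.
fp_entry_for_file() {
    file=$1
    name=${2:-LocalWhitelist}
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Constructed sample scan output (paths are illustrative, not from the thread).
SAMPLE_SCAN='/srv/phpmyadmin/js/openlayers/OpenLayers.js: Txt.Malware.Agent-1835883 FOUND
/srv/phpmyadmin/js/openlayers/theme/default/style.css: Txt.Malware.Agent-1835884 FOUND
/srv/phpmyadmin/js/openlayers/OpenLayers.js: Txt.Malware.Agent-1835883 FOUND
/srv/phpmyadmin/index.php: OK'

# Demo: the first command's output is what you would save as local.ign2.
printf '%s\n' "$SAMPLE_SCAN" | sig_names_from_scan
```

Before ignoring a name, confirm it really is a hash signature for the file in question: `sigtool --find-sigs='Txt.Malware.Agent-1835883'` prints the raw database entry, and an `.hdb` entry in `MD5:size:name` form matching the file's `sigtool --md5` output is exactly the case the `.fp` whitelist is meant for. Ignoring by name in `.ign2` is the coarser tool, since it also silences any true positive that signature would have caught, so remove the local entries once the upstream signatures are dropped.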