[clamav-users] Massive amount of false positives on Html.Trojan.Iframe-6390207-0 / Html.Trojan.Iframe-6390207-0

Maarten Broekman maarten.broekman at gmail.com
Wed Dec 6 16:54:17 UTC 2017


VIRUS NAME: Html.Trojan.Iframe-6390207-0
TDB: Engine:51-255,FileSize:16384-65536,Target:3
LOGICAL EXPRESSION: 0
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
><img src="images/pixel_trans.gif" border="0" alt="" width="100%

Question: how is that even something to be 'suspicious' of? There is zero
context around it, let alone a match on an iframe tag.

Similarly:
VIRUS NAME: Html.Trojan.Hidelink-6390190-0
TDB: Engine:51-255,FileSize:16384-65536,Target:0
LOGICAL EXPRESSION: 0
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
<![CDATA[ */
var dropdown = document.getElementById("cat");
fu

This seems like a common technique for generating dropdown menus in CMS
applications.

Maarten
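
Added example, not part of the original post and not ClamAV code: a minimal matcher that rebuilds a logical-signature (.ldb) line from the first decoded subsignature and TDB quoted above and runs it against a constructed benign page, showing that the FileSize range is the only condition besides the literal string. The hex encoding, the sample page and all function names are assumptions made for illustration.

```python
import re

# Decoded subsignature and TDB exactly as quoted in the post; the hex form is
# re-encoded here, so the .ldb line is a reconstruction, not the shipped one.
DECODED = b'><img src="images/pixel_trans.gif" border="0" alt="" width="100%'
LDB_LINE = ("Html.Trojan.Iframe-6390207-0;"
            "Engine:51-255,FileSize:16384-65536,Target:3;0;" + DECODED.hex())


def parse_ldb(line):
    """Split Name;TDB;LogicalExpression;Subsig0;... into its parts."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    attrs = dict(item.split(":", 1) for item in tdb.split(","))
    for s in subsigs:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
            raise ValueError("only plain hex subsignatures are handled here")
    return {"name": name, "tdb": attrs, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}


def evaluate(expr, hits):
    """Evaluate expressions built from subsig indexes, '&' and '|' only."""
    if not re.fullmatch(r"\d+(?:[&|]\d+)*", expr):
        raise ValueError("unsupported logical expression: " + expr)
    return any(all(hits[int(i)] for i in term.split("&"))
               for term in expr.split("|"))


# Assumption: raw byte match; HTML normalization for Target:3 is not modelled.
def matches(sig, data):
    """True if the file size is in range and the logical expression holds."""
    lo, hi = (int(n) for n in sig["tdb"]["FileSize"].split("-"))
    if not lo <= len(data) <= hi:
        return False
    return evaluate(sig["expr"], [s in data for s in sig["subsigs"]])


def benign_page(size):
    """Constructed sample: a spacer image in a table cell, padded to `size`."""
    body = (b'<html><body><table><tr><td><img src="images/pixel_trans.gif" '
            b'border="0" alt="" width="100%" height="1"></td></tr></table>')
    tail = b"</body></html>"
    return body + b" " * (size - len(body) - len(tail)) + tail


if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    for size in (4096, 20000):
        print(size, sig["name"], matches(sig, benign_page(size)))
```

The same page content is reported or not depending only on whether the file falls inside the 16384-65536 byte window.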


