[clamav-users] Massive amount of false positives on Html.Trojan.Iframe-6390207-0 / Html.Trojan.Iframe-6390207-0
Alain Zidouemba
azidouemba at sourcefire.com
Wed Dec 6 17:03:47 UTC 2017
Thanks for reporting this FP, Maarten. We are in the process of fixing this
and will replace this signature.
- Alain
On Wed, Dec 6, 2017 at 11:54 AM, Maarten Broekman <maarten.broekman at gmail.com> wrote:
> VIRUS NAME: Html.Trojan.Iframe-6390207-0
> TDB: Engine:51-255,FileSize:16384-65536,Target:3
> LOGICAL EXPRESSION: 0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> ><img src="images/pixel_trans.gif" border="0" alt="" width="100%
>
> Question: how is that even something to be 'suspicious' of? There is zero
> context around it, let alone a match on an iframe tag.
>
> Similarly:
> VIRUS NAME: Html.Trojan.Hidelink-6390190-0
> TDB: Engine:51-255,FileSize:16384-65536,Target:0
> LOGICAL EXPRESSION: 0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> <![CDATA[ */
> var dropdown = document.getElementById("cat");
> fu
>
> This seems like a common technique for generating dropdown menus in CMS
> applications.
>
> Maarten
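An added example, not part of the original thread and not ClamAV project code: a small Python parser for decoded-signature blocks in the layout quoted above, listing signatures whose whole detection is a single subsignature matched at any offset, the pattern questioned in the report. The function names are hypothetical, and the second sample block (`Constructed.Example-0`) is constructed for contrast.

```python
SAMPLE = '''VIRUS NAME: Html.Trojan.Iframe-6390207-0
TDB: Engine:51-255,FileSize:16384-65536,Target:3
LOGICAL EXPRESSION: 0
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
><img src="images/pixel_trans.gif" border="0" alt="" width="100%
VIRUS NAME: Constructed.Example-0
TDB: Engine:51-255,Target:3
LOGICAL EXPRESSION: 0&1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
constructed-marker-one
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
constructed-marker-two
'''  # first block is quoted from the page; the second is constructed

def parse_decoded(text):
    """Parse decoded logical-signature blocks (well-formed input assumed)."""
    sigs, in_body = [], False
    for raw in text.splitlines():
        key, _, val = (part.strip() for part in raw.strip().partition(":"))
        if key == "VIRUS NAME":
            sigs.append({"name": val, "tdb": {}, "expr": "", "subsigs": []})
        elif key == "TDB":  # comma-separated Key:Value pairs
            sigs[-1]["tdb"] = dict(kv.split(":", 1) for kv in val.split(","))
        elif key == "LOGICAL EXPRESSION":
            sigs[-1]["expr"] = val
        elif key.startswith("* SUBSIG ID"):
            sigs[-1]["subsigs"].append({"body": ""})
        elif key in ("+-> OFFSET", "+-> SIGMOD"):
            sigs[-1]["subsigs"][-1][key[4:].lower()] = val
        elif key != "+-> DECODED SUBSIGNATURE" and in_body:
            sigs[-1]["subsigs"][-1]["body"] += raw + "\n"  # body may span lines
            continue
        in_body = key == "+-> DECODED SUBSIGNATURE"
    return sigs

def review_queue(text):
    """(name, target) of signatures that are one subsig matched at any offset."""
    return [(s["name"], s["tdb"].get("Target")) for s in parse_decoded(text)
            if s["expr"] == "0" and len(s["subsigs"]) == 1
            and s["subsigs"][0].get("offset") == "ANY"]
```

`review_queue(SAMPLE)` returns only the Iframe signature; the constructed one is skipped because its logical expression requires two subsignatures.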