[clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

Mark Foley mfoley at novatec-inc.com
Thu Feb 16 20:17:35 UTC 2017


I am running a scheduled clamscan on the IMAP mail folders. The command is:

/usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout --infected \
--recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/

This scan turns up the following:


/home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S: Win.Trojan.DarkKomet-5711346-0 FOUND

/home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND

This email has 4 .pdf attachments.  When I run clamscan manually on any of them
I get no infections:

$ clamscan --detect-pua=yes --scan-ole2=yes 2011.06.08\ Notification\ of\ Distribution.pdf
2011.06.08 Notification of Distribution.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 5832752
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.41 MB
Data read: 0.08 MB (ratio 5.20:1)
Time: 5.877 sec (0 m 5 s)

Why? This is making it difficult to determine if there is an actual problem.

This email is also from 2013, so unlikely it suddenly became infected.  I'm
assuming a new signature was added.  This "malware" (?) started being reported
February 1st.

I run freshclam twice a day.

Thanks --Mark
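
An added example, not part of the original post: it reads the two report lines quoted above, picks out the attachment name that clamscan printed after `MAIL:`, and extracts exactly that MIME part from the message so it can be scanned on its own. The line shape is inferred only from those two lines, the number in parentheses is not interpreted, the function names are hypothetical, and the sample message with its placeholder attachment bytes is constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shape of the two report lines in the post; the "!...!(N)TYPE:name" part is optional.
HIT = re.compile(r"^(?P<path>.+?)(?:!\.\.\.!\(\d+\)(?P<kind>\w+):(?P<member>.+?))?"
                 r": (?P<sig>\S+) FOUND$")

def flagged_members(report: str) -> dict:
    """Map message path -> set of embedded member names reported under it."""
    hits = {}
    for line in report.splitlines():
        m = HIT.match(line.strip())
        if m:
            names = hits.setdefault(m["path"], set())
            if m["member"]:
                names.add(m["member"])
    return hits

def extract_named(raw: bytes, wanted: set) -> dict:
    """Return {filename: decoded bytes} for MIME parts whose filename is in wanted."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a filename
        if name in wanted:
            found[name] = part.get_payload(decode=True)
    return found

def build_sample() -> bytes:
    """Constructed stand-in for the stored message: two placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name, data in (("2011.06.08 Notification of Distribution.pdf", b"%PDF-1.4 placeholder A"),
                       ("SEC_deficiency_letter_to_Timbervest.pdf", b"%PDF-1.4 placeholder B")):
        msg.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()

MSG_PATH = "/home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S"
REPORT = (MSG_PATH + ": Win.Trojan.DarkKomet-5711346-0 FOUND\n"
          + MSG_PATH + "!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND\n")

if __name__ == "__main__":
    wanted = flagged_members(REPORT)[MSG_PATH]
    for name, data in extract_named(build_sample(), wanted).items():
        # Write `data` to a scratch file and run clamscan on it to test that part alone.
        print(name, len(data), hashlib.sha256(data).hexdigest())
```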
