[clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

Mark Foley mfoley at novatec-inc.com
Thu Feb 16 21:16:49 UTC 2017


On Thu, 16 Feb 2017 21:21:06 +0100 Reindl Harald <h.reindl at thelounge.net> wrote:

> Am 16.02.2017 um 21:17 schrieb Mark Foley:
> > I am running a scheduled clamscan on the IMAP mail folders. The command is:
> >
> > /usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout --infected \
> > --recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/
> >
> > This scan turns up the following:
> >
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > This email has 4 .pdf attachments.  When I run clamscan manually on any of them
> > I get no infections:
> >
> > $ clamscan --detect-pua=yes --scan-ole2=yes 2011.06.08\ Notification\ of\ Distribution.pdf
> > 2011.06.08 Notification of Distribution.pdf: OK
>
> why --scan-ole2=yes when you scan a pdf?
> --scan-pdf makes more sense

For hopefully consistent results, I was using the same clamscan switches the scheduled
clamscan job used. With those switches (plus --scan-mail=yes) the scheduled
clamscan found the infections. I didn't use --scan-mail=yes in my manual test
because I had unpacked the attachments from the email.

In any case, running clamscan --scan-pdf also turned up no infections:

So the question stands: why does it find infections when run on the mail file,
but not on the attachments (or mail body text) when run manually?

--Mark
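A triage helper for the discrepancy described in the post (added example, not code from the thread or from ClamAV): it decodes each MIME attachment straight out of the maildir file, so a per-file scan sees exactly the bytes ClamAV's mail parser decodes rather than a copy re-saved by a mail client, and it runs clamscan with the scheduled job's switches on whatever paths it is given. It assumes a clamscan binary on PATH for the scan step; the sample message is constructed.

```python
import email, shutil, subprocess
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Switches from the scheduled job in the post plus --scan-pdf (assumes clamscan on PATH).
CLAMSCAN_OPTS = ["-a", "--detect-pua=yes", "--no-summary", "--stdout",
                 "--infected", "--allmatch", "--scan-mail=yes", "--scan-pdf=yes"]

def build_sample_message() -> bytes:
    """Constructed sample (not a real message from the thread): a text body plus
    two tiny 'PDF' attachments, base64-encoded as a mail client would send them."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    m.set_content("body text")
    for n in ("a", "b"):
        m.add_attachment(f"%PDF-1.4 sample {n}".encode(), maintype="application",
                         subtype="pdf", filename=f"sample-{n}.pdf")
    return m.as_bytes()

def extract_attachments(raw_message: bytes, out_dir) -> list:
    """Decode every attachment part exactly as it sits in the message and write
    it under out_dir, so a per-file scan gets the same bytes the mail parser
    produced (not a copy re-saved by a mail client). Returns the written paths."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for i, part in enumerate(msg.iter_attachments()):
        name = Path(part.get_filename() or f"part-{i}.bin").name  # strip any dirs
        target = out_dir / name
        target.write_bytes(part.get_payload(decode=True))
        written.append(target)
    return written

def scan_paths(paths) -> dict:
    """Run clamscan on each path; collect signature names from lines ending in
    ' FOUND'. clamscan exit status: 0 clean, 1 something matched, 2 scan error."""
    clamscan = shutil.which("clamscan")
    if clamscan is None:
        raise RuntimeError("clamscan not found on PATH")
    results = {}
    for p in paths:
        proc = subprocess.run([clamscan, *CLAMSCAN_OPTS, str(p)],
                              capture_output=True, text=True)
        hits = [ln.rsplit(": ", 1)[1][: -len(" FOUND")]
                for ln in proc.stdout.splitlines() if ln.endswith(" FOUND")]
        results[str(p)] = hits
    return results
```

Pass scan_paths the maildir file together with its extracted parts: with --allmatch the message-level result names the part that matched, so that part can be compared byte for byte against the file that scans clean on its own.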
