[clamav-users] FP with Java.Exploit.CVE_2012_1723-8

Mark Allan markjallan at gmail.com
Tue Jan 24 10:53:47 UTC 2017


Hi,

I've received a few reports of FPs with the signature Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all places, it's being detected in the scan log, which could contain sensitive information.

Apart from the fact that it's very generic, looking only for a single short string, I see it's also looking for the "ANY FILE" type (0). I've seen this a number of times with FPs lately. Why are Java sigs written to detect filetype 0 rather than type 12, which is specifically for Java Classes?

	VIRUS NAME: Java.Exploit.CVE_2012_1723-8
	TARGET TYPE: ANY FILE
	OFFSET: *
	DECODED SIGNATURE:
	msf_/_x_/_PayloadX.class

Cheers
Mark

PS. I padded the decoded signature with underscores to avoid this email being detected as infected.
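
The following is an added example, not part of the original message and not ClamAV code: a small lint for `.ndb`-style body signatures that flags the pattern described above (target type 0, offset `*`, one short literal) and shows why a plain-text scan log matches under type 0 but not under type 12. The signature name, literal, log line, length threshold and the "class-file magic" check standing in for ClamAV's file typing are all constructed assumptions.

```python
from dataclasses import dataclass

TARGET_ANY, TARGET_JAVA = 0, 12   # ClamAV target types: 0 = any file, 12 = Java class
MIN_LITERAL_BYTES = 32            # hypothetical lint threshold, not a ClamAV setting
CLASS_MAGIC = b"\xca\xfe\xba\xbe" # first four bytes of a Java class file

@dataclass
class NdbSig:
    name: str
    target: int
    offset: str
    body: str                     # hex body; may contain wildcards

def parse_ndb(line):
    # Format: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
    name, target, offset, body = line.strip().split(":")[:4]
    return NdbSig(name, int(target), offset, body.lower())

def literal_bytes(sig):
    """Decoded body if it is one plain literal (no wildcards), else None."""
    try:
        return bytes.fromhex(sig.body)
    except ValueError:
        return None

def lint(sig):
    findings = []
    lit = literal_bytes(sig)
    if sig.target == TARGET_ANY and sig.offset == "*":
        findings.append("matches at any offset in any file type")
        if lit is not None and len(lit) < MIN_LITERAL_BYTES:
            findings.append(f"body is a single {len(lit)}-byte literal")
    return findings

def would_match(sig, data):
    """Simplified model: a type 12 signature is only applied to class-file data."""
    lit = literal_bytes(sig)
    if lit is None:
        return False              # wildcard bodies are out of scope here
    if sig.target == TARGET_JAVA and not data.startswith(CLASS_MAGIC):
        return False
    return lit in data

# Constructed sample data (not the real signature or a real log).
LITERAL = b"demo/pkg/SamplePayload.class"
SIG_ANY = parse_ndb(f"Constructed.Test.Sig-1:0:*:{LITERAL.hex()}")
SIG_JAVA = parse_ndb(f"Constructed.Test.Sig-1:12:*:{LITERAL.hex()}")
SCAN_LOG = b"/tmp/a.jar!demo/pkg/SamplePayload.class: Constructed.Test.Sig-1 FOUND\n"
CLASS_FILE = CLASS_MAGIC + b"\x00\x00\x00\x33" + LITERAL
```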



