[clamav-users] FP with Java.Exploit.CVE_2012_1723-8
Alain Zidouemba
azidouemba at sourcefire.com
Tue Jan 24 14:42:21 UTC 2017
Thanks Mark. We're taking a look at this now.
- Alain
On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan <markjallan at gmail.com> wrote:
> Hi,
>
> I've received a few reports of FPs with the signature
> Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all
> places, it's being detected in the scan log which could contain sensitive
> information.
>
> Apart from the fact that it's very generic, looking only for a single
> short string, I see it's also looking for the "ANY FILE" type (0). I've
> seen this a number of times with FPs lately, why are java sigs written to
> detect filetype 0 rather than type 12 which is specifically for Java
> Classes?
>
> VIRUS NAME: Java.Exploit.CVE_2012_1723-8
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> msf_/_x_/_PayloadX.class
>
> Cheers
> Mark
>
> PS. I padded the decoded signature with underscores to avoid this email
> being detected as infected.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
More information about the clamav-users
mailing list