[clamav-users] FP with Java.Exploit.CVE_2012_1723-8
Sergio Fernandez
s.fernandez at albion.co.uk
Wed Mar 8 09:11:04 UTC 2017
> On 24 Jan 2017, at 14:42, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
>
> Thanks Mark. We're taking a look at this now.
>
> - Alain
>
> On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan <markjallan at gmail.com> wrote:
>
>> Hi,
>>
>> I've received a few reports of FPs with the signature
>> Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all
>> places, it's being detected in the scan log which could contain sensitive
>> information.
>>
>> Apart from the fact that it's very generic, looking only for a single
>> short string, I see it's also looking for the "ANY FILE" type (0). I've
>> seen this a number of times with FPs lately, why are java sigs written to
>> detect filetype 0 rather than type 12 which is specifically for Java
>> Classes?
>>
>> VIRUS NAME: Java.Exploit.CVE_2012_1723-8
>> TARGET TYPE: ANY FILE
>> OFFSET: *
>> DECODED SIGNATURE:
>> msf_/_x_/_PayloadX.class
>>
>> Cheers
>> Mark
>>
>> PS. I padded the decoded signature with underscores to avoid this email
>> being detected as infected.
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
Sergio Fernandez
Technical Consultant
Albion Computers Plc
112 Strand
London
WC2R 0AG
Tel: 0207 212 9060
Fax: 0207 240 6785
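
Added example, not part of the original thread and not ClamAV's own code: a simplified Python model of the target-type question Mark raises, showing the same body pattern hitting a plain-text scan log under target type 0 but not under type 12. The signature name, the pattern string, the log line and the stand-in class file are all constructed for illustration; only plain-hex `.ndb` bodies with offset `*` are modelled.

```python
# Simplified model of how a body signature's target type gates matching.
# Assumption: not ClamAV code; all names and sample data below are constructed.
from dataclasses import dataclass

TARGET_ANY, TARGET_JAVA_CLASS = 0, 12  # ClamAV target type numbers


@dataclass
class NdbSig:
    name: str
    target: int
    offset: str
    pattern: bytes


def parse_ndb(line: str) -> NdbSig:
    """Parse Name:TargetType:Offset:HexSignature (plain hex only, no wildcards)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return NdbSig(name, int(target), offset, bytes.fromhex(hexsig))


def is_java_class(data: bytes) -> bool:
    """Class files start with CAFEBABE, then minor and major version.
    Requiring major >= 45 separates them from Mach-O fat binaries,
    which share the same magic."""
    return (len(data) >= 8 and data[:4] == b"\xca\xfe\xba\xbe"
            and int.from_bytes(data[6:8], "big") >= 45)


def matches(sig: NdbSig, data: bytes) -> bool:
    """Apply the signature to data, honouring its target type."""
    if sig.offset != "*":
        raise ValueError("only offset '*' is modelled")
    if sig.target not in (TARGET_ANY, TARGET_JAVA_CLASS):
        raise ValueError("unmodelled target type")
    if sig.target == TARGET_JAVA_CLASS and not is_java_class(data):
        return False  # file type gate: non-class files are never searched
    return sig.pattern in data


# Constructed sample data (placeholder pattern, not the real signature body).
PATTERN = b"demo/pkg/SamplePayload.class"
SIG_ANY = parse_ndb(f"Example.Constructed.Sig-1:0:*:{PATTERN.hex()}")
SIG_JAVA = parse_ndb(f"Example.Constructed.Sig-1:12:*:{PATTERN.hex()}")
SCAN_LOG = b"/home/user/app.jar: demo/pkg/SamplePayload.class FOUND\n"
# Minimal stand-in with a class-file header (major version 52), not a valid class.
CLASS_FILE = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8 + PATTERN
```
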