[clamav-users] False positive -- I hope

Paul Kosinski clamav-users at iment.com
Sun Jan 28 19:54:04 UTC 2018


Using clamav.0.99.3 to scan the latest Firefox ESR (52.6.0), and using
various extra signatures from Sane Security, I get:

  firefox-52.6.0-esr-32.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
  firefox-52.6.0-esr-64.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

I get the same with Thunderbird (52.6.0):

  thunderbird-52.6.0-esr-32.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
  thunderbird-52.6.0-esr-64.tar.bz2: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

I *think* that this signature flags *all* zipped JS files, and (IIRC)
both Firefox and Thunderbird have JS-containing JAR files. I hope that
is all it is. 

P.S. My download script cleans up the filenames to make them easier to
understand and also removes spaces, which make the filenames awkward as
command line arguments.
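
One way to test the guess above about zipped JS, as an added example that is not part of the original post: it lists the .js entries inside every ZIP-format member (JAR files included) of a tarball without extracting anything to disk. The function names and the sample archive are constructed for illustration, and the code does not evaluate the signature itself.

```python
import io
import tarfile
import zipfile


def js_in_zip_members(tar_bytes):
    """Map each ZIP-format tar member to the sorted .js entries it holds."""
    hits = {}
    # "r:*" lets tarfile detect the compression (bz2 for these downloads).
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, links and devices
            buf = io.BytesIO(tar.extractfile(member).read())  # in memory only
            if not zipfile.is_zipfile(buf):
                continue
            try:
                with zipfile.ZipFile(buf) as zf:
                    js = [n for n in zf.namelist() if n.lower().endswith(".js")]
            except zipfile.BadZipFile:
                continue  # looked like a ZIP but could not be parsed
            if js:
                hits[member.name] = sorted(js)
    return hits


def build_sample():
    """Constructed sample: a tar.bz2 holding one JAR with JS and one text file."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("chrome/content/browser.js", "// constructed sample\n")
        zf.writestr("chrome/content/util.js", "// constructed sample\n")
        zf.writestr("chrome/skin/style.css", "/* constructed sample */\n")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:bz2") as tar:
        for name, data in (("app/sample.jar", jar.getvalue()),
                           ("app/README", b"plain text\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()


if __name__ == "__main__":
    for member, names in js_in_zip_members(build_sample()).items():
        print(f"{member}: {len(names)} .js entries, e.g. {names[0]}")
```

A non-empty result shows only that the archive contains zipped JS; it does not by itself confirm that the detection is a false positive.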


