[clamav-users] Many reports / false positives since a couple of days

Al Varnell alvarnell at mac.com
Tue Jul 31 05:17:45 EDT 2018


It helps the signature team locate those submitted files faster if you post their hash values here.

-Al-

On Tue, Jul 31, 2018 at 01:53 AM, Albrecht, Peter wrote:
> Hello,
> 
> Since Saturday (2018-07-28) we are seeing many reports from clamscan having
> found (possibly) infected files. I suspect these are false positives because checking
> the files on virustotal.com <http://virustotal.com/> returns only clamav reporting them as infected.
> 
> The reported files are mostly jar files used by our applications (e.g. httpclient-*.jar,
> httpcore-*.jar in different versions). These are the signatures which produce most
> of the reports:
> 
> Html.Malware.Agent-6625161-0
> Html.Malware.Agent-6625163-0
> Html.Malware.Agent-6625207-0
> Html.Malware.Agent-6625208-0
> Html.Malware.Agent-6625209-0
> Html.Malware.Agent-6625345-0
> 
> Currently, we have whitelisted the above signatures. I suspect that it is an error
> in the database because that's the only thing that has changed since Friday. We
> are using clamav 0.99.4 and 0.100.0 on Linux with a daily update of the virus
> signatures.
> 
> I have uploaded the file which generated the most reports yesterday to clamav.net <http://clamav.net/>
> and requested doublechecking if that would be a false positive.
> 
> Does anybody else see such a behaviour? Any ideas of what might be the reason?
> Any suggestions what to do? Whitelisting all reported signatures would not be our
> preferred solution ...
> 
> Thanks a lot,
> 
> Peter Albrecht
> Senior Linux Administrator 
> 
> Wirecard Service Technologies GmbH
> Einsteinring 35 | 85609 Aschheim | Germany
> Tel: +49 (0) 89 4424-191076
> https://www.wirecard.com <https://www.wirecard.com/>
> ________________________________________________________________________________________________________
> 
> Amtsgericht München HRB Nummer 238 150
> 
> Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou
> 
> VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
> bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
> auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder 
> Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!
> 
> CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are 
> not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither 
> use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever. 
> Thank you for your cooperation.
> 
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq <https://github.com/vrtadmin/clamav-faq>
> 
> http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>

-Al-
-- 
Al Varnell
Mountain View, CA




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180731/bd8d2d71/attachment.html>


More information about the clamav-users mailing list