[clamav-users] Many reports / false positives since a couple of days
Al Varnell
alvarnell at mac.com
Tue Jul 31 09:17:45 UTC 2018
It helps the signature team locate those submitted files faster if you post their hash values here.
-Al-
On Tue, Jul 31, 2018 at 01:53 AM, Albrecht, Peter wrote:
> Hello,
>
> Since Saturday (2018-07-28) we are seeing many reports from clamscan having
> found (possibly) infected files. I suspect these are false positives because checking
> the files on virustotal.com returns only clamav reporting them as infected.
>
> The reported files are mostly jar files used by our applications (e.g. httpclient-*.jar,
> httpcore-*.jar in different versions). These are the signatures which produce most
> of the reports:
>
> Html.Malware.Agent-6625161-0
> Html.Malware.Agent-6625163-0
> Html.Malware.Agent-6625207-0
> Html.Malware.Agent-6625208-0
> Html.Malware.Agent-6625209-0
> Html.Malware.Agent-6625345-0
>
> Currently, we have whitelisted the above signatures. I suspect that it is an error
> in the database because that's the only thing that has changed since Friday. We
> are using clamav 0.99.4 and 0.100.0 on Linux with a daily update of the virus
> signatures.
>
> I have uploaded the file which generated the most reports yesterday to clamav.net
> and requested double-checking if that would be a false positive.
>
> Does anybody else see such a behaviour? Any ideas of what might be the reason?
> Any suggestions what to do? Whitelisting all reported signatures would not be our
> preferred solution ...
>
> Thanks a lot,
>
> Peter Albrecht
> Senior Linux Administrator
>
> Wirecard Service Technologies GmbH
> Einsteinring 35 | 85609 Aschheim | Germany
> Tel: +49 (0) 89 4424-191076
> https://www.wirecard.com
-Al-
--
Al Varnell
Mountain View, CA
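
Added example, not part of the original message and not ClamAV's own tooling: one way to collect the hash values requested above from saved clamscan output, grouped by signature so identical jars are listed once. It assumes the usual `<path>: <signature> FOUND` report lines; the function names and the sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# clamscan prints one line per detection: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_detections(report_text):
    """Return (path, signature) pairs; OK lines and the scan summary are skipped."""
    matches = (FOUND_RE.match(line.strip()) for line in report_text.splitlines())
    return [(m.group("path"), m.group("sig")) for m in matches if m]

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def hashes_by_signature(report_text):
    """Map signature -> {sha256: [paths]}; copies of the same jar collapse to one hash."""
    grouped = defaultdict(lambda: defaultdict(list))
    for path, sig in parse_detections(report_text):
        try:
            key = sha256_of(path)
        except OSError:
            key = "UNREADABLE"  # file moved or quarantined since the scan
        grouped[sig][key].append(path)
    return grouped

def format_for_list(grouped):
    """Render a short plain-text summary suitable for pasting into a list reply."""
    lines = []
    for sig in sorted(grouped):
        lines.append(sig)
        for key, paths in sorted(grouped[sig].items()):
            lines.append(f"  {key}  {Path(paths[0]).name}  ({len(paths)} path(s))")
    return "\n".join(lines)

if __name__ == "__main__":  # demo on constructed files and a made-up report
    with tempfile.TemporaryDirectory() as tmp:
        jars = [Path(tmp, n) for n in ("app1-httpclient.jar", "app2-httpclient.jar")]
        for jar in jars:
            jar.write_bytes(b"constructed sample bytes")
        report = "".join(f"{jar}: Html.Malware.Agent-6625161-0 FOUND\n" for jar in jars)
        print(format_for_list(hashes_by_signature(report + f"{tmp}/ok.txt: OK\n")))
```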