[clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

Al Varnell alvarnell at mac.com
Wed May 23 06:18:42 EDT 2018

On Wed, May 23, 2018 at 02:43 AM, Tilman Schmidt wrote:
> We're getting frequent false positives from ClamAV for
> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
> Googling that virus name only turns up a few hits on virscan.org which
> seem to be indicating a tendency of that signature to trigger on
> logfiles and the like, but no actual information about the threat.

It's a relatively old signature as indicated by the fact it's in the main.cvd.

> What is that signature trying to detect?

$ sigtool -fWin.Exploit.Unicode_Mixed-1
[main.ndb] Win.Exploit.Unicode_Mixed-1:0:*:6a5841514144415a41424152414c41594149415141494151414941684141415a3141494149414a31314149414941424142414251493141495149414951493131314149414a5159415a4241424142414241426b4d4147423975344a42

> Is this a Known Problem?

Probably not since you are the first to report it here, after all this time.

Here's an example where 33 other scanners found one such file to be infected, which may give you a better idea of what the threat is:

Al Varnell
Mountain View, CA
ClamXAV User
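
An added illustration, not part of the original message and not ClamAV code: a Python sketch that reads the sigtool output above as an extended (.ndb) signature (Name:TargetType:Offset:HexSignature) and reports what it matches. The function names and the sample inputs are constructed for this example, and it handles only wildcard-free bodies with target type 0 and offset `*`.

```python
import string

# Signature line exactly as sigtool printed it in the message above.
SIG_LINE = (
    "Win.Exploit.Unicode_Mixed-1:0:*:"
    "6a5841514144415a41424152414c41594149415141494151414941684141415a"
    "3141494149414a31314149414941424142414251493141495149414951493131"
    "314149414a5159415a4241424142414241426b4d4147423975344a42"
)

# Target-type codes from the ClamAV signature documentation (subset).
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail"}
ALNUM = set((string.ascii_letters + string.digits).encode())

def parse_ndb(line):
    """Split an extended signature into its four leading fields."""
    name, target, offset, body = line.strip().split(":")[:4]
    if any(c not in string.hexdigits for c in body):
        # Wildcards (??, *, {n}, alternations) are outside this example's scope.
        raise ValueError("body contains wildcards; plain hex only")
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(body)}

def describe(sig):
    """Summarise how broadly the signature applies."""
    return {
        "scope": TARGET_TYPES.get(sig["target"], "other"),
        "anywhere": sig["offset"] == "*",
        "length": len(sig["pattern"]),
        "alphanumeric_only": all(b in ALNUM for b in sig["pattern"]),
    }

def matches(sig, data):
    """Substring test; only valid for target 0, offset '*', no wildcards."""
    if sig["target"] != 0 or sig["offset"] != "*":
        raise ValueError("this sketch only models any-file, any-offset signatures")
    return sig["pattern"] in data

def demo():
    sig = parse_ndb(SIG_LINE)
    # Constructed inputs: pcap magic, filler and the pattern; and an unrelated log line.
    capture = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20 + b"payload=" + sig["pattern"] + b"\r\n"
    log = b"May 23 06:18:42 ids sensor[1]: alert on tcp/80\n"
    return describe(sig), matches(sig, capture), matches(sig, log)

if __name__ == "__main__":
    print(demo())
```

Because the body is plain alphanumeric text matched at any offset in any file type, a capture or log that merely contains that text is reported the same way as a file that uses it.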
