[clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

Al Varnell alvarnell at mac.com
Wed May 23 19:25:38 EDT 2018


Resending in case the first doesn't get through...

On Wed, May 23, 2018 at 07:38 AM, Noel Jones wrote:
> On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
>> We're getting frequent false positives from ClamAV for
>> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
>> Googling that virus name only turns up a few hits on virscan.org which
>> seem to be indicating a tendency of that signature to trigger on
>> logfiles and the like, but no actual information about the threat.
>> 
>> What is that signature trying to detect?
>> Is this a Known Problem?
>> What's the best way handle it?
>> 
> 
> This signature looks for a string of binary characters.

It could also be a string of ASCII characters (not included, to prevent this e-mail from being detected as infected), but the same advice would apply.

> It's not generally useful to run clamscan on pseudo-random data such
> as a tcpdumps, logfiles, raw disk images, etc. False positives can
> be expected from signatures that look for strings of binary characters.
> 
> You can tell clam to ignore this particular signature by adding the
> name to a text file named local.ign2 (or any name ending in .ign2)
> in the same directory where the clam databases live.
> 
> # local.ign2
> Win.Exploit.Unicode_Mixed-1
> 
> However, I wouldn't be surprised if the dump starts hitting some
> other binary signature if you ignore this one.
> 
> I think the best way to handle this is "don't scan pseudo-random files"
> 
>  -- Noel Jones
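Noel's two suggestions (list the signature in a .ign2 file, and keep capture files out of the scan) as an added shell example; this is not code from the thread or from the ClamAV project. It assumes the database directory is /var/lib/clamav unless DB_DIR is set, and that capture and log files are recognised by extension.

```shell
#!/bin/sh
# Added example, not from the thread: maintain a local.ign2 whitelist idempotently
# and scan a tree while skipping pseudo-random capture files.
# Assumption: DB_DIR is ClamAV's DatabaseDirectory (default /var/lib/clamav).
DB_DIR="${DB_DIR:-/var/lib/clamav}"

# Append a signature name to an .ign2 file unless it is already listed.
# .ign2 files hold one bare signature name per line; '#' starts a comment.
add_ign2_entry() {
    sig="$1"
    ign="${2:-$DB_DIR/local.ign2}"
    # Signature names are dotted identifiers such as Win.Exploit.Unicode_Mixed-1;
    # reject anything else so a stray line cannot corrupt the file.
    case "$sig" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing malformed signature name: $sig" >&2
            return 1 ;;
    esac
    [ -f "$ign" ] || printf '# local.ign2 - locally ignored signatures\n' > "$ign"
    if grep -qxF "$sig" "$ign"; then
        return 0   # already present, nothing to do
    fi
    printf '%s\n' "$sig" >> "$ign"
}

# Number of signatures currently ignored (comment and blank lines excluded).
ign2_count() {
    grep -Ecv '^(#|$)' "${1:-$DB_DIR/local.ign2}" || true
}

# Scan a directory recursively but skip capture and log files, which are
# effectively pseudo-random and keep tripping byte-pattern signatures.
# --exclude takes a regular expression matched against the file path.
scan_skipping_captures() {
    clamscan -r --exclude='\.(pcap|pcapng|cap|log)$' "$1"
}
```

After editing local.ign2, restart clamd (or wait for its database reload) so the new ignore list takes effect.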