[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

Brian Cole cole at echoworx.com
Tue Aug 27 11:00:59 EDT 2019

Has anyone else seen a false positive from ClamAV as a result of the August 24 signature update, when the signature Txt.Coinminer.Generic-7132166-0 was added?

Specifically, we are seeing ClamAV think that the CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an executable virus attacking Windows. The file causing the false positive is the /var/log/sid_changes.log file, which is the text log file written by PulledPork when it updates Snort IDS signatures. I would imagine anyone running Snort, PulledPork and ClamAV on the same Linux machine would see this false positive.

I submitted a false positive to ClamAV yesterday, but it may be that whatever pattern that virus signature is looking for is too simplistic.

