[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0
eric-list at truenet.com
Tue Aug 27 11:45:32 EDT 2019
Its a straight text search for 6 strings.
Cant send the decode because it will be caught in my outbound.
# sigtool find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool decode-sigs
Doesnt seem extremely likely for a lot of false positives to me, but ymmv.
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf
Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users at lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0
Has anyone else seen a false positive from ClamAV, as a result of the August
24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was
Specifically, we are seeing ClamAV think that CoinMiner virus exists in a
cleartext file on Linux, even though CoinMiner is an executable virus
attacking Windows. The file causing the false positive is the
/var/log/sid_changes.log file, which is the text log file written by
PulledPork when it updates Snort IDS signatures. I would imagine anyone
running Snort, PulledPork and ClamAV on the same Linux machine would see
this false positive.
I submitted a false positive to ClamAV yesterday, but it may be that
whatever pattern that virus signature is looking for is too simplistic.
More information about the clamav-users