[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0
Eric Tykwinski
eric-list at truenet.com
Tue Aug 27 15:45:32 UTC 2019
Brian,
It's a straight text search for 6 strings.
Can't send the decode because it will be caught in my outbound.
# sigtool --find-sigs=Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs
Doesn't seem extremely likely for a lot of false positives to me, but ymmv.
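An added example, not code from either message in this thread: a small shell script that wraps the sigtool inspection step above and then suppresses the signature locally with a ClamAV .ign2 ignore file while the false-positive report is pending. The sigtool flags, the .ign2 mechanism (one signature name per line, loaded from the database directory) and the clamscan --exclude / clamd.conf ExcludePath alternatives are documented ClamAV features; the database path /var/lib/clamav, the file name local.ign2 and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect a ClamAV signature and
# suppress it locally until the FP report is handled.

SIG="Txt.Coinminer.Generic-7132166-0"

# Print the raw and decoded body of a signature. Requires sigtool and an
# installed daily database; skips quietly if sigtool is absent.
show_sig() {   # show_sig <signature-name>
  if ! command -v sigtool >/dev/null 2>&1; then
    echo "sigtool not installed; skipping decode" >&2
    return 0
  fi
  sigtool --find-sigs="$1" | sigtool --decode-sigs
}

# Append a signature name to an .ign2 ignore list, once only.
# ClamAV loads every *.ign2 file in its database directory and skips
# each signature named there, so the file must live next to daily.cvd.
add_ignore() {   # add_ignore <signature-name> <path-to-file.ign2>
  sig="$1"; file="$2"
  if [ -f "$file" ] && grep -qxF "$sig" "$file"; then
    return 0            # already listed
  fi
  printf '%s\n' "$sig" >> "$file"
}

# Count the entries in an ignore list (used to confirm add_ignore is
# idempotent).
ignore_count() {   # ignore_count <path-to-file.ign2>
  grep -c '' "$1"
}

# Only act when invoked as "sh script.sh demo"; otherwise just define
# the functions. The database directory is an assumption; override it
# with IGN2_FILE if your distribution uses another path. A narrower
# alternative is to skip only the offending file:
#   clamscan --exclude='/var/log/sid_changes\.log$' ...
# or, for clamd, ExcludePath ^/var/log/sid_changes\.log$ in clamd.conf.
if [ "${1:-}" = "demo" ]; then
  show_sig "$SIG"
  add_ignore "$SIG" "${IGN2_FILE:-/var/lib/clamav/local.ign2}"
  echo "ignore list now has $(ignore_count "${IGN2_FILE:-/var/lib/clamav/local.ign2}") entries"
fi
```

After adding the .ign2 file, restart clamd (or simply rerun clamscan) so the database, including the ignore list, is reloaded; remove the entry once the updated signatures no longer match the log file, otherwise a future genuine detection under that name would be silently skipped.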
________________________________________________________________
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf
Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users at lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0
Has anyone else seen a false positive from ClamAV, as a result of the August
24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was
added?
Specifically, we are seeing ClamAV think that the CoinMiner virus exists in a
cleartext file on Linux, even though CoinMiner is an executable virus
attacking Windows. The file causing the false positive is the
/var/log/sid_changes.log file, which is the text log file written by
PulledPork when it updates Snort IDS signatures. I would imagine anyone
running Snort, PulledPork and ClamAV on the same Linux machine would see
this false positive.
I submitted a false positive to ClamAV yesterday, but it may be that
whatever pattern that virus signature is looking for is too simplistic.
Brian