[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

Eric Tykwinski eric-list at truenet.com
Tue Aug 27 11:45:32 EDT 2019


Brian,

It’s a straight text search for 6 strings.
Can’t send the decode because it will be caught in my outbound.

# sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs

Doesn’t seem extremely likely for a lot of false positives to me, but ymmv.
________________________________________________________________

From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf
Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users at lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0


Has anyone else seen a false positive from ClamAV, as a result of the August
24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was
added ?

Specifically, we are seeing ClamAV think that CoinMiner virus exists in a
cleartext file on Linux, even though CoinMiner is an executable virus
attacking Windows.  The file causing the false positive is the
/var/log/sid_changes.log file, which is the text log file written by
PulledPork when it updates Snort IDS signatures. I would imagine anyone
running Snort, PulledPork and ClamAV on the same Linux machine would see
this false positive.

I submitted a false positive to ClamAV yesterday, but it may be that
whatever pattern that virus signature is looking for is too simplistic.


Brian
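The decode Eric could not post, in shape only: an added example (not from this thread and not ClamAV project code) that parses a constructed .ldb-style logical signature, decodes its hex subsignatures the way `sigtool --decode-sigs` would, and runs the same byte-exact substring search over two constructed log lines standing in for /var/log/sid_changes.log. The signature name, the three strings, the log lines and the simplified `evaluate` grammar are all assumptions; the real Txt.Coinminer.Generic-7132166-0 body is not reproduced here.

```python
"""Decode and evaluate a ClamAV-style logical (.ldb) text signature.

Added example with a constructed signature of the same shape as a
"straight text search for N strings": it shows why such a signature
can fire on a log file that merely names the things it looks for.
"""
import re

# Constructed sample in .ldb form: Name;Target;LogicalExpr;Subsig0;Subsig1;...
# Subsignatures are hex-encoded bytes, which is what `sigtool --decode-sigs`
# turns back into readable text. All three strings are placeholders.
SAMPLE_LDB = (
    "Txt.Example.Generic-0;Engine:51-255,Target:0;0&1&2;"
    "7374726174756d;786d726967;636f696e6d696e6572"
)

# Constructed log lines standing in for /var/log/sid_changes.log content.
CLEAN_LOG = b"Aug 24 03:15:01 sid_changes: no rule changes this run\n"
RULE_NAME_LOG = (
    b"Aug 24 03:15:01 sid_changes: enabled 1:1000001 "
    b"MALWARE-CNC coinminer stratum beacon; disabled 1:1000002 xmrig config\n"
)


def decode_subsig(hex_body: str) -> bytes:
    """Turn a plain hex subsignature into bytes (wildcards are rejected)."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_body):
        raise ValueError(f"wildcard or malformed subsignature: {hex_body!r}")
    return bytes.fromhex(hex_body)


def parse_ldb(line: str) -> dict:
    """Split one .ldb line into name, target block, expression and subsigs."""
    name, target, expr, *subsigs = line.strip().split(";")
    if not subsigs:
        raise ValueError("logical signature needs at least one subsignature")
    return {"name": name, "target": target, "expr": expr,
            "subsigs": [decode_subsig(s) for s in subsigs]}


def evaluate(expr: str, hits: list) -> bool:
    """Evaluate a logical expression over per-subsignature hit flags.

    Supports indices, '&', '|' and parentheses; '&' binds tighter than '|'
    (an assumption of this toy). ClamAV's grammar also has count operators
    such as '0>2'; those are rejected here rather than guessed at.
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0

    def atom() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = disj()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok in "&|)":
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        return hits[int(tok)]

    def conj() -> bool:
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value
        return value

    def disj() -> bool:
        nonlocal pos
        value = conj()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = conj() or value
        return value

    result = disj()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def scan_text(ldb_line: str, data: bytes) -> tuple:
    """Return (matched, per-subsig hits) for a case-sensitive substring search."""
    sig = parse_ldb(ldb_line)
    hits = [sub in data for sub in sig["subsigs"]]
    return evaluate(sig["expr"], hits), hits


if __name__ == "__main__":
    sig = parse_ldb(SAMPLE_LDB)
    print("decoded subsignatures:", [s.decode() for s in sig["subsigs"]])
    for label, blob in (("clean log", CLEAN_LOG), ("rule-name log", RULE_NAME_LOG)):
        matched, hits = scan_text(SAMPLE_LDB, blob)
        print(f"{label}: matched={matched} hits={hits}")
```

The second constructed log line satisfies every subsignature because PulledPork records rule messages, and a rule message naming a miner family can contain exactly the words a text signature searches for; nothing about the file being a Linux text log rather than a Windows executable enters into it when the target type is 0 (any file). Until the signature is corrected upstream, a local `.ign2` file listing the signature name is the standard ClamAV way to mute one false positive without disabling the rest of the database.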
