[clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

Alain Zidouemba azidouemba at sourcefire.com
Tue Aug 27 12:43:20 EDT 2019


The signature needs a little tweaking, and will be revised. Revision 0
(Txt.Coinminer.Generic-7132166-0) has been dropped and this will be
reflected in the next signature update.

- Alain

On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users <clamav-users at lists.clamav.net> wrote:

>
> Has anyone else seen a false positive from ClamAV, as a result of the
> August 24 signature update when the signature
> Txt.Coinminer.Generic-7132166-0 was added?
>
> Specifically, we are seeing ClamAV think that CoinMiner virus exists in a
> cleartext file on Linux, even though CoinMiner is an executable virus
> attacking Windows. The file causing the false positive is the
> /var/log/sid_changes.log file, which is the text log file written by
> PulledPork when it updates Snort IDS signatures. I would imagine anyone
> running Snort, PulledPork and ClamAV on the same Linux machine would see
> this false positive.
>
> I submitted a false positive to ClamAV yesterday, but it may be that
> whatever pattern that virus signature is looking for is too simplistic.
>
> …Brian
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml