[clamav-users] is this realy a positive? Html.Trojan.Exploit-112 FOUND

[Al Varnell]

It's been in the database for many years, so doubt that it's invalid, but could still be an FP in your specific case. The signature looks like this:

VIRUS NAME: Html.Trojan.Exploit-112
TARGET TYPE: HTML
OFFSET: *
bc f3 e3 f2 e9 f0 f4
[I padded the hex string with spaces to prevent this e-mail from being detected].

ClamAV doesn't publish detailed information most of it's signatures. Only the original signature writer might have it in his notes and I doubt he still works for them. Each vendor uses it's own unique name for signatures, so it's no wonder you weren't able to find anything, although I did find this from Dec 2017 which appears to believe it might be a False Positive from a Time Machine backup: <https://forum.qnapclub.de/thread/45902-virenfund-timemachinebackup-wie-finde-ich-die-dateien-auf-dem-macbook/>.

You should upload that file to <https://www.virustotal.com> to help make your case.

Then it should be uploaded to <http://www.clamav.net/reports/fp> so that it get's to the ClamAV signature team for resolution.

You may get faster results if you post the link to VirusTotal results and a hash value for the file back here, to make it easier for all to help resolve it.

-Al-

> On Mar 4, 2019, at 00:24, Henrik Hoeg Thomsen1 via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> Our Clamav scan just reported this signature to be forund in one of my syslogarchives. 
> 
> Html.Trojan.Exploit-112 FOUND 
> 
> My best guess is that it is false-positive, as  this filesystem is totally isolated from any interactive user access. 
> 
> But where can i find the details behind this alert ? 
> 
> Google has no match on this. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3880 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190304/2bdba74d/attachment.bin>