[clamav-users] is this realy a positive? Html.Trojan.Exploit-112 FOUND

Matthew Molyett mmolyett at sourcefire.com
Wed Mar 6 10:41:40 EST 2019


Henrik,

The reference file that we have for that signature appears to
contain CVE-2006-3227.

If you can share the file then use the FP reporting option <
http://www.clamav.net/reports/fp> to have the signature reassessed.

Thank you.

On Mon, Mar 4, 2019 at 3:57 AM Al Varnell via clamav-users <
clamav-users at lists.clamav.net> wrote:

> It's been in the database for many years, so doubt that it's invalid, but
> could still be an FP in your specific case. The signature looks like this:
>
> VIRUS NAME: Html.Trojan.Exploit-112
> TARGET TYPE: HTML
> OFFSET: *
> bc f3 e3 f2 e9 f0 f4
> [I padded the hex string with spaces to prevent this e-mail from being
> detected].
>
> ClamAV doesn't publish detailed information most of it's signatures. Only
> the original signature writer might have it in his notes and I doubt he
> still works for them. Each vendor uses it's own unique name for signatures,
> so it's no wonder you weren't able to find anything, although I did find
> this from Dec 2017 which appears to believe it might be a False Positive
> from a Time Machine backup: <
> https://forum.qnapclub.de/thread/45902-virenfund-timemachinebackup-wie-finde-ich-die-dateien-auf-dem-macbook/
> >.
>
> You should upload that file to <https://www.virustotal.com> to help make
> your case.
>
> Then it should be uploaded to <http://www.clamav.net/reports/fp> so that
> it get's to the ClamAV signature team for resolution.
>
> You may get faster results if you post the link to VirusTotal results and
> a hash value for the file back here, to make it easier for all to help
> resolve it.
>
> -Al-
>
> > On Mar 4, 2019, at 00:24, Henrik Hoeg Thomsen1 via clamav-users <
> clamav-users at lists.clamav.net> wrote:
> >
> > Our Clamav scan just reported this signature to be forund in one of my
> syslogarchives.
> >
> > Html.Trojan.Exploit-112 FOUND
> >
> > My best guess is that it is false-positive, as  this filesystem is
> totally isolated from any interactive user access.
> >
> > But where can i find the details behind this alert ?
> >
> > Google has no match on this.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 

Matthew Molyett
Malware Researcher

mmolyett at cisco.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190306/ba8c56f3/attachment.html>


More information about the clamav-users mailing list