[clamav-users] Html.Malware.Agent-7380889-0 false positive on Apache files?
Al Varnell
alvarnell at mac.com
Wed Nov 13 01:13:24 UTC 2019
The offending signature was previously posted, along with its location in the daily.hdb section of the daily.cld/.cvd signature database:
[daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
You should see that it is dropped in the next daily update around eight hours from now.
-Al-
> On Nov 12, 2019, at 14:05, Christina Qian <christina.qian at ayasdi.com> wrote:
>
> Hi Alain,
>
> Thank you very much for your quick response. May I ask what's the offending signature, where it was located, and how was it removed? Thanks.
>
> Christina Qian
>
>
> On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidouemba at sourcefire.com <mailto:azidouemba at sourcefire.com>> wrote:
> The alert was a false positive, and the offending signature has been removed.
>
> Thanks,
>
> -Alain
>
> On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>> wrote:
> That's a hash signature. My guess is that there's a 315-byte file inside the jar that was marked. The 2.4 version of fop has a 315-byte class file (PDFColorSpace.class) in it with a different MD5 hash. You might want to unpack the fop.jar and see if any of the files there match. Chances are some piece of malware included something similar that got included in the signature creation process.
>
> [daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>
>
> On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykeller at decisionlens.com <mailto:andykeller at decisionlens.com>> wrote:
> Hi group –
>
> We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t been updated since March 2019 and I’m tempted to say this is a false positive (our Nessus server is also completely unreachable from the internet), but haven’t seen any traffic on this listserv and Google hasn’t helped much. Anybody have any similar hits?
>
> --
>
> Andy Keller
> Director, Information Security and Compliance | CISSP, CCSK, Security+ | Decision Lens
> <http://www.decisionlens.com/>andykeller at decisionlens.com <mailto:andykeller at decisionlens.com>
> o: (703) 215-8282
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
> https://lists.clamav.net/mailman/listinfo/clamav-users <https://lists.clamav.net/mailman/listinfo/clamav-users>
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq <https://github.com/vrtadmin/clamav-faq>
>
> http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>
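The check Maarten suggests above (unpack the jar and see which member matches the hash signature) as a script. This is an added example, not ClamAV's or Apache FOP's own code. A ClamAV hash signature is `HASH:FILESIZE:MALWARENAME[:MINFLEVEL]`; both the digest and the size must match, so a single 315-byte member with the right MD5 is enough to flag the whole archive, and the size field doubles as a cheap pre-filter. The jar the script builds is a constructed stand-in whose member contents are made up; the member name PDFColorSpace.class is borrowed from the thread only as a label, and the helper names (`parse_hash_sig`, `find_matching_members`, `build_sample_jar`, `hash_sig_for`) are this example's own.

```python
"""Find which member of a jar/zip would trigger a ClamAV hash signature.

Added example, not ClamAV's or Apache FOP's code. The hash algorithm is
inferred from the digest length (32 hex = MD5, 40 = SHA-1, 64 = SHA-256),
matching the layouts ClamAV uses for its .hdb (MD5) and .hsb (SHA-1/SHA-256)
hash databases.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_sig(line: str) -> Tuple[str, str, int, str]:
    """Parse 'HASH:SIZE:NAME[:FLEVEL]'; a leading '[daily.hsb] ' tag is skipped."""
    if line.startswith("["):
        line = line.split("]", 1)[1]
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("not a hash signature: %r" % line)
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    if len(digest) not in HASH_ALGO_BY_LEN:
        raise ValueError("unsupported digest length %d" % len(digest))
    return HASH_ALGO_BY_LEN[len(digest)], digest, int(size), name


def find_matching_members(jar_bytes: bytes, sig_line: str) -> List[str]:
    """Return archive member names whose (size, digest) match the signature."""
    algo, digest, size, _name = parse_hash_sig(sig_line)
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            # size is part of the signature, so skip everything else unread
            if info.is_dir() or info.file_size != size:
                continue
            if hashlib.new(algo, zf.read(info)).hexdigest() == digest:
                hits.append(info.filename)
    return hits


def build_sample_jar() -> Tuple[bytes, Dict[str, bytes]]:
    """Constructed stand-in for fop.jar; member contents are made up."""
    members = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        # 315-byte member the constructed signature below will hit
        "org/apache/fop/pdf/PDFColorSpace.class": b"\xca\xfe\xba\xbe" + b"A" * 311,
        # same size, different content: must not match
        "org/apache/fop/pdf/Other.class": b"\xca\xfe\xba\xbe" + b"B" * 311,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue(), members


def hash_sig_for(data: bytes, name: str, algo: str = "md5") -> str:
    """Build the hash-signature line that would match `data` exactly."""
    return "%s:%d:%s" % (hashlib.new(algo, data).hexdigest(), len(data), name)


if __name__ == "__main__":
    jar, members = build_sample_jar()
    sig = hash_sig_for(members["org/apache/fop/pdf/PDFColorSpace.class"],
                       "Html.Malware.Agent-7380889-0")
    print("signature:", sig)
    print("matching members:", find_matching_members(jar, sig))
    # On a real install you would pass the jar's bytes and the line from the
    # clamscan output, e.g. the "[daily.hsb] 94d1...:315:..." line above.
```

Against the real fop.jar you would read the file from disk and pass the signature line exactly as clamscan printed it; if nothing matches but some members have the signature's size, those are the candidates Maarten narrowed down by eye, and their digests are what to compare when reporting a false positive.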