[clamav-users] Lots of FP: Unix.Trojan.Mirai-5932143-0

demonduck demonduck at sourcefire.com
Wed Feb 5 13:49:35 UTC 2020


The offending signature will be dropped in the next daily.cvd and revised.
Until then, I'd suggest adding it to your local ignore database (.ign2).
See https://www.clamav.net/documents/whitelist-databases for
more information.

Thanks,
demonduck


On Wed, Feb 5, 2020 at 8:16 AM Mikael Bak <mikael.bak at techteamer.com> wrote:

> Hi list,
>
> Seems to me that the signature for this virus has to be reworked
> somehow. It is throwing lots of FP on Linux developer workstations.
>
> Here's the output from last night's scan:
>
> /snap/code/23/usr/share/code/code: Unix.Trojan.Mirai-5932143-0 FOUND
> /snap/spotify/36/usr/share/spotify/libcef.so: Unix.Trojan.Mirai-5932143-0
> FOUND
> /snap/bitwarden/21/bitwarden: Unix.Trojan.Mirai-5932143-0 FOUND
> /snap/slack/21/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND
> /opt/google/chrome-beta/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
> /opt/google/chrome/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
>
> Microsoft Visual Code (snap version)
> Spotify (snap version)
> Bitwarden (snap version)
> Slack (snap version)
> Google Chrome stable and beta from Google repository.
>
> I unpacked the daily database and searched for this virus and found
> this in daily.ldb:
>
> Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67
>
> I opened up one of the "infected" files in a hex editor and searched
> for the above patterns. Here is the clear text of what this signature
> searches for to trigger an alert:
>
> url=
> /cdn-cgi/
> POST
> watchdog
>
> Personally I think it's unreasonable to trigger a virus alert just
> because you can find the above strings in a binary. I think this rule
> should be deleted until it's fixed.
>
> Best regards,
> Mikael Bak
>
>
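To see mechanically why a clean binary trips this rule, here is an added example (mine, not code from ClamAV or from either poster) that parses the daily.ldb record quoted above, decodes the hex subsignatures to the clear-text strings Mikael listed, and evaluates the logical expression against a constructed byte buffer. It assumes plain hex subsignatures with no wildcards and evaluates `&`/`|` left to right; `ign2_line` produces the one-name-per-line entry that the local .ign2 whitelist demonduck suggests takes.

```python
import re
from dataclasses import dataclass

# The logical signature record as quoted in the mail above.
LDB_LINE = ("Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;"
            "0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67")

@dataclass
class LogicalSig:
    name: str
    tdb: str        # target description block, e.g. "Engine:51-255,Target:6"
    expr: str       # logical expression over subsignature indices
    subsigs: list   # decoded byte patterns, in index order

def parse_ldb(line):
    """Split an LDB record; assumes plain hex subsignatures (no ?? or * wildcards)."""
    name, tdb, expr, *hexsigs = line.strip().split(";")
    return LogicalSig(name, tdb, expr, [bytes.fromhex(h) for h in hexsigs])

def evaluate(sig, data):
    """Return (matched, per-subsig hit counts). A bare index N means subsig N hit
    at least once; N>K, N<K and N=K compare its hit count with K."""
    counts = [data.count(s) for s in sig.subsigs]
    tokens = re.findall(r"\d+[<>=]\d+|\d+|[&|()]", sig.expr)
    pos = 0
    def term():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            val = expr_(); pos += 1          # consume the closing ")"
            return val
        m = re.fullmatch(r"(\d+)([<>=])(\d+)", tok)
        if m:
            c, op, k = counts[int(m[1])], m[2], int(m[3])
            return {"<": c < k, ">": c > k, "=": c == k}[op]
        return counts[int(tok)] >= 1
    def expr_():
        nonlocal pos
        val = term()
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            op = tokens[pos]; pos += 1
            rhs = term()                     # left-to-right, no precedence (assumption)
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expr_(), counts

def ign2_line(sig):
    """Local whitelist entry: a .ign2 file lists one signature name per line."""
    return sig.name

# Constructed sample buffers standing in for a benign Electron-style binary.
HIT = b"\x00url=https://example.invalid/cdn-cgi/x\x00POST\x00POST\x00watchdog\x00watchdog\x00"
MISS = b"\x00url=http://example.invalid/\x00POST\x00watchdog\x00"
```

`evaluate(parse_ldb(LDB_LINE), HIT)` reports a match with hit counts `[1, 1, 2, 2]`, which is exactly the profile any program that builds HTTP requests and logs a watchdog will show.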