[clamav-users] CVE_2021_4034-9951522 false positives on node executables

G.W. Haywood clamav at jubileegroup.co.uk
Mon Aug 1 10:20:57 UTC 2022


Hi there,

On Mon, 1 Aug 2022, Viktor Rosenfeld via clamav-users wrote:

> about a month ago I reported a possible false positive on nodejs
> executables and related files [1]. After checking with Jotti’s Virus
> Scan and Virustotal, I also (twice) submitted the files to the
> ClamAV website as false positives [2].
> 
> I haven’t received a notification after the false positive
> submissions and, meanwhile, newer versions of nodejs are still
> reported as being infected.
> 
> What else can I do to verify that this is indeed a false positive?
>
> Best,
> Viktor
>
> [1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
> [2] https://www.clamav.net/reports/fp

If this is indeed a false positive, given the popularity of node.js
I'm a little surprised that you're still seeing ClamAV hits as I'd
have expected the ClamAV signature team to be onto it fairly promptly.

The signature database has the facility to whitelist falsely flagged
files using a digest.  These are propagated with the 'daily' updates.
Are you sure that your signature database is up to date?  What version
of 'daily' do you have?

If you can post an example file somewhere for me to download I can
take a look at it.  (Alternatively post a link to where you got the
file, AND the MD5 digest of the file that ClamAV is flagging so that
we all know that we're looking at the same thing.)

Micah, may we have an authoritative opinion on the use of the virusdb
mailing list to report things like this?  I feel sure that a while ago
in one of your messages to this list you gave an email alternative to
the Web form for FP submissions.  If indeed such a message exists (and
I haven't found it) I can't remember what that alternative might be.

-- 

73,
Ged.
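
Added example, not part of the original message: a small Python helper that produces the digest Ged asks for and checks it against allow-list entries. It assumes the `md5:size:name` line layout that `sigtool --md5` prints and that local `.fp` files use; the function names, file name and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile


def fp_entry(path, chunk_size=1 << 20):
    """Return 'md5:size:name' for a file, streaming so large binaries are fine."""
    # MD5 is used only to identify the file, not as a security control.
    md5 = hashlib.md5(usedforsecurity=False)
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            size += len(chunk)
    return f"{md5.hexdigest()}:{size}:{os.path.basename(path)}"


def is_allowlisted(path, fp_lines):
    """True if any 'md5:size:name' line matches the file's digest and size."""
    digest, size, _ = fp_entry(path).split(":", 2)
    for line in fp_lines:
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        # A size of '*' matches any file size.
        if fields[0].lower() == digest and fields[1] in ("*", size):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample standing in for the flagged executable.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "node")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        entry = fp_entry(sample)
        print("digest to post to the list:", entry.split(":")[0])
        print("candidate .fp line:", entry)
        print("already allow-listed:", is_allowlisted(sample, [entry]))
```

Posting the digest alongside the download link lets everyone confirm they are scanning the same bytes before anyone treats the detection as a false positive.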

