[clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0
Christopher Marczewski
cmarczewski at sourcefire.com
Fri Jun 24 18:01:23 UTC 2022
Build 26583 for daily.cvd is ready for use. We're also taking additional
steps and safety measures to ensure experimental signatures are not
eligible for additions to any published CVD.
On Fri, Jun 24, 2022 at 10:36 AM Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:
> This is a test signature that should have never made it through. We're
> immediately dropping it and pushing out a new build.
>
> On Fri, Jun 24, 2022 at 9:51 AM Maarten Broekman via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> It's 100% a bad signature and should get removed.
>>
>> I just checked the current version of the akismet plugin (
>> https://wordpress.org/plugins/akismet/) from WordPress and it is
>> detected by this signature but by nothing else:
>> https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
>>
>> https://www.virustotal.com/gui/file/8ae9cc337449fd0daa82e3f1c329689ecc4de8905244f97e401be6fe3af33704
>>
>> A month ago, this file wasn't detected by anything.
>>
>> I came in to work to find almost 2000 hits from this signature on zip
>> files ranging from WordPress plugins to zipped up log directories.
>>
>> --Maarten
>>
>> On Fri, Jun 24, 2022 at 9:12 AM G.W. Haywood via clamav-users <
>> clamav-users at lists.clamav.net> wrote:
>>
>>> Hi there,
>>>
>>> On Fri, 24 Jun 2022, Cyrille37 wrote:
>>>
>>> > I don't understand why, but it happened this morning on already existing
>>> > files (in the wp-cli cache folder):
>>> >
>>> > Start Date: 2022:06:24 12:15:01
>>> > End Date: 2022:06:24 12:15:17
>>> > /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip:
>>> > Archive.Test.Agent2-9953724-0 FOUND
>>> > ...
>>> > I could not find any discussions on the web about
>>> > "Archive.Test.Agent2-9953724-0" except this one:
>>> >
>>> > https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html
>>>
>>> The signature is mentioned in this morning's automated email from the
>>> ClamAV signatures database update process.
>>>
>>> I suspect that you're seeing a false positive, that's always a risk
>>> with new or updated signatures.
>>>
>>> Perhaps you can upload one of the flagged files to e.g. Jotti's Virus
>>> Scan or VirusTotal to see what a few other scanners make of it.
>>>
>>> --
>>>
>>> 73,
>>> Ged.
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/Cisco-Talos/clamav-documentation
>>>
>>> https://docs.clamav.net/#mailing-lists-and-chat
>>>
>
>
> --
> Christopher Marczewski
> Research Engineer, Talos
> Cisco Systems
> 443-832-2975
>
--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975