[clamav-users] false positives for firefox add-ons?

Christian abelschreck3 at freenet.de
Sat Jun 25 12:40:36 UTC 2022


Hello everyone, :-)


perhaps there's someone here who can help me with a curious phenomenon.

Every now and then I scan the directory where all the Firefox-related files reside.
This is my command:


clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2


Until now I always received a message that no viruses or malicious files were found.
Yesterday however (for the first time) I got this (I haven't changed anything since the last scan):



clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/

/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8619741
Engine version: 0.103.6
Scanned directories: 3315
Scanned files: 10867
Infected files: 7
Data scanned: 632.66 MB
Data read: 489.69 MB (ratio 1.29:1)
Time: 320.348 sec (5 m 20 s)
Start Date: 2022:06:24 16:36:42
End Date:   2022:06:24 16:42:02


Taking a closer look at the results, it seems that some extensions for Firefox were suddenly regarded as a virus of some sort.
They all have the .xpi extension:

.rw-r--r-- 609k rosika rosika 27 Mai 13:31 addon@darkreader.org.xpi
.rw------- 1,8M rosika rosika 14 Jul  2021 https-everywhere@eff.org.xpi
.rw------- 1,5M rosika rosika 20 Jul  2021 uMatrix@raymondhill.net.xpi
.rw-r--r-- 916k rosika rosika 30 Mai 14:44 {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Out of curiosity I submitted them to virustotal and got this:

1.) addon at darkreader.org.xpi:

1 security vendor and no sandboxes flagged this file as malicious (but 
only 1 out of 58; perhaps a false positive there as well)


2.) https-everywhere at eff.org.xpi:

No security vendors and no sandboxes flagged this file as malicious (0 / 58)


3.) uMatrix at raymondhill.net.xpi:

No security vendors and no sandboxes flagged this file as malicious (0 / 58)


4.) {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

No security vendors and no sandboxes flagged this file as malicious (0 / 57)


Any ideas why clamscan suddenly marked these files as a virus? It seems they're not (according to VirusTotal).

Thanks a lot in advance for your help.

Many greetings from Rosika  :-)




P.S.:

my system: Linux Lubuntu 20.04.4 LTS, 64 bit
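One way to triage hits like the ones above offline, as an added example that is not part of the original post: parse the FOUND lines from clamscan output, then inspect each flagged .xpi as the ZIP archive it actually is, recording its SHA-256 (for a VirusTotal lookup or a comparison with a fresh download from addons.mozilla.org) and the add-on id and version from its manifest.json. The paths, add-on id and version in the constructed sample are assumptions, not data from the post.

```python
import hashlib
import io
import json
import re
import zipfile

# One clamscan result line looks like "/path/to/file.xpi: Signature.Name FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan_output(text):
    """Return a list of (path, signature) for every FOUND line in clamscan output."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage_xpi(data):
    """Describe an .xpi (a ZIP archive): SHA-256, member count, add-on id/name/version.
    'ok' is False when the bytes are not a readable ZIP with a parsable manifest.json."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "ok": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:        # a member failed its CRC check
                return info
            info["members"] = len(zf.namelist())
            manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
    except (zipfile.BadZipFile, KeyError, ValueError):
        return info
    # Gecko-specific settings live under either key depending on manifest age
    gecko = (manifest.get("browser_specific_settings") or manifest.get("applications") or {}).get("gecko", {})
    info.update(ok=True, name=manifest.get("name"), version=manifest.get("version"),
                addon_id=gecko.get("id"))
    return info


def build_sample_xpi(addon_id, version):
    """Constructed test data: a minimal WebExtension packaged as .xpi (not a real add-on)."""
    manifest = {"manifest_version": 2, "name": "Sample", "version": version,
                "browser_specific_settings": {"gecko": {"id": addon_id}}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// placeholder\n")
    return buf.getvalue()


# Constructed clamscan output (assumed path) in the same shape as the real one above
SAMPLE_OUTPUT = """\
/home/user/.mozilla/firefox/abc.default/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""
```

Running `triage_xpi(open(path, "rb").read())` on each path returned by `parse_clamscan_output` gives you the hash and add-on identity to compare against the store copy before deciding the detection is a false positive.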