[clamav-users] false positives for firefox add-ons?

Al Varnell alvarnell at mac.com
Sat Jun 25 12:48:24 UTC 2022 

This was a false positive as discussed much earlier today on this very same list. It was corrected by a signature update over seven hours ago. Simply run freshclam and your curiosity will be history.

-Al-

> On Jun 25, 2022, at 5:40 AM, Christian <abelschreck3 at freenet.de> wrote:
> 
> Hello altogether, :-)
> 
> 
> perhaps there´s someone here who can help me with a curious phenomenon.
> 
> Every now and then I scan the directory where all the firefox-related files reside.
> This is my command:
> 
> 
> clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 
> 
> Until now I always received a message that no viruses or malicious files were found.
> Yesterday however (for the first time) I got this (haven´t changed anything since the last scan):
> 
> 
> 
>  clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2
> 
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/addon at darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywhere at eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/uMatrix at raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/addon at darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/https-everywhere at eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
> /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/uMatrix at raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 8619741
> Engine version: 0.103.6
> Scanned directories: 3315
> Scanned files: 10867
> Infected files: 7
> Data scanned: 632.66 MB
> Data read: 489.69 MB (ratio 1.29:1)
> Time: 320.348 sec (5 m 20 s)
> Start Date: 2022:06:24 16:36:42
> End Date:   2022:06:24 16:42:02
> 
> 
> Taking a closer look at the results it seems that some extensions for firefox were suddenly regarded as a virus of some sort.
> They all feature the .xpi extension:
> 
> 
> .rw-r--r-- 609k rosika rosika 27 Mai 13:31 addon at darkreader.org.xpi <mailto:addon at darkreader.org.xpi>
> .rw------- 1,8M rosika rosika 14 Jul  2021 https-everywhere at eff.org.xpi <mailto:https-everywhere at eff.org.xpi>
> .rw------- 1,5M rosika rosika 20 Jul  2021 uMatrix at raymondhill.net.xpi <mailto:uMatrix at raymondhill.net.xpi>
> .rw-r--r-- 916k rosika rosika 30 Mai 14:44 {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
> 
> Out of curiosity I submitted them to virustotal and got this:
> 
> 1.) addon at darkreader.org.xpi: <>
> 1 security vendor and no sandboxes flagged this file as malicious (but only 1 out of 58; perhaps a false positive there as well)
> 
> 
> 2.) https-everywhere at eff.org.xpi <mailto:https-everywhere at eff.org.xpi>:
> 
> No security vendors and no sandboxes flagged this file as malicious (0 / 58)
> 
> 
> 
> 
> 3.) uMatrix at raymondhill.net.xpi <mailto:uMatrix at raymondhill.net.xpi>:
> 
> No security vendors and no sandboxes flagged this file as malicious (0 / 58)
> 
> 
> 
> 
> 4.) {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
> 
> No security vendors and no sandboxes flagged this file as malicious (0 / 57)
> 
> 
> 
> 
> Any ideas why  clamscan suddenly marked these files as a virus? It seems they´re not (according to virustotal).
> 
> Thanks a lot in advance for your help.
> 
> Many greetings from Rosika  :-)
> 
> 
> 
> 
> 
> P.S.:
> 
> my system: Linux Lubuntu 20.04.4 LTS, 64 bit
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat


         
Powered by Mailbutler <https://www.mailbutler.io/?utm_source=watermark&utm_medium=email&utm_campaign=watermark-variant-primary> - still your inbox, but smarter.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20220625/b7e5ba81/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4376 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20220625/b7e5ba81/attachment.bin>

More information about the clamav-users mailing list