On Wed, May 23, 2018 at 02:43 AM, Tilman Schmidt wrote:
We're getting frequent false positives from ClamAV for Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS. Googling that virus name only turns up a few hits on virscan.org which seem to be indicating a tendency of that signature to trigger on logfiles and the like, but no actual information about the threat.
It's a relatively old signature as indicated by the fact it's in the main.cvd.
What is that signature trying to detect?
$ sigtool -f Win.Exploit.Unicode_Mixed-1
[main.ndb] Win.Exploit.Unicode_Mixed-1:0:*:6a5841514144415a41424152414c41594149415141494151414941684141415a3141494149414a31314149414941424142414251493141495149414951493131314149414a5159415a4241424142414241426b4d4147423975344a42
Is this a Known Problem?
Probably not since you are the first to report it here, after all this time.
Here's an example where 33 other scanners found one such file to be infected, which may give you a better idea of what the threat is:
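Added illustration, not part of this thread and not ClamAV's own matcher: a small Python script that parses the .ndb line printed by sigtool above (fields are Name:TargetType:Offset:HexSignature), decodes the hex body, and runs the pattern over two constructed buffers. The body decodes to a 92-character purely alphanumeric string, the shape of the decoder stub that mixed-case Unicode-safe shellcode encoders emit, and target type 0 means "any file", so a text dump of captured traffic that happens to carry that string is enough to trigger it. The sample buffers are constructed, and the wildcard handling is a simplification of ClamAV's real pattern syntax.

```python
"""Decode the ClamAV .ndb signature quoted in the thread and test sample
buffers against it.  Added illustration (not ClamAV's own matcher): the
real engine normalises some target types and has a richer pattern syntax,
so this only reproduces literal-byte and simple-wildcard matching."""
import re

# The exact line sigtool printed in the thread (from main.ndb).
NDB_LINE = ("Win.Exploit.Unicode_Mixed-1:0:*:"
            "6a5841514144415a41424152414c41594149415141494151414941684141415a3141494149414a31314149414941424142414251493141495149414951493131314149414a5159415a4241424142414241426b4d4147423975344a42")

# NDB target types, as listed in the ClamAV signature documentation.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                5: "Graphics", 6: "ELF", 7: "ASCII text", 9: "Mach-O",
                10: "PDF", 11: "Flash", 12: "Java"}


def parse_ndb(line):
    """Split an .ndb line into its four fields: Name:TargetType:Offset:HexSig."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hex": hexsig}


def hex_to_regex(hexsig):
    """Translate the hex body into a bytes regex.  Supports literal bytes,
    '??' (any single byte) and '*' (any run of bytes); other ClamAV
    constructs such as {n-m} or (aa|bb) are out of scope here."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def decode_literal(hexsig):
    """Printable form of a wildcard-free body, to see what the sig looks for."""
    return bytes.fromhex(hexsig).decode("latin-1")


def matches(sig, data):
    """True if the signature fires on `data`.  Offset '*' means anywhere;
    a plain integer offset means the pattern must start exactly there
    (EOF-n / EP+n offsets are not handled in this simplified version)."""
    regex = hex_to_regex(sig["hex"])
    if sig["offset"] == "*":
        return regex.search(data) is not None
    return regex.match(data, int(sig["offset"])) is not None


# Constructed sample buffers (not real captures).  The first mimics a text
# dump of traffic that carried the alphanumeric stub in a URL; the second
# is an ordinary request line.  Target type 0 makes both eligible.
STUB = bytes.fromhex(parse_ndb(NDB_LINE)["hex"])
SAMPLE_HIT = b"10:42:01 192.0.2.7 > 192.0.2.9: GET /?q=" + STUB + b" HTTP/1.1\n"
SAMPLE_CLEAN = b"10:42:01 192.0.2.7 > 192.0.2.9: GET /index.html HTTP/1.1\n"


def scan(samples):
    """Map each sample name to whether Win.Exploit.Unicode_Mixed-1 fires on it."""
    sig = parse_ndb(NDB_LINE)
    return {name: matches(sig, data) for name, data in samples.items()}


if __name__ == "__main__":
    sig = parse_ndb(NDB_LINE)
    print(sig["name"], "target:", TARGET_TYPES[sig["target"]], "offset:", sig["offset"])
    print("pattern:", decode_literal(sig["hex"]))
    for name, hit in scan({"hit": SAMPLE_HIT, "clean": SAMPLE_CLEAN}).items():
        print(f"{name}: {'FOUND' if hit else 'OK'}")
```

Running it prints the decoded pattern and reports FOUND for the constructed dump and OK for the plain line, which is the quickest way to confirm that a flagged tcpdump file really contains the stub bytes rather than something the engine inferred. If the hits are confirmed benign for your environment, ClamAV will skip a named signature listed in a local `.ign2` file, and the false positive can be reported to the ClamAV team so the signature itself gets revisited.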