Resending in case the first doesn't get through...

On Wed, May 23, 2018 at 07:38 AM, Noel Jones wrote:
On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
We're getting frequent false positives from ClamAV for
Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
Googling that virus name only turns up a few hits on virscan.org which
seem to be indicating a tendency of that signature to trigger on
logfiles and the like, but no actual information about the threat.

What is that signature trying to detect?
Is this a Known Problem?
What's the best way to handle it?


This signature looks for a string of binary characters.

It could also be a string of ASCII characters (not included to prevent this e-mail from being detected as infected) but the same advice would apply.

It's not generally useful to run clamscan on pseudo-random data such
as tcpdumps, logfiles, raw disk images, etc. False positives can
be expected from signatures that look for strings of binary characters.

You can tell clam to ignore this particular signature by adding the
name to a text file named local.ign2 (or any name ending in .ign2)
in the same directory where the clam databases live.

# local.ign2
Win.Exploit.Unicode_Mixed-1

However, I wouldn't be surprised if the dump starts hitting some
other binary signature if you ignore this one.

I think the best way to handle this is "don't scan pseudo-random files".



 -- Noel Jones