It helps the signature team locate those submitted files faster if you post their hash values here.

-Al-

On Tue, Jul 31, 2018 at 01:53 AM, Albrecht, Peter wrote:
Hello,

Since Saturday (2018-07-28) we are seeing many reports from clamscan having
found (possibly) infected files. I suspect these are false positives because checking
the files on virustotal.com returns only clamav reporting them as infected.

The reported files are mostly jar files used by our applications (e.g. httpclient-*.jar,
httpcore-*.jar in different versions). These are the signatures which produce most
of the reports:

Html.Malware.Agent-6625161-0
Html.Malware.Agent-6625163-0
Html.Malware.Agent-6625207-0
Html.Malware.Agent-6625208-0
Html.Malware.Agent-6625209-0
Html.Malware.Agent-6625345-0

Currently, we have whitelisted the above signatures. I suspect that it is an error
in the database because that's the only thing that has changed since Friday. We
are using clamav 0.99.4 and 0.100.0 on Linux with a daily update of the virus
signatures.

I have uploaded the file which generated the most reports yesterday to clamav.net
and requested doublechecking if that would be a false positive.

Does anybody else see such a behaviour? Any ideas of what might be the reason?
Any suggestions what to do? Whitelisting all reported signatures would not be our
preferred solution ...

Thanks a lot,

Peter Albrecht
Senior Linux Administrator 

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com
________________________________________________________________________________________________________

Amtsgericht München HRB Nummer 238 150

Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder 
Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are 
not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither 
use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever. 
Thank you for your cooperation.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-Al-
-- 
Al Varnell
Mountain View, CA