The signature needs a little tweaking, and will be revised. Revision 0 (Txt.Coinminer.Generic-7132166-0) has been dropped and this will be reflected in the next  signature update.

- Alain

On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users <clamav-users@lists.clamav.net> wrote:

 

Has anyone else seen a false positive from ClamAV, as a result of the August 24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was added ?

 

Specifically, we are seeing ClamAV think that CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an executable virus attacking Windows.  The file causing the false positive is the /var/log/sid_changes.log file, which is the text log file written by PulledPork when it updates Snort IDS signatures. I would imagine anyone running Snort, PulledPork and ClamAV on the same Linux machine would see this false positive.

 

I submitted a false positive to ClamAV yesterday, but it may be that whatever pattern that virus signature is looking for is too simplistic.

 

…Brian

 


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml