That's a hash signature. My guess is that there's 315 byte file inside the jar that was marked. The 2.4 version of fop has a 315 byte class file (PDFColorSpace.class) in it with a different MD5 hash. You might want to unpack the fop.jar and see if any of the files there match. Chances are some piece of malware included something similar that got included in the signature creation process.

[daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73

On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykeller@decisionlens.com> wrote:

Hi group –

We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t been updated since March 2019 and I’m tempted to say this is a false positive (our Nessus server is also completely unreachable from the internet), but haven’t seen any traffic on this listserv and Google hasn’t helped much. Anybody have any similar hits?

--

Andy Keller
Director, Information Security and Compliance | CISSP, CCSK, Security+ | Decision Lens
andykeller@decisionlens.com

o: (703) 215-8282

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml