On Nov 12, 2019, at 14:05, Christina Qian <christina.qian@ayasdi.com> wrote:

Hi Alain,

Thank you very much for your quick response. May I ask what the offending signature is, where it is located, and how it was removed? Thanks.

Christina Qian

On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidouemba@sourcefire.com> wrote:

The alert was a false positive, and the offending signature has been removed.

Thanks,
-Alain

On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> wrote:

That's a hash signature. My guess is that there's a 315-byte file inside the jar that was marked. The 2.4 version of fop has a 315-byte class file (PDFColorSpace.class) in it with a different MD5 hash. You might want to unpack the fop.jar and see if any of the files there match. Chances are some piece of malware included something similar that got included in the signature creation process.

[daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73

On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <andykeller@decisionlens.com> wrote:

Hi group –
We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t been updated since March 2019 and I’m tempted to say this is a false positive (our Nessus server is also completely unreachable from the internet), but haven’t seen any traffic on this listserv and Google hasn’t helped much. Anybody have any similar hits?
--
Andy Keller
Director, Information Security and Compliance | CISSP, CCSK, Security+ | Decision Lens
andykeller@decisionlens.com
o: (703) 215-8282
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
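The check suggested in the thread (unpack the jar and see whether any member matches the hash signature), as an added example that is not part of the original messages or of ClamAV itself. It assumes the quoted line has the layout hash:size:name[:minimum functionality level]; the function names, the nested-archive handling and the sample jar are constructed for illustration.

```python
import hashlib, io, zipfile
from typing import NamedTuple, Optional

ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm
THREAD_SIG = "[daily.hsb] 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73"

class HashSig(NamedTuple):
    digest: str
    size: Optional[int]  # None when the size field is "*" (any size)
    name: str

def parse_hsb(line: str) -> HashSig:
    """Parse 'hash:size:name[:min_flevel]', with an optional '[db] ' prefix."""
    if line.startswith("["):
        line = line.split("]", 1)[1]
    fields = line.strip().split(":")
    if len(fields) < 3 or len(fields[0]) not in ALGOS:
        raise ValueError(f"not a hash signature: {line!r}")
    size = None if fields[1] == "*" else int(fields[1])
    return HashSig(fields[0].lower(), size, fields[2])

def find_matches(archive, sig: HashSig, prefix: str = "") -> list:
    """List members whose size and digest match sig, descending into nested archives."""
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            nested = info.filename.lower().endswith((".jar", ".zip", ".war"))
            size_ok = sig.size is None or info.file_size == sig.size
            if not (nested or size_ok):
                continue  # size mismatch: cannot match, skip hashing
            data = zf.read(info)
            if size_ok and hashlib.new(ALGOS[len(sig.digest)], data).hexdigest() == sig.digest:
                hits.append(path)
            if nested:
                try:
                    hits += find_matches(io.BytesIO(data), sig, path + "!/")
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one
    return hits

def build_sample_jar(payload: bytes) -> io.BytesIO:
    """Constructed test archive: a 315-byte decoy class plus the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Decoy.class", b"\xca\xfe\xba\xbe" + b"\x00" * 311)
        zf.writestr("org/example/Target.class", payload)
    buf.seek(0)
    return buf
```

Against a real file, find_matches("fop.jar", parse_hsb(THREAD_SIG)) returns the member paths that carry the flagged hash, or an empty list if none do.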