On Jun 25, 2022, at 5:40 AM, Christian <abelschreck3@freenet.de> wrote:
Hello altogether, :-)
perhaps there's someone here who can help me with a curious phenomenon.
Every now and then I scan the directory where all the firefox-related files reside.
This is my command:
clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2
Until now I always received a message that no viruses or malicious files were found.
Yesterday however (for the first time) I got this (haven't changed anything since the last scan):
clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8619741
Engine version: 0.103.6
Scanned directories: 3315
Scanned files: 10867
Infected files: 7
Data scanned: 632.66 MB
Data read: 489.69 MB (ratio 1.29:1)
Time: 320.348 sec (5 m 20 s)
Start Date: 2022:06:24 16:36:42
End Date: 2022:06:24 16:42:02
Taking a closer look at the results it seems that some extensions for firefox were suddenly regarded as a virus of some sort.
They all feature the .xpi extension:
.rw-r--r-- 609k rosika rosika 27 Mai 13:31 addon@darkreader.org.xpi
.rw------- 1,8M rosika rosika 14 Jul 2021 https-everywhere@eff.org.xpi
.rw------- 1,5M rosika rosika 20 Jul 2021 uMatrix@raymondhill.net.xpi
.rw-r--r-- 916k rosika rosika 30 Mai 14:44 {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Out of curiosity I submitted them to virustotal and got this:
1.) addon@darkreader.org.xpi:
1 security vendor and no sandboxes flagged this file as malicious (but only 1 out of 58; perhaps a false positive there as well)
2.) https-everywhere@eff.org.xpi:
No security vendors and no sandboxes flagged this file as malicious (0 / 58)
3.) uMatrix@raymondhill.net.xpi:
No security vendors and no sandboxes flagged this file as malicious (0 / 58)
4.) {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
No security vendors and no sandboxes flagged this file as malicious (0 / 57)
Any ideas why clamscan suddenly marked these files as a virus? It seems they're not (according to virustotal).
Thanks a lot in advance for your help.
Many greetings from Rosika :-)
P.S.:
my system: Linux Lubuntu 20.04.4 LTS, 64 bit
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
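
Added example (not part of the original message and not ClamAV code): a Python helper that groups "clamscan -i" hits by signature and file name, so a report like the one above reduces to how many distinct files one signature matched and in which directories. The sample paths are constructed and shortened, and group_hits and summarize are hypothetical names.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# clamscan prints one "<path>: <signature> FOUND" line per detection.
# A path may itself contain ": ", so the greedy path match lets the
# signature be taken from the right-hand end of the line.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def group_hits(output):
    """Map signature name -> {file name -> [directories it was found in]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for line in output.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # scan summary, blank lines, warnings
        p = PurePosixPath(m["path"])
        groups[m["sig"]][p.name].append(str(p.parent))
    return {sig: dict(files) for sig, files in groups.items()}

def summarize(groups):
    """Return (signature, total hits, distinct file names), most hits first."""
    rows = [(sig, sum(len(dirs) for dirs in files.values()), len(files))
            for sig, files in groups.items()]
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample: shortened paths, signature name as in the report above.
SAMPLE = """\
/scan/profile-a/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-a/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-a/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-a/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-b/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-b/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/scan/profile-b/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 7
"""

if __name__ == "__main__":
    for sig, hits, names in summarize(group_hits(SAMPLE)):
        print(f"{sig}: {hits} hits across {names} distinct file names")
```

Seven hits collapsing to a single signature over four distinct add-on files is the pattern worth including when reporting a suspected false positive.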