Discussion:
[clamav-users] Many reports / false positives since a couple of days
Albrecht, Peter
2018-07-31 08:53:00 UTC
Hello,

Since Saturday (2018-07-28) we have been seeing many reports from clamscan of
(possibly) infected files. I suspect these are false positives because checking
the files on virustotal.com shows only ClamAV reporting them as infected.

The reported files are mostly jar files used by our applications (e.g. httpclient-*.jar,
httpcore-*.jar in different versions). These are the signatures which produce most
of the reports:

Html.Malware.Agent-6625161-0
Html.Malware.Agent-6625163-0
Html.Malware.Agent-6625207-0
Html.Malware.Agent-6625208-0
Html.Malware.Agent-6625209-0
Html.Malware.Agent-6625345-0

Currently, we have whitelisted the above signatures. I suspect that it is an error
in the database because that's the only thing that has changed since Friday. We
are using clamav 0.99.4 and 0.100.0 on Linux with a daily update of the virus
signatures.

I have uploaded the file which generated the most reports yesterday to clamav.net
and requested a double check of whether it is a false positive.

Does anybody else see this behaviour? Any ideas what the reason might be?
Any suggestions what to do? Whitelisting all reported signatures would not be our
preferred solution ...

Thanks a lot,

Peter Albrecht
Senior Linux Administrator 

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com
________________________________________________________________________________________________________

Amtsgericht München, HRB no. 238 150

Managing directors: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever. 
Thank you for your cooperation.

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2018-07-31 09:17:45 UTC
It helps the signature team locate those submitted files faster if you post their hash values here.

-Al-
--
Al Varnell
Mountain View, CA
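The two posts above describe a triage done by hand: tally which signatures fire most, whitelist them as a stop-gap, and post the hashes of the submitted files so the signature team can find them. The following is an added example in POSIX shell that does the same thing from clamscan's default report lines; it is not code from ClamAV or from any poster in this thread. The report lines, paths and the `local.ign2` location are constructed sample data and assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV. Triage clamscan output
# for suspected false positives:
#   1. count hits per signature,
#   2. list the files behind one signature and hash them for the FP report,
#   3. write an .ign2 whitelist as a stop-gap until the signatures are dropped.
# Assumes clamscan's default report line "/path/file: Signature.Name FOUND".

# Constructed sample of clamscan report lines (not real scanner output).
SAMPLE_REPORT='/opt/app/lib/httpclient-4.5.5.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/app/lib/httpcore-4.4.9.jar: Html.Malware.Agent-6625163-0 FOUND
/opt/app/lib/httpclient-4.5.3.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/app/lib/commons-io-2.6.jar: OK
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND'

# Hits per signature, most frequent first, as "<count> <signature>".
count_by_signature() {
    printf '%s\n' "$1" | awk '$NF == "FOUND" { print $(NF-1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Unique paths flagged by signature $2 in report $1. Signature names contain
# no spaces or colons, so stripping ": <sig> FOUND" from the end leaves the
# path intact even when the path itself contains spaces.
files_for_signature() {
    printf '%s\n' "$1" \
        | awk -v sig="$2" '$NF == "FOUND" && $(NF-1) == sig { sub(/: [^:]*$/, ""); print }' \
        | sort -u
}

# Read paths on stdin; print "sha256  path" for each one that exists locally.
# Paste these into the false-positive report together with the sample upload.
hashes_for_submission() {
    while IFS= read -r path; do
        if [ -f "$path" ]; then
            sha256sum "$path"
        fi
    done
}

# Write signature names, one per line, to an .ign2 file. Placed in ClamAV's
# database directory (for example /var/lib/clamav/local.ign2, an assumed path)
# the engine loads it alongside the daily CVDs and skips those signatures.
# freshclam never touches the file, so prune it once the signatures are
# dropped upstream, otherwise the whitelist outlives the problem it patched.
write_ign2() {
    out=$1
    shift
    : > "$out"
    for sig in "$@"; do
        printf '%s\n' "$sig" >> "$out"
    done
}

# Demo on the constructed sample.
count_by_signature "$SAMPLE_REPORT"
files_for_signature "$SAMPLE_REPORT" Html.Malware.Agent-6625161-0
```

Whitelisted names in the `.ign2` file must match the reported name exactly, suffix included (`Html.Malware.Agent-6625161-0`, not `Html.Malware.Agent-6625161`). A quick check that the file took effect is to rescan one of the flagged jars with `clamscan --database=/var/lib/clamav <file>` and confirm it now reports OK.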
David Rosenstrauch
2018-08-01 13:57:14 UTC
Post by Albrecht, Peter
Html.Malware.Agent-6625161-0
Html.Malware.Agent-6625163-0
Html.Malware.Agent-6625207-0
Html.Malware.Agent-6625208-0
Html.Malware.Agent-6625209-0
Html.Malware.Agent-6625345-0
I've been seeing these as well. It's curious, as VT shows ClamScan as
the only detection system that's flagging these.

https://www.virustotal.com/#/file/ca6cce94277cca95ce5812e72a5ed24dd95a995788541be2c225a4a2e2bc5089/detection

DR
Joel Esler (jesler)
2018-08-01 14:27:14 UTC
I am dropping these signatures now.
Post by Albrecht, Peter
Html.Malware.Agent-6625161-0
Html.Malware.Agent-6625163-0
Html.Malware.Agent-6625207-0
Html.Malware.Agent-6625208-0
Html.Malware.Agent-6625209-0
Html.Malware.Agent-6625345-0
Albrecht, Peter
2018-08-01 14:43:38 UTC
Hi Joel,
Post by Joel Esler (jesler)
Post by Albrecht, Peter
Html.Malware.Agent-6625161-0
Html.Malware.Agent-6625163-0
Html.Malware.Agent-6625207-0
Html.Malware.Agent-6625208-0
Html.Malware.Agent-6625209-0
Html.Malware.Agent-6625345-0
I am dropping these signatures now.
Here are some other signatures that create many messages:

Html.Malware.Agent-6625159-0
Html.Malware.Agent-6625162-0
Html.Malware.Agent-6625209-0

If more signatures show up, I'll forward them.

Has anything changed in the database which has caused this?

Regards,

Peter

Albrecht, Peter
2018-08-02 06:41:33 UTC
Good Morning,
Post by Albrecht, Peter
Html.Malware.Agent-6625159-0
Html.Malware.Agent-6625162-0
Html.Malware.Agent-6625209-0
These stopped being reported this morning at around 04:00 our time (CEST).

Currently, there is one signature left which I believe to be a false positive:

Html.Malware.Agent-6625344-0

Thanks a lot,

Peter

