Has anyone else seen a false positive from ClamAV, as a result of the August 24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was added?
Specifically, we are seeing ClamAV think that the CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an executable virus attacking Windows. The file causing the false positive is /var/log/sid_changes.log, which is the text log file written by PulledPork when it updates Snort IDS signatures. I would imagine anyone running Snort, PulledPork and ClamAV on the same Linux machine would see this false positive.
I submitted a false positive to ClamAV yesterday, but it may be that whatever pattern that virus signature is looking for is too simplistic.
...Brian
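An added example, not part of the original post and not ClamAV project code: while a false-positive report is pending, a practitioner usually wants to (1) dump the body of the offending signature to see what pattern it actually matches, and (2) suppress that one signature locally with a `.ign2` whitelist rather than disabling scanning. This script does both for the signature and file named above. It assumes `sigtool` and `clamscan` are on PATH, that the database directory is `/var/lib/clamav` (override with `DB_DIR`), that the caller can write to that directory, and that the `run` argument, `local.ign2` filename and function names are conventions of this example only.

```shell
#!/bin/sh
# Added example for a ClamAV false positive; assumes sigtool/clamscan on PATH.
# DB_DIR is the directory clamscan/clamd load signatures from (assumed path,
# override via the environment if yours differs).
DB_DIR="${DB_DIR:-/var/lib/clamav}"
SIG="Txt.Coinminer.Generic-7132166-0"   # signature named in the post
LOG="/var/log/sid_changes.log"          # PulledPork log that triggers it

# 1. Show what the signature really matches: find it by name, then decode
#    the hex body into a readable form so the "too simplistic" theory can be checked.
show_sig() {
    sigtool --find-sigs="$1" | sigtool --decode-sigs
}

# 2. Whitelist the signature locally. ClamAV loads every *.ign2 file in the
#    database directory; each line is one signature name to skip.
#    Appending is idempotent so re-running never duplicates the entry.
add_ignore() {
    dir="$1"; name="$2"
    f="$dir/local.ign2"
    if [ -f "$f" ] && grep -qxF "$name" "$f"; then
        return 0
    fi
    printf '%s\n' "$name" >> "$f"
}

# 3. Re-scan the file against that database directory; the whitelist is
#    picked up automatically and the file should now report OK.
scan_clean() {
    clamscan --database="$1" --no-summary "$2"
}

# Only touch the real database when explicitly asked (./fp.sh run).
if [ "${1:-}" = "run" ]; then
    show_sig "$SIG"
    add_ignore "$DB_DIR" "$SIG"
    scan_clean "$DB_DIR" "$LOG"
fi
```

Keep the `.ign2` entry narrow (one signature name) and remove it once the upstream database is corrected, otherwise a later, legitimate detection under that name would be silently dropped.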