
False Positive for Txt.Coinminer.Generic-7132166-0
Has anyone else seen a false positive from ClamAV, as a result of the August 24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was added ?

Specifically, we are seeing ClamAV think that CoinMiner virus exists in a cleartext file on Linux, even though CoinMiner is an executable virus attacking Windows. The file causing the false positive is the /var/log/sid_changes.log file, which is the text log file written by PulledPork when it updates Snort IDS signatures. I would imagine anyone running Snort, PulledPork and ClamAV on the same Linux machine would see this false positive.

I submitted a false positive to ClamAV yesterday, but it may be that whatever pattern that virus signature is looking for is too simplistic.

...Brian
Re: False Positive for Txt.Coinminer.Generic-7132166-0
Brian,

It's a straight text search for 6 strings.
Can't send the decode because it will be caught in my outbound.

# sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs

Doesn't seem extremely likely for a lot of false positives to me, but ymmv.
________________________________________________________________

From: clamav-users [mailto:clamav-users-bounces@lists.clamav.net] On Behalf
Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users@lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: False Positive for Txt.Coinminer.Generic-7132166-0
Hi there,

On Tue, 27 Aug 2019, Brian Cole via clamav-users wrote:

> ... we are seeing ClamAV think that CoinMiner virus exists in
> ... /var/log/sid_changes.log ...

Would it not make more sense to exclude such files from your scans?

--

73,
Ged.

Re: False Positive for Txt.Coinminer.Generic-7132166-0
The signature needs a little tweaking, and will be revised. Revision 0
(Txt.Coinminer.Generic-7132166-0) has been dropped and this will be
reflected in the next signature update.

- Alain

On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: False Positive for Txt.Coinminer.Generic-7132166-0
Alain and Eric, thanks for those answers; that definitely seems to be the issue.

I ran the sigtool command you provided and it displayed the following information:

$ sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs
VIRUS NAME: Txt.Coinminer.Generic-7132166-0
TDB: Engine:81-255,Target:7
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
miner
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
coinhive
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
keepalive
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
params
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
algo
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
pass
$

I then grepped for those 6 strings in my text file and, sure enough, they are all present in that single file:

$ grep -i miner /var/log/sid_changes.log | wc
75 484 5299
$ grep -i coinhive /var/log/sid_changes.log | wc
12 82 824
$ grep -i keepalive /var/log/sid_changes.log | wc
10 60 658
$ grep -i params /var/log/sid_changes.log | wc
10 86 796
$ grep -i algo /var/log/sid_changes.log | wc
13 152 1302
$ grep -i pass /var/log/sid_changes.log | wc
1739 17000 151213
$

…Brian
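The decoded signature above is six case-insensitive substrings joined by '&', and its TDB line (Target:7, ClamAV's ASCII text target type) is why a Linux text log is even considered, so any rule-name listing that happens to contain all six words trips it. The Python below is added here as an illustration and is not ClamAV's own matching code: it re-implements that subsignature-plus-logical-expression evaluation (the evaluator also handles '|' and parentheses, which this signature does not use) and runs it over a constructed sample in the style of the rule names PulledPork logs.

```python
import re

# Subsignatures and logical expression exactly as sigtool decoded them above:
# OFFSET: ANY + SIGMOD: NOCASE is a case-insensitive substring search anywhere
# in the file, and the '&' chain requires all six to be present.
SUBSIGS = {0: "miner", 1: "coinhive", 2: "keepalive", 3: "params", 4: "algo", 5: "pass"}
LOGICAL_EXPRESSION = "0&1&2&3&4&5"

def count_subsig_hits(data: bytes, subsigs: dict) -> dict:
    """Map each subsig id to its number of case-insensitive occurrences."""
    lower = data.lower()
    return {sid: lower.count(pat.lower().encode()) for sid, pat in subsigs.items()}

def evaluate_logical(expr: str, hits: dict) -> bool:
    """Evaluate subsig ids joined by '&' (binds tighter) and '|', with optional
    parentheses; an id is true when it matched at least once. '=N'/'>N' count
    qualifiers are not handled, since this signature uses none."""
    tokens, pos = re.findall(r"\d+|[&|()]", expr), 0
    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = parse_and() or val  # parse first so the cursor always advances
        return val
    def parse_and():
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = parse_atom() and val
        return val
    def parse_atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return hits.get(int(tok), 0) > 0
        val = parse_or()
        pos += 1  # consume the closing ')'
        return val
    return parse_or()

def scan(data: bytes):
    # Returns (matched, hits) for Txt.Coinminer.Generic-7132166-0 against data.
    hits = count_subsig_hits(data, SUBSIGS)
    return evaluate_logical(LOGICAL_EXPRESSION, hits), hits

# Constructed sample in the style of rule names PulledPork logs; not a real file.
SAMPLE_LOG = (b"MALWARE-CNC Win.Trojan.CoinMiner outbound connection\n"
              b"POLICY-OTHER Coinhive browser miner script download\n"
              b"SERVER-WEBAPP keepalive params algo pass attempt\n")
```

Running scan(SAMPLE_LOG) reports a match with every subsignature hit at least once, which is the same outcome the grep counts above show for the real sid_changes.log; dropping any one word (for example "coinhive") makes the same file clean.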