Mailing List Archive

Clamav found in php files Archive.Test.Agent2-9953724-0
Hello

I don't understand why, but it happens this morning on already existing
files (in the wp-cli cache folder):

Start Date: 2022:06:24 12:15:01
End Date:   2022:06:24 12:15:17
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.2-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.9-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.1-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.3-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.1-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.2-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND

I could not find any discussion on the web about
"Archive.Test.Agent2-9953724-0" except this one:
https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html

Thanks for help :-)

Cyrille37.
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
Hi there,

On Fri, 24 Jun 2022, Cyrille37 wrote:

> I don't understand why, but it happens this morning on already existing files
> (in the wp-cli cache folder):
>
> Start Date: 2022:06:24 12:15:01
> End Date:   2022:06:24 12:15:17
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> ...
> I could not find on the web some discussions about
> "Archive.Test.Agent2-9953724-0" except this one
> https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html

The signature is mentioned in this morning's automated email from the
ClamAV signatures database update process.

I suspect that you're seeing a false positive, that's always a risk
with new or updated signatures.

Perhaps you can upload one of the flagged files to e.g. Jotti's Virus
Scan or VirusTotal to see what a few other scanners make of it.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
This is a new signature that was added today. It's rather complicated and,
with the "Test" in the name, I'm not sure it's meant to be published. We'll
have to wait to hear from the ClamAV folks on that matter, but you can
submit it as a false positive (for those Wordpress zips) using the False
positive report page: https://www.clamav.net/reports/fp


On Fri, Jun 24, 2022 at 8:49 AM Cyrille37 <cyrille.clamav-users@giquello.fr>
wrote:

> Hello
>
> I don't understand why, but it happens this morning on already existing
> files (in the wp-cli cache folder):
>
> Start Date: 2022:06:24 12:15:01
> End Date: 2022:06:24 12:15:17
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.2-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.9-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.1-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.3-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.1-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
> /home/caf37-pt/.wp-cli/cache/core/wordpress-5.9.2-fr_FR.zip:
> Archive.Test.Agent2-9953724-0 FOUND
>
> I could not find on the web some discussions about
> "Archive.Test.Agent2-9953724-0" except this one
>
> https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html
>
> Thanks for help :-)
>
> Cyrille37.
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
Thanks all for your answers

I've submitted the false positive.

Regards & cheers
Cyrille37.

On 24/06/2022 15:19, Maarten Broekman via clamav-users wrote:
> This is a new signature that was added today. It's rather complicated
> and, with the "Test" in the name, I'm not sure it's meant to be
> published. We'll have to wait to hear from the ClamAV folks on that
> matter, but you can submit it as a false positive (for those Wordpress
> zips) using the False positive report page:
> https://www.clamav.net/reports/fp

--

Cyrille Giquello - 06 32 33 02 18 - cyrille@giquello.fr - FR37 Tours
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
It's 100% a bad signature and should get removed.

I just checked the current version of the akismet plugin (
https://wordpress.org/plugins/akismet/) from WordPress and it is detected
by this signature but by nothing else:
https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
https://www.virustotal.com/gui/file/8ae9cc337449fd0daa82e3f1c329689ecc4de8905244f97e401be6fe3af33704

A month ago, this file wasn't detected by anything.

I came in to work to find almost 2000 hits from this signature on zip files
ranging from WordPress plugins to zipped up log directories.

--Maarten

On Fri, Jun 24, 2022 at 9:12 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Fri, 24 Jun 2022, Cyrille37 wrote:
>
> > I don't understand why, but it happens this morning on already existing files
> > (in the wp-cli cache folder):
> >
> > Start Date: 2022:06:24 12:15:01
> > End Date: 2022:06:24 12:15:17
> > /home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip:
> > Archive.Test.Agent2-9953724-0 FOUND
> > ...
> > I could not find on the web some discussions about
> > "Archive.Test.Agent2-9953724-0" except this one
> >
> https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html
>
> The signature is mentioned in this morning's automated email from the
> ClamAV signatures database update process.
>
> I suspect that you're seeing a false positive, that's always a risk
> with new or updated signatures.
>
> Perhaps you can upload one of the flagged files to e.g. Jotti's Virus
> Scan or VirusTotal to see what a few other scanners make of it.
>
> --
>
> 73,
> Ged.
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
This is a test signature that should have never made it through. We're
immediately dropping it and pushing out a new build.

On Fri, Jun 24, 2022 at 9:51 AM Maarten Broekman via clamav-users <
clamav-users@lists.clamav.net> wrote:

> It's 100% a bad signature and should get removed.
>
> I just checked the current version of the akismet plugin (
> https://wordpress.org/plugins/akismet/) from WordPress and it is detected
> by this signature but by nothing else:
> https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
>
> https://www.virustotal.com/gui/file/8ae9cc337449fd0daa82e3f1c329689ecc4de8905244f97e401be6fe3af33704
>
> A month ago, this file wasn't detected by anything.
>
> I came in to work to find almost 2000 hits from this signature on zip
> files ranging from WordPress plugins to zipped up log directories.
>
> --Maarten


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
Re: Clamav found in php files Archive.Test.Agent2-9953724-0 [ In reply to ]
Build 26583 for daily.cvd is ready for use. We're also taking additional
steps and safety measures to ensure experimental signatures are not
eligible for additions to any published CVD.

On Fri, Jun 24, 2022 at 10:36 AM Christopher Marczewski <
cmarczewski@sourcefire.com> wrote:

> This is a test signature that should have never made it through. We're
> immediately dropping it and pushing out a new build.


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
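
An added example, not part of any message in this thread: the situation reported above (files that already existed and previously scanned clean are suddenly flagged after a database update) can be triaged by separating hits on unchanged files from hits on changed or new ones. The function names, the digest dictionaries (assumed to be recorded by the operator at each scan) and the second signature name are constructed for illustration.

```python
import re
from collections import defaultdict

HIT = re.compile(r"^(?P<path>.+?):\s*(?P<sig>\S+) FOUND$")

def parse_hits(report):
    """Return (path, signature) pairs from clamscan-style output, accepting
    'path: SIG FOUND' and the mail-wrapped form with the signature on the next line."""
    hits, pending = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if pending is not None:          # rejoin a path line with its wrapped signature
            line, pending = pending + " " + line, None
        if line.endswith(":"):
            pending = line
            continue
        m = HIT.match(line)
        if m:
            hits.append((m["path"], m["sig"]))
    return hits

def triage(hits, clean_baseline, current):
    """Per signature, split hits into files whose digest is unchanged since
    they last scanned clean and files that changed or have no baseline."""
    out = defaultdict(lambda: {"unchanged": [], "changed_or_new": []})
    for path, sig in hits:
        same = path in clean_baseline and clean_baseline[path] == current.get(path)
        out[sig]["unchanged" if same else "changed_or_new"].append(path)
    return dict(out)

def database_side_suspects(result, min_files=3):
    """Signatures that only hit unchanged, previously clean files: the change is in
    the signature database, so these are candidates for a false-positive report.
    This is a triage hint, not proof that the files are clean."""
    return sorted(s for s, r in result.items()
                  if len(r["unchanged"]) >= min_files and not r["changed_or_new"])

# Constructed sample: three hits taken from the thread plus one invented hit.
P = "/home/caf37-pt/.wp-cli/cache/core/wordpress-"
REPORT = (P + "5.8.3-fr_FR.zip:\nArchive.Test.Agent2-9953724-0 FOUND\n"
          + P + "5.9-fr_FR.zip:\nArchive.Test.Agent2-9953724-0 FOUND\n"
          + P + "5.9.3-fr_FR.zip: Archive.Test.Agent2-9953724-0 FOUND\n"
          "/srv/example/upload.php: Constructed.Example.Sig-0 FOUND\n")
# Placeholder digests standing in for SHA-256 values recorded at each scan.
BASELINE = {P + "5.8.3-fr_FR.zip": "d1", P + "5.9-fr_FR.zip": "d2",
            P + "5.9.3-fr_FR.zip": "d3", "/srv/example/upload.php": "d4"}
CURRENT = dict(BASELINE, **{"/srv/example/upload.php": "d5"})

if __name__ == "__main__":
    print(database_side_suspects(triage(parse_hits(REPORT), BASELINE, CURRENT)))
```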