Mailing List Archive

since clamav version 1.2.0, false/positive pihole links?
Dear clamav Teams,


we are using some Debian 12 servers with PiHole Systems:


OS: Debian GNU/Linux 12 (bookworm) aarch64
Host: Raspberry Pi 4 Model B Rev 1.4
Kernel: 6.1.21-v8+
Uptime: 4 hours
Packages: 2830 (dpkg), 14 (snap)
Shell: zsh 5.9
Resolution: 2560x1440
Terminal: /dev/pts/0
CPU: BCM2835 (4) @ 2.000GHz
Memory: 1754MiB / 7811MiB

and since we installed the new clamav 1.2.0 (from source on the Raspi, or from the .deb file on the other Debian servers with PiHole on amd64), we now see these alerts:


/etc/pihole/list.74.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.22.v.firebog.net.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.83.v.firebog.net.domains: YARA.davivienda.UNOFFICIAL FOUND
/etc/pihole/list.65.raw.githubusercontent.com.domains: YARA.hacked_domains.UNOFFICIAL FOUND
/etc/pihole/list.120.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.52.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.25.v.firebog.net.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.6.gitlab.com.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.50.phishing.army.domains: YARA.davivienda.UNOFFICIAL FOUND
/etc/pihole/list.153.phishing.army.domains: YARA.davivienda.UNOFFICIAL FOUND
/etc/pihole/list.130.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.161.v.firebog.net.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.53.zerodot1.gitlab.io.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.57.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.63.raw.githubusercontent.com.domains: YARA.hacked_domains.UNOFFICIAL FOUND
/etc/pihole/list.18.zerodot1.gitlab.io.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.54.zerodot1.gitlab.io.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.alemoney.xyz.610.UNOFFICIAL FOUND
/etc/pihole/list.11.www.github.developerdan.com.domains: YARA.davivienda.UNOFFICIAL FOUND
/etc/pihole/list.64.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.malware.js.lobbydesires.com.879.UNOFFICIAL FOUND
/etc/pihole/list.29.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.blacklisted.domain.bingstyle.com.640.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8862874
Engine version: 1.2.0
Scanned directories: 717
Scanned files: 3060
Infected files: 20
Data scanned: 262.51 MB
Data read: 2517.20 MB (ratio 0.10:1)
Time: 595.687 sec (9 m 55 s)
Start Date: 2023:08:31 04:00:55
End Date: 2023:08:31 04:10:50

As we read in some chats, UNOFFICIAL could mean a false positive. So should we add those pihole lists to the clamav whitelist?

Kind regards,

Norman
Re: since clamav version 1.2.0, false/positive pihole links?
Additionally, these were also found now by version 1.2.0
(whitelisting?):



----------- SCAN SUMMARY -----------
Known viruses: 8862874
Engine version: 1.2.0
Scanned directories: 91
Scanned files: 416
Infected files: 0
Data scanned: 84.71 MB
Data read: 39.88 MB (ratio 2.12:1)
Time: 78.263 sec (1 m 18 s)
Start Date: 2023:08:31 05:09:59
End Date:   2023:08:31 05:11:17
/usr/lib/firefox-esr/browser/omni.ja:
Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/features/webcompat@mozilla.org.xpi:
Sanesecurity.Foxhole.JS_Zip_19.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/features/pictureinpicture@mozilla.org.xpi:
Sanesecurity.Foxhole.Zip_fs676.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/features/screenshots@mozilla.org.xpi:
Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/features/webcompat-reporter@mozilla.org.xpi:
Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/features/formautofill@mozilla.org.xpi:
Sanesecurity.Foxhole.JS_Zip_2.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8862874
Engine version: 1.2.0
Scanned directories: 9612
Scanned files: 63391
Infected files: 6
Data scanned: 6235.05 MB
Data read: 5839.86 MB (ratio 1.07:1)
Time: 3740.979 sec (62 m 20 s)
Start Date: 2023:08:31 05:11:21
End Date:   2023:08:31 06:13:42

On 31.08.2023 at 10:29, energynorman@gmail.com wrote:
> Dear clamav Teams,
>
> [...]
>
> As we read in some chats, UNOFFICIAL could mean a false positive. So
> should we add those pihole lists to the clamav whitelist?
>
> Kind regards,
>
> Norman
>
Re: since clamav version 1.2.0, false/positive pihole links?
On 31 August 2023 09:33:24 energynorman--- via clamav-users
<clamav-users@lists.clamav.net> wrote:

> Additionally, these were also found now by version 1.2.0
> (whitelisting?):
>
> [...]
>
> /usr/lib/firefox-esr/browser/omni.ja:
> Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND

Hi.

Sanesecurity signatures are produced by me.

The foxhole signatures are really only for incoming mail.

You can either create a list of signatures to ignore when scanning, in an
ign2 database...

E.g. create a text file ignore.ign2

Make the first line

> Sanesecurity.Foxhole.Zip_fs186

Put the ignore.ign2 file in the ClamAV database folder and reload ClamAV.

If you want to remove the foxhole sigs completely... Look for foxhole*.* in
the ClamAV database folder or remove from your download script.

Foxhole sigs are really good for lots of reasons... but in your case you
might need to fine tune your setup.

Hope this helps.


Cheers,

Steve
www.sanesecurity.com
Twitter: @sanesecurity
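As an added example (not code from this thread, from ClamAV or from Sanesecurity): a small Python script that reads clamscan output of the kind pasted above and generates the ign2 contents Steve describes, i.e. bare signature names, one per line, with the `.UNOFFICIAL` suffix removed. That suffix is what clamscan appends to every signature loaded from a database that is not an official, signed ClamAV CVD/CLD; it marks where the signature came from, not whether the hit is a false positive. The script keeps official signatures apart so they never land in an ignore list by accident, and only emits a third-party signature when every file it fired on sits under a path you have declared as expected-to-match (here the Pi-hole blocklists, which are supposed to contain known-bad domain names). Anything else is handed back for manual review, because an ign2 entry silences that signature for every file on the host. The sample log, the `/etc/pihole/` trust prefix and the output name `local.ign2` are constructed for this example.

```python
"""Build a ClamAV .ign2 ignore list from clamscan output.

Added example; not code from the thread, ClamAV or Sanesecurity.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the clamscan output quoted in the thread.
# The omni.ja hit is deliberately wrapped over two lines, as it was in the post.
SAMPLE_LOG = """\
/etc/pihole/list.74.raw.githubusercontent.com.domains: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL FOUND
/etc/pihole/list.83.v.firebog.net.domains: YARA.davivienda.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/omni.ja:
Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/etc/pihole/gravity.db: OK

----------- SCAN SUMMARY -----------
Known viruses: 8862874
Infected files: 4
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
UNOFFICIAL = ".UNOFFICIAL"  # clamscan appends this to sigs from non-official databases


def parse_found(log):
    """Return [(path, signature)] for every FOUND line, re-joining a path that
    was wrapped onto its own line (path ending in ':', signature on the next)."""
    hits, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + " " + line, None
        if line.endswith(":"):
            pending = line
            continue
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def split_by_origin(hits):
    """Group matched paths by signature.  Third-party sigs lose the .UNOFFICIAL
    suffix (the ign2 file wants the bare database name); official sigs are kept
    in a separate dict so they are never written to an ignore list by accident."""
    unofficial, official = defaultdict(list), defaultdict(list)
    for path, sig in hits:
        if sig.endswith(UNOFFICIAL):
            unofficial[sig[: -len(UNOFFICIAL)]].append(path)
        else:
            official[sig].append(path)
    return dict(unofficial), dict(official)


def build_ign2(unofficial, trusted_prefixes):
    """Return (ign2_text, needs_review).

    ign2 format: one bare signature name per line.  A name is emitted only when
    every file it matched lies under one of trusted_prefixes (a tuple of path
    prefixes); an ign2 entry disables the signature host-wide, so a sig that
    also fired outside those paths is returned in needs_review instead."""
    ignore, review = [], {}
    for sig, paths in sorted(unofficial.items()):
        if all(p.startswith(trusted_prefixes) for p in paths):
            ignore.append(sig)
        else:
            review[sig] = paths
    return "".join(f"{sig}\n" for sig in ignore), review


if __name__ == "__main__":
    unofficial, official = split_by_origin(parse_found(SAMPLE_LOG))
    ign2, review = build_ign2(unofficial, ("/etc/pihole/",))
    with open("local.ign2", "w") as fh:  # copy into the ClamAV database directory
        fh.write(ign2)
    print("written to local.ign2:\n" + ign2)
    for sig, paths in review.items():
        print(f"review before ignoring: {sig} -> {paths}")
    for sig, paths in official.items():
        print(f"OFFICIAL signature, not ignored: {sig} -> {paths}")
```

Drop the resulting file into the ClamAV database directory (`/var/lib/clamav` on Debian) and reload the daemon with `clamdscan --reload`; `clamscan` reads the directory afresh on each run. If the real issue is that a directory is expected to contain indicator strings, as the Pi-hole blocklists are, excluding it with `clamscan --exclude-dir='^/etc/pihole/'` keeps those signatures active everywhere else, which is usually a better trade than ignoring them host-wide.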
Re: since clamav version 1.2.0, false/positive pihole links?
On 31 August 2023 09:30:46 energynorman--- via clamav-users
<clamav-users@lists.clamav.net> wrote:

> Dear clamav Teams,
>
>
> we are using some Debian 12 servers with PiHole Systems:
>
> [...]
>
> and since we installed the new clamav 1.2.0 (from source on the Raspi,
> or from the .deb file on the other Debian servers with PiHole on amd64),
> we now see these alerts:
>
>
> /etc/pihole/list.74.raw.githubusercontent.com.domains:
> sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL
> FOUND
> /etc/pihole/list.22.v.firebog.net.domains:
> sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL
> FOUND
> /etc/pihole/list.83.v.firebog.net.domains: YARA.davivienda.UNOFFICIAL FOUND

The above signatures, while 3rd party, are produced by me.

These must be downloaded from a script... So it is worth checking the
configuration for pihole or other download scripts.


Cheers,

Steve
Sanesecurity.com
Twitter: @sanesecurity