Mailing List Archive

False positive?
After updating to the latest virus signature files using
freshclam, I am suddenly getting infected file reports
that I never got before. I don't think the affected files have
changed, at least the creation dates and size in bytes are
still the same. How can I tell whether this is a real virus
or malware, or if it is just a false positive? If I submit
one of the files using clamsubmit, will it be analyzed to
determine whether it is a false positive? I'm not sure if
files submitted using clamsubmit are analyzed, or whether
it is just assumed that they are false positives.
I am using a Linux operating system that was built using
linuxfromscratch.org.
Here is a list of the files that clamscan reported:

/usr/lib/python3.11/ensurepip/_bundled/pip-23.1.2-py3-none-any.whl:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64-arm.exe:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64.exe:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64.exe:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64-arm.exe:
Win.Virus.Expiro-10026576-0 FOUND
/usr/lib/python3.11/site-packages/pip/_vendor/distlib/w32.exe:
Win.Virus.Expiro-10026576-0 FOUND

Richard
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: False positive?
There are also reports on Reddit today of ClamAV finding this:
https://www.reddit.com/r/flatpak/comments/1byn8og/clamav_detecting_winvirusexpiro100265760_malware/?rdt=45424

One reply says:
I ran one of the files tagged as a virus by Clamav through VirusTotal.com;
out of 64 anti-virus utilities only Clamav tagged it as a virus. Can't
imagine this not being a false positive.

On Mon, 8 Apr 2024, Richard wrote:

> After updating to the latest virus signature files using
> freshclam, I am suddenly getting infected file reports
> that I never got before. I don't think the affected files have
> changed, at least the creation dates and size in bytes are
> still the same. How can I tell whether this is a real virus
> or malware, or if it is just a false positive? If I submit
> one of the files using clamsubmit, will it be analyzed to
> determine whether it is a false positive? I'm not sure if
> files submitted using clamsubmit are analyzed, or whether
> it is just assumed that they are false positives.
> I am using a Linux operating system that was built using
> linuxfromscratch.org.
> Here is a list of the files that clamscan reported:
>
> /usr/lib/python3.11/ensurepip/_bundled/pip-23.1.2-py3-none-any.whl:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64-arm.exe:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64.exe:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/t64.exe:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w64-arm.exe:
> Win.Virus.Expiro-10026576-0 FOUND
> /usr/lib/python3.11/site-packages/pip/_vendor/distlib/w32.exe:
> Win.Virus.Expiro-10026576-0 FOUND
>
> Richard

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: False positive?
On Mon, 8 Apr 2024 11:26:15 -0400
Richard <rkm@usol.com> wrote:

> After updating to the latest virus signature files using
> freshclam, I am suddenly getting infected file reports
> that I never got before.

Almost certainly yes. This seems to happen periodically, for those same
Python PIP exe files (which I really wish weren't even packaged
there...)

The signature it hit, Win.Virus.Expiro-10026576-0, was added yesterday
in signatures 27238:
https://lists.clamav.net/pipermail/clamav-virusdb/2024-April/008622.html

I expect (and hope) that signature will be removed again shortly.

Historic examples of false positives on those same damned files which
have troubled me, for reference:

signatures version 26922 on 2023-05-30, added a pattern for
Win.Virus.Memery-10002766-0 which hit that distlib/t32.exe file:
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg52715.html

... and was soon dropped in the next version.

Before that, signatures version 26438 on 2022-01-30 added a pattern for
Win.Malware.Generic-9937882-0 which again hit those files e.g.
distlib/w32.exe:
https://lists.clamav.net/pipermail/clamav-virusdb/2022-January/007823.html


> How can I tell whether this is a real virus
> or malware, or if it is just a false positive?

You could drop the MD5 hash of the files into e.g. VirusTotal to see if
any other virus checkers report a hit for them.

A cute one-liner I use for this is:

md5sum /usr/lib/python*/site-packages/pip/_vendor/distlib/*.exe \
| cut -d ' ' -f1 \
| xargs -I% echo "https://www.virustotal.com/gui/search/%"



> If I submit
> one of the files using clamsubmit, will it be analyzed to
> determine whether it is a false positive? I'm not sure if
> files submitted using clamsubmit are analyzed, or whether
> it is just assumed that they are false positives.

I believe it essentially acts as a handy front end for submitting them
via the website e.g. https://www.clamav.net/reports/fp so the same
things that apply to submissions via the site apply to submissions via
clamsubmit - notably, from this documentation:
https://docs.clamav.net/#submitting-new-or-otherwise-undetected-malware

"Q: Who analyzes malware and false positive file uploads?
A: Given the volume of submissions, the vast majority of files are
handled by automation."


Cheers

Dave P
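To settle the other half of Richard's question, whether the flagged files have actually changed, here is an added example in Python (not code from the thread, from ClamAV or from pip). It parses clamscan's "FOUND" lines, looks each flagged path up in the SHA-256 hashes that pip writes to its *.dist-info/RECORD file at install time (the wheel RECORD format, path,sha256=<base64url digest>,size, is an assumption stated in the code), and reports whether the bytes on disk still match what pip installed. It also builds a VirusTotal search URL from the SHA-256, the same idea as the md5sum one-liner above (VirusTotal search accepts MD5, SHA-1 or SHA-256). The fixture in demo() is constructed: a temporary fake site-packages tree with stub files, not real pip binaries.

```python
#!/usr/bin/env python3
"""Cross-check clamscan hits against the SHA-256 hashes pip recorded at install time.
Added example, not code from the thread, ClamAV or pip. Assumption (wheel RECORD
format): each *.dist-info/RECORD row is
  <path relative to site-packages>,sha256=<base64url digest, no '=' padding>,<size>
"""
import base64
import csv
import hashlib
import os
import re
import tempfile

# clamscan prints one "<path>: <signature> FOUND" line per hit
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Return [(path, signature), ...] for every FOUND line; OK lines are ignored."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def urlsafe_sha256(path):
    """SHA-256 of a file encoded the way RECORD stores it (base64url, '=' stripped)."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def virustotal_search_url(path):
    """Search URL for the file's SHA-256; same idea as the md5sum one-liner."""
    with open(path, "rb") as f:
        return "https://www.virustotal.com/gui/search/" + hashlib.sha256(f.read()).hexdigest()


def load_records(site_packages):
    """Map absolute path -> expected base64url sha256 from every *.dist-info/RECORD."""
    expected = {}
    for entry in os.listdir(site_packages):
        record = os.path.join(site_packages, entry, "RECORD")
        if not entry.endswith(".dist-info") or not os.path.isfile(record):
            continue
        with open(record, newline="") as f:
            for row in csv.reader(f):
                # RECORD itself and *.pyc entries carry no hash; skip them
                if len(row) < 2 or not row[1].startswith("sha256="):
                    continue
                abs_path = os.path.normpath(os.path.join(site_packages, row[0]))
                expected[abs_path] = row[1][len("sha256="):]
    return expected


def verify_hits(hits, site_packages):
    """Classify each flagged path as 'unchanged', 'MODIFIED', 'missing' or 'no-record'."""
    expected = load_records(site_packages)
    results = {}
    for path, _sig in hits:
        abs_path = os.path.normpath(path)
        if abs_path not in expected:
            results[path] = "no-record"   # e.g. the bundled .whl: pip never hashed it
        elif not os.path.isfile(abs_path):
            results[path] = "missing"
        elif urlsafe_sha256(abs_path) == expected[abs_path]:
            results[path] = "unchanged"   # byte-identical to what pip installed
        else:
            results[path] = "MODIFIED"    # changed since install: treat as suspicious
    return results


def demo():
    """Constructed fixture: a fake site-packages with a pip-style RECORD, one intact
    file, one file modified after install, and a hit on a path pip never recorded.
    Returns {basename: status}."""
    tmp = tempfile.mkdtemp()
    sp = os.path.join(tmp, "site-packages")
    dist = os.path.join(sp, "pip-23.1.2.dist-info")
    distlib = os.path.join(sp, "pip", "_vendor", "distlib")
    os.makedirs(dist)
    os.makedirs(distlib)
    intact = os.path.join(distlib, "t32.exe")
    tampered = os.path.join(distlib, "w32.exe")
    for p in (intact, tampered):
        with open(p, "wb") as f:  # stub content, not a real PE file
            f.write(b"MZ constructed stub: " + os.path.basename(p).encode())
    with open(os.path.join(dist, "RECORD"), "w", newline="") as f:
        w = csv.writer(f)  # RECORD reflects the as-installed bytes, as pip writes it
        for p in (intact, tampered):
            w.writerow([os.path.relpath(p, sp), "sha256=" + urlsafe_sha256(p), os.path.getsize(p)])
        w.writerow([os.path.relpath(os.path.join(dist, "RECORD"), sp), "", ""])
    with open(tampered, "ab") as f:  # simulate a change made after installation
        f.write(b"\nextra bytes")
    scan = (f"{intact}: Win.Virus.Expiro-10026576-0 FOUND\n"
            f"{tampered}: Win.Virus.Expiro-10026576-0 FOUND\n"
            f"{tmp}/pip-23.1.2-py3-none-any.whl: Win.Virus.Expiro-10026576-0 FOUND\n"
            f"{tmp}/clean.txt: OK\n")
    results = verify_hits(parse_clamscan(scan), sp)
    return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

A hash match against RECORD shows the file is byte-identical to what pip installed, which is much stronger evidence than an unchanged size or timestamp; an "unchanged" file plus no corroborating engine on VirusTotal is the usual false-positive picture, whereas "MODIFIED" means the detection deserves a closer look regardless of what other scanners say. The bundled wheel under ensurepip has no RECORD entry in site-packages (its hashes live inside the wheel), so it comes back as "no-record" and has to be compared by hash against the values published with the Python release instead.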


Re: False positive?
I love cute one-liners. Many of these pip files have been flagged by clamav a couple times this year but within a couple days a definition file will be released that removes the false positives. I guess we will have to get used to submitting them.


Hong-Duc Vu
Phone: 240-592-3072  Email: hong-duc.vu@jhuapl.edu



-----Original Message-----
From: David Precious <davidp@preshweb.co.uk>
Sent: Monday, April 8, 2024 12:19 PM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] False positive?
