Mailing List Archive

[clamav-users] is this really a positive? Html.Trojan.Exploit-112 FOUND
Our ClamAV scan just reported this signature to be found in one of my
syslog archives.

Html.Trojan.Exploit-112 FOUND

My best guess is that it is false-positive, as this filesystem is totally
isolated from any interactive user access.

But where can I find the details behind this alert?

Google has no match on this.


---------------------------------------------------------------------------------------------------------------
Henrik Høg Thomsen
Senior IT Specialist - IBM - IPG
IBM Danmark ApS
Prøvensvej 1
2605 Brøndby
CVR nr.: 65305216
tlf +45 51638561 mail hht@dk.ibm.com

Re: [clamav-users] is this really a positive? Html.Trojan.Exploit-112 FOUND
It's been in the database for many years, so doubt that it's invalid, but could still be an FP in your specific case. The signature looks like this:

VIRUS NAME: Html.Trojan.Exploit-112
TARGET TYPE: HTML
OFFSET: *
bc f3 e3 f2 e9 f0 f4
[I padded the hex string with spaces to prevent this e-mail from being detected.]

ClamAV doesn't publish detailed information on most of its signatures. Only the original signature writer might have it in his notes and I doubt he still works for them. Each vendor uses its own unique name for signatures, so it's no wonder you weren't able to find anything, although I did find this from Dec 2017 which appears to believe it might be a False Positive from a Time Machine backup: <https://forum.qnapclub.de/thread/45902-virenfund-timemachinebackup-wie-finde-ich-die-dateien-auf-dem-macbook/>.

You should upload that file to <https://www.virustotal.com> to help make your case.

Then it should be uploaded to <http://www.clamav.net/reports/fp> so that it gets to the ClamAV signature team for resolution.

You may get faster results if you post the link to VirusTotal results and a hash value for the file back here, to make it easier for all to help resolve it.

-Al-

> On Mar 4, 2019, at 00:24, Henrik Hoeg Thomsen1 via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Our ClamAV scan just reported this signature to be found in one of my syslog archives.
>
> Html.Trojan.Exploit-112 FOUND
>
> My best guess is that it is false-positive, as this filesystem is totally isolated from any interactive user access.
>
> But where can I find the details behind this alert?
>
> Google has no match on this.
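
An added example, not part of the original messages and not ClamAV's own tooling: a small Python triage helper that computes the SHA-256 to post to the list and reports where the hex pattern quoted above occurs in a flagged log file. The function names and the sample log lines are constructed for illustration.

```python
import gzip
import hashlib

# Hex pattern quoted in the reply above, with the padding spaces removed.
SIG = bytes.fromhex("bcf3e3f2e9f0f4")

def load(raw: bytes) -> bytes:
    """Return the log content, decompressing gzip archives (magic 1f 8b)."""
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw

def find_hits(data: bytes, sig: bytes = SIG, context: int = 24):
    """List (offset, surrounding bytes) for every occurrence of sig in data."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append((pos, data[max(0, pos - context):pos + len(sig) + context]))
        pos = data.find(sig, pos + 1)
    return hits

def strip_high_bit(raw: bytes) -> str:
    """Clear bit 7 of every byte to show what the bytes spell as 7-bit ASCII."""
    return bytes(b & 0x7F for b in raw).decode("ascii")

def triage(raw: bytes) -> dict:
    """Hash the file as stored, then search its (decompressed) content."""
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "hits": find_hits(load(raw)),
        "sig_as_7bit": strip_high_bit(SIG),
    }

# Constructed sample: three made-up syslog lines, one carrying the pattern.
SAMPLE = (
    b"Mar  3 23:58:01 host1 sshd[411]: session opened for user backup\n"
    b"Mar  3 23:59:12 host1 proxy[902]: body=\xbc\xf3\xe3\xf2\xe9\xf0\xf4\xbe\n"
    b"Mar  4 00:00:00 host1 cron[77]: job finished\n"
)

if __name__ == "__main__":
    report = triage(gzip.compress(SAMPLE))
    print("sha256 :", report["sha256"])
    print("7-bit  :", report["sig_as_7bit"])
    for offset, ctx in report["hits"]:
        print(f"offset {offset}: {ctx!r}")
```

ClamAV matches HTML-target signatures against its normalized view of the file, so an empty hit list on the raw bytes does not by itself clear the detection.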
Re: [clamav-users] is this really a positive? Html.Trojan.Exploit-112 FOUND
Henrik,

The reference file that we have for that signature appears to
contain CVE-2006-3227.

If you can share the file then use the FP reporting option
<http://www.clamav.net/reports/fp> to have the signature reassessed.

Thank you.

On Mon, Mar 4, 2019 at 3:57 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> It's been in the database for many years, so doubt that it's invalid, but
> could still be an FP in your specific case. The signature looks like this:
>
> VIRUS NAME: Html.Trojan.Exploit-112
> TARGET TYPE: HTML
> OFFSET: *
> bc f3 e3 f2 e9 f0 f4
> [I padded the hex string with spaces to prevent this e-mail from being
> detected.]
>
> ClamAV doesn't publish detailed information on most of its signatures. Only
> the original signature writer might have it in his notes and I doubt he
> still works for them. Each vendor uses its own unique name for signatures,
> so it's no wonder you weren't able to find anything, although I did find
> this from Dec 2017 which appears to believe it might be a False Positive
> from a Time Machine backup:
> <https://forum.qnapclub.de/thread/45902-virenfund-timemachinebackup-wie-finde-ich-die-dateien-auf-dem-macbook/>.
>
> You should upload that file to <https://www.virustotal.com> to help make
> your case.
>
> Then it should be uploaded to <http://www.clamav.net/reports/fp> so that
> it gets to the ClamAV signature team for resolution.
>
> You may get faster results if you post the link to VirusTotal results and
> a hash value for the file back here, to make it easier for all to help
> resolve it.
>
> -Al-


--

Matthew Molyett
Malware Researcher

mmolyett@cisco.com