Hi Al,
Thank you very much for your reply. I just realized that I was on the wrong
thread though. I meant to ask the reason for the alarms below, or at least
to confirm it's a false alarm, so I can just exclude the files. Do you or
anybody on the list has information on this? Thanks.
Christina
---------- Forwarded message ----------
From: Christina Qian <christina.qian@ayasdi.com>
To: clamav-users@lists.clamav.net
Cc:
Bcc:
Date: Tue, 12 Nov 2019 10:57:27 -0800
Subject: ClamAV false positive
Hi,
We have installed ClamAV on our EC2 hosts. This weekend it started to send
alerts below. Since as far as I know, these tls1.h files were already on
the system for one or two years and no malware alert was ever sent for
them, I wonder whether there is any change on the ClamAV side which causes
it. For example, if YARA.php_malware_hexinject.UNOFFICIAL FOUND rule was
newly added to the rfxn.yara file, etc?
Since I did not keep the old yara file, I couldn't tell. Also, how the yara
file or other files were updated and what's common practise checking
whether the alert is solid or false and how to handle false alerts? Thanks.
/folder_name/jupyter/miniconda2/include/openssl/tls1.h:
YARA.php_malware_hexinject.UNOFFICIAL FOUND
/folder_name/jupyter/miniconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h:
YARA.php_malware_hexinject.UNOFFICIAL FOUND
/folder_name/anaconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h:
YARA.php_malware_hexinject.UNOFFICIAL FOUND
Christina Qian
Christina Qian
On Tue, Nov 12, 2019 at 5:14 PM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> The offending signature was previously posted, along with it's location in
> the daily.hdb section of the daily.cld/.cvd signature database:
>
> [daily.hsb]
> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>
> You should see that it is dropped in the next daily update around eight
> hours from now.
>
> -Al-
>
> On Nov 12, 2019, at 14:05, Christina Qian <christina.qian@ayasdi.com>
> wrote:
>
> Hi Alain,
>
> Thank you very much for your quick response. May I ask what's the
> offending signature, where it located, and how was it removed? Thanks.
>
> Christina Qian
>
>
> On Tue, Nov 12, 2019 at 1:22 PM Alain Zidouemba <azidouemba@sourcefire.com>
> wrote:
>
>> The alert was a false positive, and the offending signature has been
>> removed.
>>
>> Thanks,
>>
>> -Alain
>>
>> On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <
>> clamav-users@lists.clamav.net> wrote:
>>
>>> That's a hash signature. My guess is that there's 315 byte file inside
>>> the jar that was marked. The 2.4 version of fop has a 315 byte class file
>>> (PDFColorSpace.class) in it with a different MD5 hash. You might want to
>>> unpack the fop.jar and see if any of the files there match. Chances are
>>> some piece of malware included something similar that got included in the
>>> signature creation process.
>>>
>>> [daily.hsb]
>>> 94d13091a15154471ed3832f3c072567:315:Html.Malware.Agent-7380889-0:73
>>>
>>>
>>> On Tue, Nov 12, 2019 at 10:12 AM Andy Keller <
>>> andykeller@decisionlens.com> wrote:
>>>
>>>> Hi group –
>>>>
>>>>
>>>>
>>>> We’ve had a file (/opt/nessus/var/nessus/report-engine/fop.jar) hitting
>>>> for Html.Malware.Agent-7380889-0 since yesterday. This Apache file hasn’t
>>>> been updated since March 2019 and I’m tempted to say this is a false
>>>> positive (our Nessus server is also completely unreachable from the
>>>> internet), but haven’t seen any traffic on this listserv and Google hasn’t
>>>> helped much. Anybody have any similar hits?
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>> *Andy Keller*Director, Information Security and Compliance | CISSP,
>>>> CCSK, Security+ | Decision Lens
>>>> <http://www.decisionlens.com/>andykeller@decisionlens.com
>>>>
>>>> o: (703) 215-8282
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>>
>>>> clamav-users mailing list
>>>> clamav-users@lists.clamav.net
>>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>>
>>>>
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/vrtadmin/clamav-faq
>>>>
>>>> http://www.clamav.net/contact.html#ml
>>>>
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
