Mailing List Archive

[clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
File libclamunrar.dll from ClamAV 0.102.2 win x86 portable is being
quarantined by Sunbelt Vipre Enterprise as Trojan.GenericKD.42582612.

The first detection was at 5:44 PM EST on Friday Feb 14.

Microsoft is the only product that flags it as infected on VirusTotal
as Trojan:Win32/Detplock.

I submitted the file as a false positive to Sunbelt yesterday but
have not heard back.

I apologize if this ends up being a duplicate post. I attempted one
yesterday that has not appeared in the archives.

Brian

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
On 2020-02-18 13:58, Brian Fluet wrote:
> File libclamunrar.dll from ClamAV 0.102.2 win x86 portable is being
> quarantined by Sunbelt Vipre Enterprise as Trojan.GenericKD.42582612.
>
> The first detection was at 5:44 PM EST on Friday Feb 14.
>
> Microsoft is the only product that flags it as infected on VirusTotal
> as Trojan:Win32/Detplock.
>
> I submitted the file as a false positive to Sunbelt yesterday but
> have not heard back.
>
> I apologize if this ends up being a duplicate post. I attempted one
> yesterday that has not appeared in the archives.
>

SHA-256
8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c

Other AVs are also flagging... but maybe the same FP signature:

https://www.virustotal.com/gui/file/8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c/detection


--
Cheers,

Steve
Sanesecurity

Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
Thanks for the heads up Brian!

We've reached out to Microsoft to attempt to address the issue. I will also reach out to the UnRAR developer to make sure he is aware. Even if Microsoft changes their detection, I suspect the others will continue to alert and we may want to reach out to some of the other companies to correct the FP.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



On 2/18/20, 9:18 AM, "clamav-users on behalf of Steve Basford" <clamav-users-bounces@lists.clamav.net on behalf of steveb_clamav@sanesecurity.com> wrote:

On 2020-02-18 13:58, Brian Fluet wrote:
> File libclamunrar.dll from ClamAV 0.102.2 win x86 portable is being
> quarantined by Sunbelt Vipre Enterprise as Trojan.GenericKD.42582612.
>
> The first detection was at 5:44 PM EST on Friday Feb 14.
>
> Microsoft is the only product that flags it as infected on VirusTotal
> as Trojan:Win32/Detplock.
>
> I submitted the file as a false positive to Sunbelt yesterday but
> have not heard back.
>
> I apologize if this ends up being a duplicate post. I attempted one
> yesterday that has not appeared in the archives.
>

SHA-256
8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c

Other AVs are also flagging... but maybe the same FP signature:

https://www.virustotal.com/gui/file/8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c/detection


--
Cheers,

Steve
Sanesecurity

Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
On 18 Feb 2020 at 15:16, Steve Basford wrote:

>
> Other AVs are also flagging... but maybe the same FP signature:
>
> https://www.virustotal.com/gui/file/8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c/detection

This report is very different from the one produced yesterday
morning. It is surprising that Microsoft isn't in this list at all
and Vipre, which wasn't in yesterday's list, flags it as undetected
even though detection is still occurring based on a test I made
minutes ago.

--
Brian

Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
Interesting indeed.
I received a response a few moments ago regarding the FP report I submitted. The detection was dropped. Hopefully the others will also switch to undetected as well.

-Micah

On 2/18/20, 3:01 PM, "clamav-users on behalf of Brian Fluet" <clamav-users-bounces@lists.clamav.net on behalf of bf4pmail@gmx.com> wrote:

On 18 Feb 2020 at 15:16, Steve Basford wrote:

>
> Other AVs are also flagging... but maybe the same FP signature:
>
> https://www.virustotal.com/gui/file/8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c/detection

This report is very different from the one produced yesterday
morning. It is surprising that Microsoft isn't in this list at all
and Vipre, which wasn't in yesterday's list, flags it as undetected
even though detection is still occurring based on a test I made
minutes ago.

--
Brian

Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise
I received a response from Vipre a short time ago stating that they
have fixed this FP. A test with the current def confirms that.

--
Brian

