Mailing List Archive

[clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi all.

Just to better understand, I've recently noted that cache scanning of my
firefox browser reports many errors like this:

~/.cache/mozilla/firefox/<user-profile>/cache2/entries/19B6FB161440E34F1F5605202B22FE07BED5518D:
Can't parse data ERROR

I've checked and it's a regular file. But its content isn't a plain
text file.

I'm almost sure not happened before...

Happened about report of empty files; about possible "pua", but never
this one.

Can You please explain me what's up?

Thanks a lot.

M.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi there,

On Thu, 8 Oct 2020, mum laris via clamav-users wrote:

> thanks for your quick answer.

Er, my answer is below. On a mailing list, check the subject lines. :)

> Attached required report.

On a quick glance I wonder why clamconf didn't find freshclam.conf.
Are you running freshclam? You might want to enable the 'encrypted'
alerts for archives etc. as encrypted documents which contain malware
seem to be much more common recently but it's mostly Windows malware.

Earlier On Thu, 8 Oct 2020, mum laris via clamav-users wrote:

> Just to better understand, I've recently noted that cache scanning
> of my firefox browser reports many errors like this:
> ...
> Can't parse data ERROR

This could be one of those cases where ClamAV leads you on a dance to
no purpose. You might get more information if you try scanning the
file with debugging and verbose logging enabled, but it's not certain
to give you an answer. Some of the error reporting in ClamAV could be
improved, it's an on-going development task but it will take time.

Most utilities are designed to handle just a few file types. Think of
a word processor for example, it might need to handle quite a few, but
there are many it won't handle at all. Because of what it's asked to
do, ClamAV needs to be able to handle more or less *anything*. And it
has to be able to handle them whether they're on disc, in mail, or as
a bare stream of data, *and* it's expecting whatever it scans also to
be a malicious example of the type. That's a tall order. There's a
long list of code modules which just process different file types for
the scanning engine to scan. It's a fair job of work just to maintain
them - to keep them in step with developments in the many and various
specifications and fix occasional faults in them. Look at the list
archives and you'll see a mention of that in the last couple of days.

Having said that there might not be any fault in ClamAV. Random data
can appear to a file classifier to be more or less any type of file.
It might just be that ClamAV is being unavoidably confused by a chunk
of random data which resembles something it isn't. The chances might
be small, but they're not zero. Browsers in particular have a habit
of storing huge numbers of files which most of us would have trouble
identifying. Much of the time the files are written speculatively to
local storage 'just in case' they might be used again, but never are.

It might even be a filesystem or system error, although I'm not sure
how likely that is without more information. I'd expect there to be
other indications of that sort of thing. What's the storage device?
Is it near its best-before date? Are you familiar with 'fsck'?

> I've checked and it's a regular file. But its content isn't a plain
> text file.

It could be almost anything. You can use the 'file' utility for more
information. It might be a compressed file or something like that and
it might be broken. Anything as bloated and complex as the graphical
browsers of the 21st century is almost expected to leave broken files
lying around the filesystem when it trips over its own great big feet.

> I'm almost sure not happened before...

Maybe it's happening now because of an update to the browser version.
Maybe it's because you updated ClamAV or changed its configuration, or
changed something else. If it is just an odd log message now and then
I'd ignore it unless I had time on my hands to investigate. If it's a
lot more than that then it might tell you that something needs fixing,
but it would need some investigation. You could put some files on a
file sharing site and post a link here to see if anyone wants to take
up the challenge but if you do that, please make sure that you won't
be posting anything you want to keep private.

Some browsers will store gigabytes of junk for years. You can tell
them to delete the cache, or restrict the size of the cache, which
will at least mean it takes a lot less time to scan. You could tell
ClamAV not to scan it, but as it might be one of the more likely
places on the system to find threats, if you're concerned about them I
wouldn't want to go so far as that.

As long as your system - and particularly your browser - is kept up to
date with security patches, and you're sensible about where and what
you browse, and if the storage devices etc. are generally healthy, you
shouldn't need to worry too much. Most of the alerts from ClamAV will
either be false alarms, warnings about exceeding some limit or other,
or for Windows things to which a Linux box is immune. If ClamAV does
find something in the browser cache which is a threat to your browser,
it's probably already too late to stop it doing its nasty work.

--

73,
Ged.

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi.

On 08/10/20 12:34, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
>
>> thanks for your quick answer.
>
> Er, my answer is below.  On a mailing list, check the subject lines. :)
>
So thanks twice!

>> Attached required report.
>
> On a quick glance I wonder why clamconf didn't find freshclam.conf.
> Are you running freshclam?
At least daily. but I understand your point, so may be I'd like to check
if "clam-tk" (or something like that), is available now between my repos.
> You might want to enable the 'encrypted'
> alerts for archives etc. as encrypted documents which contain malware
> seem to be much more common recently but it's mostly Windows malware.

That's the point. This is my roaming profile (I use firefox sync), so it
runs upon all my devices (android, Windows and Linux).

A good way to keep bookmarks, passwords and plugins synchronized.

And a way to carry malware from other platforms here too...

anyway, You are suggesting to? from manual I see:

--heuristic-alerts[=yes(*)/no]

so these kind of files haven't to be yet detected and managed autonomously?

>
> Earlier On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
>
>> Just to better understand, I've recently noted that cache scanning
>> of my firefox browser reports many errors like this:
>> ...
>> Can't parse data ERROR
>
> This could be one of those cases where ClamAV leads you on a dance to
> no purpose.  You might get more information if you try scanning the
> file with debugging and verbose logging enabled, but it's not certain
> to give you an answer.  Some of the error reporting in ClamAV could be
> improved, it's an on-going development task but it will take time.
>
> [...]
>
> Having said that there might not be any fault in ClamAV.  Random data
> can appear to a file classifier to be more or less any type of file.
> It might just be that ClamAV is being unavoidably confused by a chunk
> of random data which resembles something it isn't.  The chances might
> be small, but they're not zero.  Browsers in particular have a habit
> of storing huge numbers of files which most of us would have trouble
> identifying.  Much of the time the files are written speculatively to
> local storage 'just in case' they might be used again, but never are.
>
> It might even be a filesystem or system error, although I'm not sure
> how likely that is without more information.  I'd expect there to be
> other indications of that sort of thing.  What's the storage device?
> Is it near its best-before date?  Are you familiar with 'fsck'?
>
ssd partition:

# fsck.ext4 -nv /dev/sdaX

e2fsck 1.43.8 (1-Jan-2018)
Warning!  /dev/sdaX is mounted.
Warning: skipping journal recovery because doing a read-only filesystem check.

/dev/sdaX: clean, 545729/6553600 files, 21748990/26214400 blocks

moreover I have to say that after first checks and before write in this
mailing-list, I've completely cleared cache.

scans after this points were "clean" of errors.

after restarting using firefox, errors back!

>> I've checked and it's a regular file. But its content isn't a plain
>> text file.
>
> It could be almost anything.  You can use the 'file' utility for more
> information.  It might be a compressed file or something like that and
> it might be broken.  Anything as bloated and complex as the graphical
> browsers of the 21st century is almost expected to leave broken files
> lying around the filesystem when it trips over its own great big feet.
>
file FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: gzip compressed data, from Unix
>> I'm almost sure not happened before...
>
> Maybe it's happening now because of an update to the browser version.
> Maybe it's because you updated ClamAV or changed its configuration, or
> changed something else.  If it is just an odd log message now and then
> I'd ignore it unless I had time on my hands to investigate.  If it's a
> lot more than that then it might tell you that something needs fixing,
> but it would need some investigation.  You could put some files on a
> file sharing site and post a link here to see if anyone wants to take
> up the challenge but if you do that, please make sure that you won't
> be posting anything you want to keep private.
>
explained what's happened before, so please let me know if You think
further analysis' needed.


> Some browsers will store gigabytes of junk for years.  You can tell
> them to delete the cache, or restrict the size of the cache, which
> will at least mean it takes a lot less time to scan.  You could tell
> ClamAV not to scan it, but as it might be one of the more likely
> places on the system to find threats, if you're concerned about them I
> wouldn't want to go so far as that.
>
> As long as your system - and particularly your browser - is kept up to
> date with security patches, and you're sensible about where and what
> you browse, and if the storage devices etc. are generally healthy, you
> shouldn't need to worry too much.  Most of the alerts from ClamAV will
> either be false alarms, warnings about exceeding some limit or other,
> or for Windows things to which a Linux box is immune.  If ClamAV does
> find something in the browser cache which is a threat to your browser,
> it's probably already too late to stop it doing its nasty work.
>
So you're no more relaxing my thoughts...

cheers,

M.


Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi there,

On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
> G.W. Haywood wrote:
>> Are you running freshclam?
> At least daily. but I understand your point, so may be I'd like to check if
> "clam-tk" (or something like that), is available ...

Not necessary. A freshclam.conf is pretty straightforward, just put
one in the same directory as your clamd.conf, edit to taste, and start
the freshclam daemon. It will then automatically update your database
periodically. To start it I just have a line in /etc/rc.local e.g.:

/usr/local/bin/freshclam -d --config-file=/etc/mail/clamav/freshclam.conf

People do all sorts of fancy things with sysvinit or systemd. Up to you.

> ... my roaming profile ... all my devices (android, Windows and Linux).

Ah, so you're vulnerable to *everything*! :/

> anyway, You are suggesting to? from manual I see:
>
> --heuristic-alerts[=yes(*)/no]
>
> so these kind of files haven't to be yet detected and managed autonomously?

Not at all what I meant. In the distribution, these default to 'yes':

8<----------------------------------------------------------------------
$ grep '#Alert' /usr/local/etc/clamd.conf.sample
#AlertBrokenExecutables yes
#AlertEncrypted yes
#AlertEncryptedArchive yes
#AlertEncryptedDoc yes
#AlertOLE2Macros yes
#AlertPhishingSSLMismatch yes
#AlertPhishingCloak yes
#AlertPartitionIntersection yes
#AlertExceedsMax yes
8<----------------------------------------------------------------------

but in your clamconf output I see this:

8<----------------------------------------------------------------------
$ grep Alert clamconf
AlertExceedsMax disabled
HeuristicAlerts = "yes"
AlertBrokenExecutables disabled
AlertEncrypted disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
8<----------------------------------------------------------------------

You might want to know about some of those things rather than have
clamd potentially ignore them, especially if you have Windoze boxes.

> /dev/sdaX: clean, 545729/6553600 files, 21748990/26214400 blocks

OK. I hope the SSD is backed up regularly to some other medium.

> file FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
> FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: gzip compressed data, from Unix
> ...
> ... please let me know if You think further analysis' needed.

Well it's a compressed file, you could try testing it using gzip.
Check the gzip man page for how to do that. If it tests out OK then
you could extract the contents (gunzip) and see if it's anything you
can make sense of. If not a little more digging might be needed.

> So you're no more relaxing my thoughts...

That's good. :)

--

73,
Ged.

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi!

On 08/10/20 19:31, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
> [...]

> Not at all what I meant.  In the distribution, these default to 'yes':
>
> 8<----------------------------------------------------------------------
> $ grep '#Alert' /usr/local/etc/clamd.conf.sample
> #AlertBrokenExecutables yes
> #AlertEncrypted yes
> #AlertEncryptedArchive yes
> #AlertEncryptedDoc yes
> #AlertOLE2Macros yes
> #AlertPhishingSSLMismatch yes
> #AlertPhishingCloak yes
> #AlertPartitionIntersection yes
> #AlertExceedsMax yes
> 8<----------------------------------------------------------------------
>
> but in your clamconf output I see this:
>
> 8<----------------------------------------------------------------------
> $ grep Alert clamconf
> AlertExceedsMax disabled
> HeuristicAlerts = "yes"
> AlertBrokenExecutables disabled
> AlertEncrypted disabled
> AlertEncryptedArchive disabled
> AlertEncryptedDoc disabled
> AlertOLE2Macros disabled
> AlertPhishingSSLMismatch disabled
> AlertPhishingCloak disabled
> AlertPartitionIntersection disabled
> 8<----------------------------------------------------------------------
>
> You might want to know about some of those things rather than have
> clamd potentially ignore them, especially if you have Windoze boxes.

Trying new features enabled ... I'll let You know!

>
>> /dev/sdaX: clean, 545729/6553600 files, 21748990/26214400 blocks
>
> OK.  I hope the SSD is backed up regularly to some other medium.
twice in a year... no more! :)
>
>> file FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
>> FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: gzip compressed data, from
>> Unix
>> ...
>> ... please let me know if You think further analysis' needed.
>
> Well it's a compressed file, you could try testing it using gzip.
> Check the gzip man page for how to do that.  If it tests out OK then
> you could extract the contents (gunzip) and see if it's anything you
> can make sense of.  If not a little more digging might be needed.
>
from size ... may be a youtube cached file as You supposed from starting?

If answer is yes I doubt to be able to rebuild it... :)

> gzip -vtl FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F

method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 00310064 Oct  6 18:52              435807          1383269888 100.0% FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F

>> So you're no more relaxing my thoughts...
>
> That's good. :)
>
Thanks anyway!

:)


Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hello again,

On Fri, 9 Oct 2020, mum laris via clamav-users wrote:

> gzip -vtl FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
>
> method crc date time compressed uncompressed ...
> defla 00310064 Oct 6 18:52 435807 1383269888 ...

A 1.4Gbyte file compressed down to 436kbytes? Seems unlikely.

--

73,
Ged.

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi.

On 10/10/20 01:01, G.W. Haywood via clamav-users wrote:
> Hello again,
>
> On Fri, 9 Oct 2020, mum laris via clamav-users wrote:
>
>> gzip -vtl FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
>>
>> method  crc    date  time compressed uncompressed ...
>> defla 00310064 Oct 6 18:52    435807   1383269888 ...
>
> A 1.4Gbyte file compressed down to 436kbytes?  Seems unlikely.
>
That's why I've decided to inspect it before erasing...

Following what I found.

Starting with gzip:

> gzip -vt FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F:
gzip: FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: decompression OK,
trailing garbage ignored
 OK


Suspect... extracting with 7zip:

> 7z e FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F -o/tmp/

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 [...]

Scanning the drive for archives:
1 file, 435807 bytes (426 KiB)

Extracting archive: FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
--
Path = FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
Type = gzip
Headers Size = 10

ERROR: There are some data after the end of the payload data :
FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F~

Sub items Errors: 1

Archives with Errors: 1

Sub items Errors: 1


Then:

> file /tmp/FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F~
/tmp/FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F~: UTF-8 Unicode text, with
very long lines


So parsing it, I can see 168 rows, beginning with:

(function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var
c="function"==typeof require&&require;if(!f&&c)return
c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module
'"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var
p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var
n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return
n[i].exports}for(var u="function"==typeof
require&&require,i=0;i<t.length;i++)o(t[i]);return o}return
r})()({1:[function(require,module,exports){
[...]


And at the end of file:

//# sourceMappingURL=bundle.js.map


How can a js be cached in this way?

Thanks,

M.



Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi there,

On Sat, 10 Oct 2020, mum laris via clamav-users wrote:
> On 10/10/20 01:01, G.W. Haywood via clamav-users wrote:
>> gzip -vt FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
> FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F:
> gzip: ... decompression OK, trailing garbage ignored

Trailing garbage doesn't necessarily mean malicious content, it could be as
simple as a carelessly coded utility which didn't do something (e.g.
terminate) correctly, but I agree with you that it's suspicious.

Do the timestamps (for example) on these files tell you anything about
where they might have come from?

> So parsing it ...
>
> (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i])...
> And at the end of file:
>
> //# sourceMappingURL=bundle.js.map
>
>
> How can a js be cached in this way?

I know nothing about caching scripts (and almost nothing about caching
anything else) in Firefox, but I imagine that most browsers will cache
scripts in more or less the same way that they'll cache anything else.
It's all just data which would otherwise have to be transferred again.

Why not submit the file to one of the sites which will scan for
malware with multiple scanning engines, e.g. Jotti or Virustotal?

https://virusscan.jotti.org/
https://www.virustotal.com/gui/

Have you tried pasting the md5sum of the file(s) into a search engine?

--

73,
Ged.
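
Added example, not code from any poster in this thread or from the gzip or ClamAV projects: a Python check for the situation discussed above. It inflates each gzip member, counts the bytes left after the last one (the "trailing garbage"), and compares the member's own ISIZE field with the value in the last four bytes of the file. That a listing takes its size from the file's last four bytes is an assumption here, and the sample input is constructed.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def inspect_gzip(blob, max_output=64 * 1024 * 1024):
    """Inflate each gzip member in blob and report what follows the last one.

    max_output caps the total inflated size so that a hostile file cannot
    exhaust memory while it is being examined.
    """
    members, offset, total = [], 0, 0
    while blob[offset:offset + 2] == GZIP_MAGIC:
        inflater = zlib.decompressobj(wbits=31)  # 31 = expect gzip framing
        data, produced = blob[offset:], 0
        try:
            while True:
                chunk = inflater.decompress(data, 65536)
                produced += len(chunk)
                if total + produced > max_output:
                    raise ValueError("inflated size exceeds max_output")
                if inflater.eof:
                    break
                data = inflater.unconsumed_tail
                if not chunk and not data:
                    raise ValueError("member is truncated")
        except zlib.error as exc:
            raise ValueError(f"corrupt member at offset {offset}: {exc}") from exc
        # unused_data holds everything after this member's 8-byte trailer.
        end = len(blob) - len(inflater.unused_data)
        members.append({
            "offset": offset,
            "compressed": end - offset,
            "uncompressed": produced,
            # ISIZE: last 4 bytes of the member's own trailer (RFC 1952).
            "isize": struct.unpack("<I", blob[end - 4:end])[0],
        })
        total += produced
        offset = end
    tail = struct.unpack("<I", blob[-4:])[0] if len(blob) >= 4 else None
    return {
        "members": members,
        "trailing_len": len(blob) - offset,  # bytes that are not gzip data
        # Assumption: a lister that reads the size from the END OF THE FILE
        # reports this number, whatever the real member trailer says.
        "size_from_file_tail": tail,
    }


# Constructed sample: a small script-like payload, gzip-compressed, followed
# by constructed non-gzip bytes whose last four bytes decode (little-endian)
# to the 1383269888 shown in the listing quoted in the thread.
PAYLOAD = b"(function(){return 'constructed sample';})();\n" * 200
TRAILER = b"constructed-trailing-bytes" + struct.pack("<I", 1383269888)
SAMPLE = gzip.compress(PAYLOAD) + TRAILER

if __name__ == "__main__":
    report = inspect_gzip(SAMPLE)
    for member in report["members"]:
        print(member)
    print("trailing bytes:", report["trailing_len"])
    print("size read from file tail:", report["size_from_file_tail"])
```
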

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Exactly, which is why I consider cache scanning to be a total waste of time. Most of what will be found is just adware and if it caused any issues, that would already have taken place. Cache files are just history files and perfectly harmless by themselves.

Sent from my iPad

-Al-
ClamXAV User

> On Oct 10, 2020, at 06:15, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> I imagine that most browsers will cache
> scripts in more or less the same way that they'll cache anything else.
> It's all just data which would otherwise have to be transferred again.
Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi there,

On Sat, 10 Oct 2020, Al Varnell via clamav-users wrote:

> Exactly, which is why I consider cache scanning to be a total waste
> of time. Most of what will be found is just adware and if it caused
> any issues, that would already have taken place. Cache files are
> just history files and perfectly harmless by themselves.

I mostly agree with you, but the OP did say that he uses (I think at
least) Android, Linux and Windows which could mean that a threat to a
Windows device might be caught on a Linux box before it has a chance
to reach any of the Windows devices. Emphasis on 'might', of course.

The use case is similar to those who run Websites which permit file-
sharing etc. If they didn't take any precautions, they could become
(at the risk of being a little topical) super-spreaders.

--

73,
Ged.

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi.

On 10/10/20 15:15, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Sat, 10 Oct 2020, mum laris via clamav-users wrote:
>> On 10/10/20 01:01, G.W. Haywood via clamav-users wrote:
>>> gzip -vt FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
>> FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F:
>> gzip: ... decompression OK, trailing garbage ignored
>
> Trailing garbage doesn't necessarily mean malicious content, it could be as
> simple as a carelessly coded utility which didn't do something (e.g.
> terminate) correctly, but I agree with you that it's suspicious.
>
> Do the timestamps (for example) on these files tell you anything about
> where they might have come from?
>
only streaming video I see are youtube or netflix; if not related to any
of these ones...
>> So parsing it ...
>>
>> (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i])...
>> And at the end of file:
>>
>> //# sourceMappingURL=bundle.js.map
>>
>>
>> How can a js be cached in this way?
>
> I know nothing about caching scripts (and almost nothing about caching
> anything else) in Firefox, but I imagine that most browsers will cache
> scripts in more or less the same way that they'll cache anything else.
> It's all just data which would otherwise have to be transferred again.
>
> Why not submit the file to one of the sites which will scan for
> malware with multiple scanning engines, e.g. Jotti or Virustotal?
>
> https://virusscan.jotti.org/
> https://www.virustotal.com/gui/
>
Jotti doesn't work in my firefox profile

Viruscan says no detected engine... (safe)

> Have you tried pasting the md5sum of the file(s) into a search engine?
>
Yeah, no result...

Thanks,

M.


Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors
Hi again,

running in another profile (don't ask me why), also Jotti says no
malware detected.

Thanks,

M.


On 11/10/20 13:07, mum laris via clamav-users wrote:
> Hi.
>
> On 10/10/20 15:15, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Sat, 10 Oct 2020, mum laris via clamav-users wrote:
>>> On 10/10/20 01:01, G.W. Haywood via clamav-users wrote:
>>>> gzip -vt FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
>>> FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F:
>>> gzip: ... decompression OK, trailing garbage ignored
>>
>> Trailing garbage doesn't necessarily mean malicious content, it could be as
>> simple as a carelessly coded utility which didn't do something (e.g.
>> terminate) correctly, but I agree with you that it's suspicious.
>>
>> Do the timestamps (for example) on these files tell you anything about
>> where they might have come from?
>>
> only streaming video I see are youtube or netflix; if not related to
> any of these ones...
>>> So parsing it ...
>>>
>>> (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i])...
>>> And at the end of file:
>>>
>>> //# sourceMappingURL=bundle.js.map
>>>
>>>
>>> How can a js be cached in this way?
>>
>> I know nothing about caching scripts (and almost nothing about caching
>> anything else) in Firefox, but I imagine that most browsers will cache
>> scripts in more or less the same way that they'll cache anything else.
>> It's all just data which would otherwise have to be transferred again.
>>
>> Why not submit the file to one of the sites which will scan for
>> malware with multiple scanning engines, e.g. Jotti or Virustotal?
>>
>> https://virusscan.jotti.org/
>> https://www.virustotal.com/gui/
>>
> Jotti doesn't work in my firefox profile
>
> Viruscan says no detected engine... (safe)
>
>> Have you tried pasting the md5sum of the file(s) into a search engine?
>>
> Yeah, no result...
>
> Thanks,
>
> M.
>
>