Mailing List Archive

[clamav-users] KACE false positive
It has been over a year since there was a wide false positive across ClamAV.
"/Library/Application Support/Quest/KACE/bin/klog"
"Unix.Malware.Macos-9867919-0 FOUND"

I do not recall how to address this. Any suggestions would be great.
Thanks,
Doug
--


Douglas Stinnette

VCU Technology Services

Endpoint Security Specialist

Virginia Commonwealth University

827-0933



Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information. For more details
visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
Re: [clamav-users] KACE false positive
Thanks for reporting. Will be addressed in the next CVD update.

-Alain

Re: [clamav-users] KACE false positive
Douglas,

Thank you for your email. Here is a good place to file false positives: https://www.clamav.net/reports/fp for future reference.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | https://www.clamav.net

Re: [clamav-users] KACE false positive
Hi Alain,

Thank you very much!
Doug

On Fri, Jun 11, 2021 at 11:07 AM Alain Zidouemba <azidouemba@sourcefire.com>
wrote:

> Thanks for reporting. Will be addressed in the next CVD update.
>
> -Alain
Re: [clamav-users] KACE false positive
Hi there,

On Fri, 11 Jun 2021, Douglas Stinnette wrote:

> It has been over a year since there was a wide false positive across ClamAV.
> "/Library/Application Support/Quest/KACE/bin/klog"
> "Unix.Malware.Macos-9867919-0 FOUND"
>
> I do not recall how to address this. Any suggestions would be great.

Additionally, in the interim before the false positive is addressed by
the ClamAV team and the databases are updated, you can create a file
in your local ClamAV database directory which contains the MD5 hash of
the file which is being incorrectly flagged.

https://docs.clamav.net/manual/Signatures/AllowLists.html

Do make sure that it _is_ a false positive before you do that. :)

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml