Mailing List Archive

Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0
>
> Hi
>
> We are seeing a lot of false positives being generated from this signature.
> Java.Malware.CVE_2021_44228-9915814-0
> which has resulted in the quarantine of a lot of java applications running
> in our environments.
>
> It seems for this CVE there are other signatures as well which detect
> this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601
>
> So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant
> and since it is generating a lot of false positives also, please remove
> this from the daily.cld.
>
> I have also submitted a false positive report for the same.
> Can someone please check and take appropriate action on this?
>
Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0
Hi Puneet,

Thank you for submitting the FP reports through our web form.
Our malware research team is actively working on improving the signatures related to CVE-2021-44228.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Puneet Bhootra via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, December 16, 2021 11:32 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: Puneet Bhootra <pbhootra@salesforce.com>; Himanshu Kumar <himanshukumar@salesforce.com>
Subject: Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0

Hi

We are seeing a lot of false positives being generated from this signature.
Java.Malware.CVE_2021_44228-9915814-0
which has resulted in the quarantine of a lot of java applications running in our environments.

It seems for this CVE there are other signatures as well which detect this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601

So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant and since it is generating a lot of false positives also, please remove this from the daily.cld.

I have also submitted a false positive report for the same.
Can someone please check and take appropriate action on this?
Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0
Hi

Is there any update on whether this has been resolved? I see many
signatures related to this CVE.
Also, since this is an exploit/vulnerability, is ClamAV supposed to detect
this, considering it's a malware/virus detection tool?

Regards
Puneet

On Fri, Dec 17, 2021 at 3:30 AM Micah Snyder (micasnyd) <micasnyd@cisco.com>
wrote:

> Hi Puneet,
>
> Thank you for submitting the FP reports through our web form.
> Our malware research team is actively working on improving the signatures
> related to CVE-2021-44228.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> ------------------------------
> *From:* clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of
> Puneet Bhootra via clamav-users <clamav-users@lists.clamav.net>
> *Sent:* Thursday, December 16, 2021 11:32 AM
> *To:* clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
> *Cc:* Puneet Bhootra <pbhootra@salesforce.com>; Himanshu Kumar <
> himanshukumar@salesforce.com>
> *Subject:* Re: [clamav-users] Lot of false positives detected from
> signature Java.Malware.CVE_2021_44228-9915814-0
>
>
> Hi
>
> We are seeing a lot of false positives being generated from this signature.
> Java.Malware.CVE_2021_44228-9915814-0
> which has resulted in the quarantine of a lot of java applications running
> in our environments.
>
> It seems for this CVE there are other signatures as well which detect
> this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601
>
> So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant
> and since it is generating a lot of false positives also, please remove
> this from the daily.cld.
>
> I have also submitted a false positive report for the same.
> Can someone please check and take appropriate action on this?
>
>

Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0
Hi Puneet,

Java.Malware.CVE_2021_44228-9915814-0 has been revised to
Java.Malware.CVE_2021_44228-9915814-2 (revision 2). Please ensure you're
using the latest daily CVD.

Signatures are targeting malware leveraging CVE-2021-44228, in addition to
targeting resulting payload Java classes.

On Mon, Dec 20, 2021 at 12:38 PM Puneet Bhootra via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi
>
> Is there any update on whether this has been resolved? I see many
> signatures related to this CVE.
> Also, since this is an exploit/vulnerability, is ClamAV supposed to detect
> this, considering it's a malware/virus detection tool?
>
> Regards
> Puneet
>
> On Fri, Dec 17, 2021 at 3:30 AM Micah Snyder (micasnyd) <
> micasnyd@cisco.com> wrote:
>
>> Hi Puneet,
>>
>> Thank you for submitting the FP reports through our web form.
>> Our malware research team is actively working on improving the signatures
>> related to CVE-2021-44228.
>>
>> Regards,
>> Micah
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> ------------------------------
>> *From:* clamav-users <clamav-users-bounces@lists.clamav.net> on behalf
>> of Puneet Bhootra via clamav-users <clamav-users@lists.clamav.net>
>> *Sent:* Thursday, December 16, 2021 11:32 AM
>> *To:* clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
>> *Cc:* Puneet Bhootra <pbhootra@salesforce.com>; Himanshu Kumar <
>> himanshukumar@salesforce.com>
>> *Subject:* Re: [clamav-users] Lot of false positives detected from
>> signature Java.Malware.CVE_2021_44228-9915814-0
>>
>>
>> Hi
>>
>> We are seeing a lot of false positives being generated from this signature.
>> Java.Malware.CVE_2021_44228-9915814-0
>> which has resulted in the quarantine of a lot of java applications
>> running in our environments.
>>
>> It seems for this CVE there are other signatures as well which detect
>> this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601
>>
>> So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant
>> and since it is generating a lot of false positives also, please remove
>> this from the daily.cld.
>>
>> I have also submitted a false positive report for the same.
>> Can someone please check and take appropriate action on this?
>>
>>
>


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
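The last reply points out that the signature was re-issued as revision 2 (the trailing number in the ClamAV signature name, Name-SigID-Revision) and that the fix only takes effect with the current daily database. The following added example, which is not from the thread or from the ClamAV project, parses constructed clamscan output, splits each signature name into base name, signature ID and revision, and lists files whose detection came from a revision older than the one now installed so they can be re-scanned instead of staying in quarantine. The mapping of signature ID to installed revision is a constructed assumption here; in practice it would come from a lookup such as `sigtool --find-sigs` against the updated database.

```python
import re

# ClamAV signature names from the official databases end in -<SigID>-<Revision>,
# e.g. Java.Malware.CVE_2021_44228-9915814-0 (revision 0) -> -9915814-2 (revision 2).
SIG_RE = re.compile(r"^(?P<name>.+)-(?P<sig_id>\d+)-(?P<rev>\d+)$")
# clamscan reports detections as "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_signature(sig):
    """Split 'Java.Malware.CVE_2021_44228-9915814-0' into (name, 9915814, 0).

    Names without the -SigID-Revision suffix are returned unchanged with None
    for the ID and revision, so they are never treated as superseded.
    """
    m = SIG_RE.match(sig)
    if not m:
        return sig, None, None
    return m.group("name"), int(m.group("sig_id")), int(m.group("rev"))


def stale_detections(scan_lines, current_revisions):
    """Return {path: signature} for hits produced by a superseded revision.

    current_revisions maps signature ID -> revision shipped in the installed DB.
    """
    stale = {}
    for line in scan_lines:
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # "OK" lines and the summary block carry no detection
        _name, sig_id, rev = parse_signature(m.group("sig"))
        latest = current_revisions.get(sig_id)
        if latest is not None and rev is not None and rev < latest:
            stale[m.group("path")] = m.group("sig")
    return stale


# Constructed sample: clamscan output recorded before the database update.
SAMPLE_SCAN = [
    "/opt/app/lib/app-core.jar: Java.Malware.CVE_2021_44228-9915814-0 FOUND",
    "/opt/app/lib/log4j-core-2.14.1.jar: OK",
    "/srv/tools/loader.class: Exploit.CVE_2021_44228-9914600 FOUND",
    "/home/dev/build/Widget.class: Java.Malware.CVE_2021_44228-9915814-2 FOUND",
]
# Constructed assumption: revision of signature 9915814 in the updated daily DB.
CURRENT_REVISIONS = {9915814: 2}

if __name__ == "__main__":
    for path, sig in stale_detections(SAMPLE_SCAN, CURRENT_REVISIONS).items():
        print(f"re-scan {path} (detected by superseded {sig})")
```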