[clamav-users] false positives for firefox add-ons?
Hello altogether, :-)


perhaps there's someone here who can help me with a curious phenomenon.

Every now and then I scan the directory where all the firefox-related
files reside.
This is my command:


clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2


Until now I always received a message that no viruses or malicious files
were found.
Yesterday however (for the first time) I got this (haven't changed
anything since the last scan):



clamscan -i -r /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/

/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/54d09uby.default-release/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8619741
Engine version: 0.103.6
Scanned directories: 3315
Scanned files: 10867
Infected files: 7
Data scanned: 632.66 MB
Data read: 489.69 MB (ratio 1.29:1)
Time: 320.348 sec (5 m 20 s)
Start Date: 2022:06:24 16:36:42
End Date:   2022:06:24 16:42:02


Taking a closer look at the results it seems that some extensions for
firefox were suddenly regarded as a virus of some sort.
They all feature the .xpi extension:

.rw-r--r-- 609k rosika rosika 27 Mai 13:31 addon@darkreader.org.xpi
.rw------- 1,8M rosika rosika 14 Jul  2021 https-everywhere@eff.org.xpi
.rw------- 1,5M rosika rosika 20 Jul  2021 uMatrix@raymondhill.net.xpi
.rw-r--r-- 916k rosika rosika 30 Mai 14:44 {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Out of curiosity I submitted them to virustotal and got this:

1.) addon@darkreader.org.xpi:

1 security vendor and no sandboxes flagged this file as malicious (but
only 1 out of 58; perhaps a false positive there as well)


2.) https-everywhere@eff.org.xpi:

No security vendors and no sandboxes flagged this file as malicious (0 / 58)


3.) uMatrix@raymondhill.net.xpi:

No security vendors and no sandboxes flagged this file as malicious (0 / 58)


4.) {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

No security vendors and no sandboxes flagged this file as malicious (0 / 57)


Any ideas why clamscan suddenly marked these files as a virus? It seems
they're not (according to virustotal).

Thanks a lot in advance for your help.

Many greetings from Rosika  :-)




P.S.:

my system: Linux Lubuntu 20.04.4 LTS, 64 bit
Re: [clamav-users] false positives for firefox add-ons?
This was a false positive as discussed much earlier today on this very same list. It was corrected by a signature update over seven hours ago. Simply run freshclam and your curiosity will be history.

-Al-
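As an added example (not code from the thread, from the poster, or from the ClamAV project), here is a small Python helper that covers both the report above and Al's advice: it parses clamscan's `path: SIGNATURE FOUND` lines and the scan summary, shows why a batch of hits with one signature across one file type is the pattern worth a second look before assuming an infection, and diffs a run before and after `freshclam` to confirm that the detections were cleared by a database update rather than by anything else. The two scan outputs are constructed from the report in the thread (paths shortened, counts reduced to the lines shown); the function names and the "bad signature" heuristic are this example's own.

```python
"""Triage clamscan results and confirm that a signature update cleared them.

Added example, not code from the thread or from ClamAV. Both scan outputs
are constructed from the report in the thread (paths shortened).
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed: the scan that produced the hits (same format as `clamscan -i -r`).
BEFORE_RUN = """\
/media/rosika/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/addon@darkreader.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/https-everywhere@eff.org.xpi: Archive.Test.Agent2-9953724-0 FOUND
/media/rosika/DATEN-PARTITION/Dokumente/work2/.mozilla/firefox/b6j58n9u.default/extensions/uMatrix@raymondhill.net.xpi: Archive.Test.Agent2-9953724-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8619741
Engine version: 0.103.6
Scanned directories: 3315
Scanned files: 10867
Infected files: 3
Data scanned: 632.66 MB
Data read: 489.69 MB (ratio 1.29:1)
Time: 320.348 sec (5 m 20 s)
Start Date: 2022:06:24 16:36:42
End Date:   2022:06:24 16:42:02
"""

# Constructed: the same scan repeated after `freshclam` fetched the corrected database.
AFTER_RUN = """\

----------- SCAN SUMMARY -----------
Known viruses: 8619740
Engine version: 0.103.6
Scanned directories: 3315
Scanned files: 10867
Infected files: 0
Data scanned: 632.66 MB
Data read: 489.69 MB (ratio 1.29:1)
Time: 318.102 sec (5 m 18 s)
Start Date: 2022:06:25 12:01:10
End Date:   2022:06:25 12:06:28
"""

# One detection line is "<path>: <signature> FOUND". The path is matched greedily
# so a ':' inside a file name does not split it.
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.+)$")


def parse_clamscan(output):
    """Return (hits, summary): hits as a list of (path, signature), summary as a dict."""
    hits, summary, in_summary = [], {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----"):          # "----------- SCAN SUMMARY -----------"
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value").strip()
            continue
        m = HIT_RE.match(line)
        if m:                                  # "path: OK" lines (scans without -i) are ignored
            hits.append((m.group("path"), m.group("sig")))
    return hits, summary


def consistency_check(hits, summary):
    """The summary's 'Infected files' count should equal the number of FOUND lines parsed."""
    return int(summary.get("Infected files", "0")) == len(hits)


def triage(hits):
    """Count hits per signature name and per file suffix."""
    by_sig = Counter(sig for _, sig in hits)
    by_suffix = Counter(PurePosixPath(path).suffix.lower() for path, _ in hits)
    return by_sig, by_suffix


def looks_like_bad_signature(hits):
    """Heuristic (this example's own): several files, one signature, one file type.
    An infection rarely hits every file of one benign type at once; a signature
    that over-matches a container format does exactly that."""
    by_sig, by_suffix = triage(hits)
    return len(hits) > 1 and len(by_sig) == 1 and len(by_suffix) == 1


def cleared_by_update(before_hits, after_hits):
    """(path, signature) pairs flagged before the database update and gone afterwards."""
    return set(before_hits) - set(after_hits)


if __name__ == "__main__":
    before, before_sum = parse_clamscan(BEFORE_RUN)
    after, _ = parse_clamscan(AFTER_RUN)
    print("summary matches parsed hits:", consistency_check(before, before_sum))
    print("pattern suggests a bad signature:", looks_like_bad_signature(before))
    for path, sig in sorted(cleared_by_update(before, after)):
        print(f"cleared after update: {sig} on {PurePosixPath(path).name}")
```

clamscan loads the signature database at every start, so rerunning it after `freshclam` is enough to pick up the corrected signatures; a running clamd only sees them after its next database reload, which is what Ged's reply refers to. clamscan exits 0 when nothing was found, 1 when something was FOUND and 2 on errors, so a wrapper script can skip the parse entirely when the exit status is 0.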

Re: [clamav-users] false positives for firefox add-ons?
Hi there,

On Sat, 25 Jun 2022, Christian wrote:

> ...
> Archive.Test.Agent2-9953724-0 FOUND/
> ...

A false positive, as it turns out this is a signature which should never have been published:

https://lists.clamav.net/pipermail/clamav-users/2022-June/012731.html

It should go away on the next database reload.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] false positives for firefox add-ons?
Hi altogether,


thanks so much for your answers.  :-)

It's quite a relief to get a confirmation by you that the files I was
referring to were false positives indeed.
Thanks a lot.

@Al:

> This was a false positive as discussed much earlier today on this
very same list

Oh, I missed that. Sorry for the inconvenience.

In the meantime (after "freshclam") those files aren't recognized as
positives any longer. Great!

@Ged:

> It should go away on the next database reload.

Right. Everything's o.k. now.


Thanks again to all of you.

Many greetings
Rosika  :-)