micah anderson wrote:
Ok, so the *real* false positive I wanted to report earlier was confusing, because the entire issue is confusing. So have a look at this URL: http://micah.riseup.net/pastes/2010-02-26T112912
Hi Micah, Fixed (in the next update in about 30 mins)
Sanesecurity.Malware.10794 looks like this:

:ffff0000ffff7265706f7274726164696f2e636f6d

A couple of odd things to note here: 1. there are some weird characters at the beginning of the domain that is in that signature. The web page above may not represent them correctly, see for yourself when you run clamav-unofficial-sigs.sh -d on Sanesecurity.Malware.10794. Are these supposed to be there? Perhaps they are because this is meant to catch a binary of some sort?
The "code" at the beginning, i.e. "ffff0000ffff", means it's been reported as an FP and effectively removed. At a later date I'll go through them and remove it/replace it, totally.
3. More strange is that Sanesecurity.Junk.10689 has the same domain string in it, although without the odd binary characters at the front. Are these supposed to be duplicates? If so, the issue in #2 needs to be fixed in this signature as well.
The Junk signature has now been fixed as well.
What I think has happened with the Junk.xxxx signatures to confuse the situation, is that their position changed within the file, no doubt accidentally, as I usually keep them with the same line number.

What is going on here? I'm happy to provide any clarification, I'm sorry this is confusing, I tried to detail it as clearly as possible by separating out the issues.

If you grab the updates again, say in a couple of hours, try a re-scan on your samples and see if the problem has now been fixed.
Sorry again for the confusion, Cheers, Steve Sanesecurity
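
The following is an added example, not part of the original message and not Sanesecurity's own tooling: a check for the situation discussed above, where one signature carries the "ffff0000ffff" false-positive marker while another signature with the same body is still live. The `name:hexsig` line layout, the function names and the sample lines are assumptions made for illustration; only the marker and the hex string come from the message.

```python
from collections import defaultdict

FP_MARKER = "ffff0000ffff"  # prefix the message says marks a reported FP

# Constructed sample in an assumed "name:hexsig" layout. The hex body of the
# first two lines is the string quoted in the message; the third is made up.
SAMPLE = """\
Sanesecurity.Malware.10794:ffff0000ffff7265706f7274726164696f2e636f6d
Sanesecurity.Junk.10689:7265706f7274726164696f2e636f6d
Sanesecurity.Junk.99999:6578616d706c652e696e76616c6964
"""

def parse(text):
    """Yield (name, disabled, body_hex) for each 'name:hexsig' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, sig = line.rpartition(":")
        sig = sig.lower()
        disabled = sig.startswith(FP_MARKER)
        body = sig[len(FP_MARKER):] if disabled else sig
        yield name, disabled, body

def readable(body_hex):
    """Render a hex body as ASCII, with '.' for non-printable bytes."""
    try:
        raw = bytes.fromhex(body_hex)
    except ValueError:
        return body_hex  # not plain hex (e.g. wildcards): show it unchanged
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def live_duplicates(text):
    """Map each body that is FP-disabled in one signature but live in another."""
    groups = defaultdict(lambda: {"disabled": [], "live": []})
    for name, disabled, body in parse(text):
        groups[body]["disabled" if disabled else "live"].append(name)
    return {readable(body): g for body, g in groups.items()
            if g["disabled"] and g["live"]}

if __name__ == "__main__":
    # The marker bytes are non-printable, hence the odd leading characters.
    print("marker renders as:", readable(FP_MARKER))
    for body, g in live_duplicates(SAMPLE).items():
        print(f"{body!r}: disabled in {g['disabled']}, still live in {g['live']}")
```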