[sanesecurity] Re: Sanesecurity.Junk.11781.UNOFFICIAL

  • From: Steve Basford <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sat, 27 Feb 2010 11:23:53 +0000



micah anderson wrote:
> Ok, so the *real* false positive I wanted to report earlier was
> confusing, because the entire issue is confusing. So have a look at this
> URL:
>
> http://micah.riseup.net/pastes/2010-02-26T112912

Hi Micah,

Fixed (in the next update in about 30 mins)
> A couple of odd things to note here:
>
> 1. there are some weird characters at the beginning of the domain that
> is in that signature. The web page above may not represent them
> correctly, see for yourself when you run clamav-unofficial-sigs.sh -d on
> Sanesecurity.Malware.10794. Are these supposed to be there? Perhaps they
> are because this is meant to catch a binary of some sort?

Sanesecurity.Malware.10794 looks like this: :ffff0000ffff7265706f7274726164696f2e636f6d

The "code" at the beginning, i.e. "ffff0000ffff", means it's been reported as an FP and effectively removed.
At a later date I'll go through them and remove it/replace it, totally.

> 3. More strange is that Sanesecurity.Junk.10689 has the same domain
> string in it, although without the odd binary characters at the
> front. Are these supposed to be duplicates? If so, the issue in #2 needs
> to be fixed in this signature as well.

The Junk signature has now been fixed as well.
> What is going on here? I'm happy to provide any clarification, I'm sorry
> this is confusing, I tried to detail it as clearly as possible by
> separating out the issues.

What I think has happened with the Junk.xxxx signatures to confuse the situation is that their position changed within the file, no doubt accidentally, as I usually keep them on the same
line number.

If you grab the updates again, say in a couple of hours, try a re-scan on your samples and see if the problem has now been fixed.

Sorry again for the confusion,

Cheers,

Steve
Sanesecurity
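An added example, not code from the thread or from Sanesecurity: a small Python check that decodes hex signature bodies, recognises the "ffff0000ffff" false-positive marker Steve describes, and reports any live signature that still carries the same decoded pattern as a disabled one (the Malware/Junk pair Micah found). The ClamAV .ndb layout (Name:Target:Offset:HexSig) and the sample lines are assumptions; only the hex body of the Malware line is the one quoted above.

```python
import binascii
from string import hexdigits

# Prefix Steve describes: a hex body starting with this has been reported
# as a false positive and is effectively disabled, not yet deleted.
FP_MARKER = "ffff0000ffff"

# Constructed sample in .ndb layout (assumption); the Malware hex body is
# the one quoted in the thread, the Junk body is the same string without
# the marker, as Micah reported.
SAMPLE_NDB = """\
Sanesecurity.Malware.10794:0:*:ffff0000ffff7265706f7274726164696f2e636f6d
Sanesecurity.Junk.10689:0:*:7265706f7274726164696f2e636f6d
"""


def decode_hex_body(hexsig):
    """Decode a plain hex body to text; None if it holds wildcards (??, {n})."""
    if len(hexsig) % 2 or any(c not in hexdigits for c in hexsig):
        return None
    return binascii.unhexlify(hexsig).decode("latin-1")


def parse_ndb_line(line):
    """Split one .ndb line and strip the FP marker from its hex body."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    disabled = hexsig.lower().startswith(FP_MARKER)
    body = hexsig[len(FP_MARKER):] if disabled else hexsig
    return {"name": name, "target": target, "offset": offset,
            "fp_disabled": disabled, "pattern": decode_hex_body(body)}


def still_live_fp_patterns(ndb_text):
    """Return (disabled_name, live_name) pairs sharing one decoded pattern."""
    sigs = [parse_ndb_line(l) for l in ndb_text.splitlines()
            if l.strip() and not l.startswith("#")]
    by_pattern = {}
    for s in sigs:
        by_pattern.setdefault(s["pattern"], []).append(s)
    pairs = []
    for group in by_pattern.values():
        disabled = [s["name"] for s in group if s["fp_disabled"]]
        live = [s["name"] for s in group if not s["fp_disabled"]]
        pairs.extend((d, l) for d in disabled for l in live)
    return pairs


if __name__ == "__main__":
    for d, l in still_live_fp_patterns(SAMPLE_NDB):
        print(f"{d} is FP-disabled but {l} still carries the same pattern")
```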
