
Mailing List Archive: ClamAV: users

Re: Again False Positive for BC.Exploit.CVE_2012_1847 ?

 

 



david.alix at isc

May 23, 2012, 9:18 AM

Post #1 of 3 (523 views)
Re: Again False Positive for BC.Exploit.CVE_2012_1847 ?

Bytecode 184 went onto my system at 8:45 this morning. As of 9:05 I am
still getting BC_Exploit.CVE_2012_1847 rejections. I do not quarantine (I
reject) viruses, so I don't have a copy to send in.

Could this be a latency problem - could not all of the mimedefang.pl
daemons have picked up the new Bytecode? I have a minimum of 20 processes
running.

Thanks

David

--On Wednesday, May 23, 2012 11:38 AM -0400 Joel Esler
<jesler [at] sourcefire> wrote:

> I assume you've run freshclam since then. So, if so, then no.
>
> Please send the file into us via the clamav.net FP reporter, and email us
> back with the md5 and we'll take a look.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> On May 23, 2012, at 11:18 AM, Matthias Egger wrote:
>
>> Hello
>>
>> I have a quarantined (amavisd-new) email with an Excel attachment.
>> clamav thinks it matches against BC.Exploit.CVE_2012_1847
>>
>> Sophos doesn't complain, and when I send the Excel file to VirusTotal, no
>> other virus scanner complains about that.
>>
>> So is this the same problem we had on May 11th?
>>
>> Best regards
>> Matthias
>> --
>> Matthias Egger
>> ETH Zurich
>> Department of Information Technology maegger [at] ee
>> and Electrical Engineering
>> IT Support Group (ISG.EE), ETL/F/24.1 Phone +41 (0)44 632 03 90
>> Physikstrasse 3, CH-8092 Zurich Fax +41 (0)44 632 11 95
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>



___________________________________
David Alix
Information Systems and Computing
David.Alix [at] isc
(805)893-4456


david.alix at isc

May 23, 2012, 10:01 AM

Post #2 of 3 (509 views)
Re: Again False Positive for BC.Exploit.CVE_2012_1847 ? [In reply to]

It looks like it was a latency problem. Restarting my mimedefang daemon
fixed the problem.

Thanks

David


--On Wednesday, May 23, 2012 9:18 AM -0700 David Alix
<david.alix [at] isc> wrote:

> Bytecode 184 went onto my system at 8:45 this morning. As of 9:05 I am
> still getting BC_Exploit.CVE_2012_1847 rejections. I do not quarantine
> (I reject) viruses, so I don't have a copy to send in.
>
> Could this be a latency problem - could not all of the mimedefang.pl
> daemons have picked up the new Bytecode? I have a minimum of 20
> processes running.
>
> Thanks
>
> David
>
> --On Wednesday, May 23, 2012 11:38 AM -0400 Joel Esler
> <jesler [at] sourcefire> wrote:
>
>> I assume you've run freshclam since then. So, if so, then no.
>>
>> Please send the file into us via the clamav.net FP reporter, and email us
>> back with the md5 and we'll take a look.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>
>> On May 23, 2012, at 11:18 AM, Matthias Egger wrote:
>>
>>> Hello
>>>
>>> I have a quarantined (amavisd-new) email with an Excel attachment.
>>> clamav thinks it matches against BC.Exploit.CVE_2012_1847
>>>
>>> Sophos doesn't complain, and when I send the Excel file to VirusTotal, no
>>> other virus scanner complains about that.
>>>
>>> So is this the same problem we had on May 11th?
>>>
>>> Best regards
>>> Matthias
>>> --
>>> Matthias Egger
>>> ETH Zurich
>>> Department of Information Technology maegger [at] ee
>>> and Electrical Engineering
>>> IT Support Group (ISG.EE), ETL/F/24.1 Phone +41 (0)44 632 03 90
>>> Physikstrasse 3, CH-8092 Zurich Fax +41 (0)44 632 11 95
>>
>
>
>
> ___________________________________
> David Alix
> Information Systems and Computing
> David.Alix [at] isc
> (805)893-4456



___________________________________
David Alix
Information Systems and Computing
David.Alix [at] isc
(805)893-4456


jesler at sourcefire

May 24, 2012, 3:45 PM

Post #3 of 3 (422 views)
Re: Again False Positive for BC.Exploit.CVE_2012_1847 ? [In reply to]

On Wed, May 23, 2012 at 10:01:37AM -0700, David Alix wrote:
>
> It looks like it was a latency problem. Restarting my mimedefang
> daemon fixed the problem.
>



 
 

