clamav-users May 2014 archive

Re: [clamav-users] Unable to submit false positive for bug54682.phpt PHP.Exploit.CVE_2011_4153-3

From: Bill Bennert <bill_at_nospam>
Date: Fri May 09 2014 - 18:17:19 GMT
To: clamav-users@lists.clamav.net

Hi Alain,
  I greatly appreciate your time in confirming this. In response, I did
some additional research and understand that it is a true positive since
the file runs a test for that exact condition. Would white-listing it
using a file signature hash be a valid measure, or would that be a bad idea?
This is the first time I've encountered a true positive on a file I
would normally keep and want to make sure I handle it appropriately.

Thank you,
-Bill

On 05/09/2014 01:04 PM, Alain Zidouemba wrote:
> Bill,
>
> The ClamAV alert for the test file you provided is not a false positive. It
> is actually a true positive.
>
> - Alain
>
>
> On Fri, May 9, 2014 at 9:25 AM, Alain Zidouemba
> <azidouemba@sourcefire.com> wrote:
>
>> We are looking into it and will get back to you shortly.
>>
>> - Alain
>>
>>
>> On Fri, May 9, 2014 at 9:06 AM, Bill Bennert <bill@webreply.com> wrote:
>>
>>> The clamav false positive submission system will not accept my entry and
>>> says that it is not detected by ClamAV. This is not a virus, not
>>> malware, this is a PHP test file for the PHP source. The released
>>> version for my dist is 0.98.1 but the submission system said to use the
>>> latest version, so I compiled 0.98.3 and came up with the same results
>>> on the latest database. Now I'm posting here to hopefully get it into
>>> the false positive list upon confirmation. If this is not the right
>>> place to post it, please point me in the right direction. After a lot of
>>> searches I have been unable to find any other real reference to this
>>> issue.
>>>
>>> This is the test file in the PHP git repository.
>>> https://github.com/php/php-src/blob/master/ext/tidy/tests/bug54682.phpt
>>>
>>> Adding the -z flag to clamscan will make it visible. With no options
>>> clamscan sees the file as OK.
>>>
>>> $ clamscan -z /opt/wr-php/php-src/ext/tidy/tests/bug54682.phpt
>>> /opt/wr-php/php-src/ext/tidy/tests/bug54682.phpt:
>>> PHP.Exploit.CVE_2011_4153-3 FOUND
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 3358731
>>> Engine version: 0.98.1
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 1
>>> Data scanned: 0.00 MB
>>> Data read: 0.00 MB (ratio 0.00:1)
>>> Time: 10.410 sec (0 m 10 s)
>>>
>>> The only other possible record of this issue I was able to find is the
>>> following. No guarantee it's actually related, since the thread dies
>>> almost instantly with no resolution:
>>> http://www.gossamer-threads.com/lists/clamav/users/56288
>>>
>>> Thank you for your help,
>>> -Bill
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> http://www.clamav.net/support/ml
>>>
>>

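Bill asks above whether white-listing the test file by its hash is a valid measure. The script below is an added example, not code from the thread or from the ClamAV project, showing how such an entry is built in ClamAV's `.fp` hash whitelist format (`MD5:size:name`, the same line `sigtool --md5 FILE` prints); the database directory path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): build a ClamAV .fp (false-positive)
# whitelist entry for one exact file revision. ClamAV loads any .fp file
# placed in its database directory; the path below is an assumption, check
# `clamconf` for the real one on your system.
CLAMDB_DIR="${CLAMDB_DIR:-/var/lib/clamav}"   # assumed path

# MD5 of a file, using md5sum where available and openssl as a fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Print the .fp line "MD5:size:name" for FILE, labelled with the signature
# name clamscan reported (e.g. PHP.Exploit.CVE_2011_4153-3).
fp_entry() {
    f=$1; name=$2
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$(file_md5 "$f")" "$size" "$name"
}

# Append the entry to a local whitelist database and re-scan the file.
# -z (as used in the thread) keeps scanning after the first match, so the
# re-scan shows whether anything else in the file still triggers.
whitelist_file() {
    f=$1; name=$2; db="$CLAMDB_DIR/local-whitelist.fp"
    fp_entry "$f" "$name" >> "$db"
    clamscan -z "$f"
}

if [ $# -ge 2 ]; then
    whitelist_file "$1" "$2"
fi
```

An `.fp` entry suppresses the alert only for that exact content: any change to bug54682.phpt (a new PHP release, for instance) gives a new hash and the alert returns until the entry is regenerated. Because the entry silences a signature that legitimately matches, keep the whitelist file under change control and review it whenever the signature or the file changes.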