clamav-users May 2014 archive

Re: [clamav-users] Osx.Trojan.FkCodec-1 False Positives

From: Alain Zidouemba <azidouemba_at_nospam>
Date: Mon May 12 2014 - 14:41:30 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>

Thanks for sending this in. We are addressing your reported FP.

- Alain

On Sat, May 10, 2014 at 12:24 AM, Al Varnell <alvarnell@mac.com> wrote:

> Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg which apparently
> has an MD5 = efddf96af90be02bcc9e37cbc21c34a6
> <https://www.virustotal.com/en/file/c3707dd14b766fd5d19daddf19cf57e980ffaa81fec3bec3e4de47bbf7419118/analysis/>.
>
> I asked the OP to upload it to Send a false positive, but not sure they
> will be able to.
>
> -Al-
>
> On May 9, 2014, at 7:53 PM, Al Varnell <alvarnell@mac.com> wrote:
>
> > I don’t have all the information on this yet, but I’ve had two ClamXav
> > users complain today of commercial software being identified as infected by
> > Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but
> > perhaps it was just added today.
> >
> > The first is "accordion.1.6.2(83).dmg", downloaded from
> > <http://yourhead.com/accordion/download/index.html>, which I verified was
> > identified. It’s a RapidWeaver Plug-in from YourHead.com.
> >
> > I submitted it to VirusTotal with the following 1/51 results:
> > <https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>.
> >
> > So I uploaded it to Send a false positive report, but got the following
> > response:
> >> Result:
> >> This file is not detected by ClamAV. Please update your CVD database
> >> before reporting false-positives. If you are using third-party
> >> databases/unofficial signatures, please contact the author of the
> >> signature. We can only process false-positives generated by ClamAV Official
> >> signatures.
> >>
> >> Please correct the above errors and retry. Thank you for helping the
> >> ClamAV project.
> >
> > I updated definitions and it was still detected as infected. ClamXav is
> > still using v0.98.1. I’ve had this happen once before, but have no idea
> > how it could test positive on two Macs and VirusTotal, but not on your site.
> >
> > MD5 = f247e5f45b7a30ce600be34e66d93fa8
> >
> > The second file is named "Rapport-5.dmg", which is an older version of
> > Trusteer Rapport for Mac. The latest version does not test positive, but
> > that’s not surprising to me. I’ve asked the user to upload his file to
> > VirusTotal and will post the results once I have them.
> >
> > This is yet another example of OS X .dmg files being falsely identified
> > as infected. All of these signatures follow the same pattern of detecting
> > multiple strings of characters (mostly the letter “a”) contained in an XML
> > section of the .dmg file. I believe this is provided as overhead
> > information concerning the file and does not contain any data at all to
> > positively identify the contents of the image file. Since the formats of
> > the XML portion of the .dmg files are all very similar, I suspect it will
> > be extremely difficult to uniquely fingerprint such files by using XML
> > strings.
> >
> >
> > -Al-
> > --
> > Al Varnell
> > Mountain View, CA
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>
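Al's last paragraph above describes signatures that key on repeated letters inside the XML property list that a .dmg carries. The script below is an added example, not code from this thread, from ClamAV or from ClamXav. It constructs two small UDIF-style images with unrelated payloads, locates each image's XML plist through the trailing koly header, and shows that a signature drawn from the XML region (a run of one repeated character, standing in for the strings Al mentions; the example's run is uppercase "A" because that is what base64 makes of zero bytes) fires on both images while only the payloads differ. Assumptions are labelled in the code: the koly trailer layout (XMLOffset/XMLLength as big-endian 64-bit integers at byte 216) and a simplified block-map table in place of the real one.

```python
"""Added example (not from the thread, ClamAV or ClamXav): two constructed
UDIF-style .dmg images with unrelated payloads but the same kind of XML block
map. A content signature drawn from the XML region fires on both; only the
payloads tell them apart."""
import base64
import hashlib
import plistlib
import struct

KOLY_SIZE = 512      # assumption: standard 512-byte 'koly' trailer at end of file
XML_FIELDS_AT = 216  # assumption: XMLOffset/XMLLength, big-endian uint64 pair
SECTOR = 512


def block_table(chunks):
    """Simplified stand-in for the real block map ('mish' table): a header, one
    40-byte entry per (start_sector, sector_count) chunk, and a terminator.
    The entries are mostly zero-padded 64-bit integers, so their base64 form
    looks alike no matter what the image holds."""
    total = sum(count for _, count in chunks)
    table = b"mish" + struct.pack(">IQQ", 1, 0, total)
    for start, count in chunks:
        table += struct.pack(">IIQQQQ", 1, 0, start, count,
                             start * SECTOR, count * SECTOR)
    return table + struct.pack(">IIQQQQ", 0xFFFFFFFF, 0, total, 0, total * SECTOR, 0)


def build_image(payload, chunks):
    """Payload (zero-padded to the chunk layout), XML plist carrying the base64
    block table as a <data> element, then a koly trailer with only the fields
    this example reads filled in."""
    payload = payload.ljust(sum(count for _, count in chunks) * SECTOR, b"\0")
    data = base64.b64encode(block_table(chunks)).decode()
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict><key>resource-fork</key><dict>'
        '<key>blkx</key><array><dict><key>Name</key><string>whole disk</string>'
        f'<key>Data</key><data>{data}</data></dict></array>'
        '</dict></dict></plist>\n'
    ).encode()
    trailer = bytearray(KOLY_SIZE)
    trailer[:4] = b"koly"
    struct.pack_into(">II", trailer, 4, 4, KOLY_SIZE)          # version, header size
    struct.pack_into(">QQ", trailer, XML_FIELDS_AT, len(payload), len(xml))
    return payload + xml + bytes(trailer)


def extract_xml(image):
    """Locate the XML property list through the trailing koly header, refusing
    offsets that point outside the image."""
    trailer = image[-KOLY_SIZE:]
    if trailer[:4] != b"koly":
        raise ValueError("no koly trailer")
    off, length = struct.unpack_from(">QQ", trailer, XML_FIELDS_AT)
    if off + length > len(image) - KOLY_SIZE:
        raise ValueError("XML range points outside the image")
    return image[off:off + length]


def data_fork(image):
    """Everything before the XML section: the actual disk contents."""
    off, _ = struct.unpack_from(">QQ", image[-KOLY_SIZE:], XML_FIELDS_AT)
    return image[:off]


def run_signature(char, min_len):
    """Naive content signature: 'at least min_len consecutive char bytes'.
    Stands in for the repeated-letter strings the thread describes."""
    needle = char * min_len
    return lambda blob: needle in blob


def hit_rate(signature, corpus):
    """Share of a (benign) corpus whose XML section matches the signature;
    the check to run before shipping a signature that keys on this region."""
    return sum(1 for img in corpus if signature(extract_xml(img))) / len(corpus)


# Constructed inputs: unrelated payloads and different chunk layouts.
IMAGE_A = build_image(b"plug-in sample bytes, image A\n" * 40, [(0, 8), (8, 8)])
IMAGE_B = build_image(b"installer sample bytes, image B\n" * 90, [(0, 16), (16, 4)])
XML_SIG = run_signature(b"A", 16)   # 'AAAA' is base64 for three zero bytes


def evaluate():
    """Apply the XML-region signature to both images and compare payloads."""
    xml_a, xml_b = extract_xml(IMAGE_A), extract_xml(IMAGE_B)
    parsed = plistlib.loads(xml_a)["resource-fork"]["blkx"][0]["Data"]
    return {
        "plist_roundtrip": parsed == block_table([(0, 8), (8, 8)]),
        "xml_hit_a": XML_SIG(xml_a),
        "xml_hit_b": XML_SIG(xml_b),
        "payload_hit_a": XML_SIG(data_fork(IMAGE_A)),
        "payloads_differ": hashlib.sha256(data_fork(IMAGE_A)).digest()
        != hashlib.sha256(data_fork(IMAGE_B)).digest(),
        "corpus_hit_rate": hit_rate(XML_SIG, [IMAGE_A, IMAGE_B]),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The `hit_rate` check is the practical takeaway: a candidate signature that reads from the XML block map should be run over a corpus of known-clean images before release, and a high hit rate there is the false positive the thread reports, found before users do.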