It is not the CVD files. The versions you list are the same versions as we
have up to date [and the daily.cvd is 15708]. I'd wager there is some kind
of non-default scan option that is changing the results.

So let's try the easiest one first: how big is the file? If you have raised
it past the filescan max size, then default installations will skip it and
report OK.

Also, can you tell me what your clamscan settings or clamd.conf file
settings are?

Dave R.

On Mon, Dec 10, 2012 at 9:52 AM, Matthias Egger <maeg...@ee.ethz.ch> wrote:

> Hello List
>
> I have a zip file containing a .pptx file which ClamAV claims to be
> "BC.Exploit.CVE_2012_1885-1". But virustotal and virscan.org have no
> complaints at all.
>
> https://www.virustotal.com/file/09c5de164928c88b6ee370677242a4d69a00a88ecbd044af656f17fc54665fea/analysis/1355131094/
>
> http://r.virscan.org/report/45504bdcc2b03dc967c5fedc3e609c4c.html
>
> Therefore I believe it is a false positive. But:
>
> http://www.clamav.net/lang/en/sendvirus/submit-fp
>
> tells me:
>
> ------------------------------
> Result:
> This file is not detected by ClamAV. Please update your CVD database
> before reporting false-positives. If you are using third-party
> databases/unofficial signatures, please contact the author of the
> signature. We can only process false-positives generated by ClamAV Official
> signatures.
>
> Please correct the above errors and retry. Thank you for helping the
> ClamAV project.
> ------------------------------
>
> * ClamAV 0.97.6/15708/Mon Dec 10 04:27:19 2012
>
> * bytecode.cvd: Clam AntiVirus database 07 Dec 2012 11-56 -0500, version
> 203, gzipped
> * daily.cvd:    Clam AntiVirus database 09 Dec 2012 22-27 -0500, version
> 1570, gzipped
> * main.cvd:     Clam AntiVirus database 11 Oct 2011 10-34 -0400, version
> 54, gzipped
>
>
> * Here some Debug Output
> LibClamAV debug: Bytecode found virus: BC.Exploit.CVE_2012_1885-1
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: BC.Exploit.CVE_2012_1885-1 found in descriptor 4
> LibClamAV debug: FP SIGNATURE: 5f0acbdb343776f56a64efae302cb581:177664:BC.Exploit.CVE_2012_1885-1
> LibClamAV debug: cli_magic_scandesc: returning 1  at line 2388
> LibClamAV debug: FP SIGNATURE: c7054cb8e0d78fbb65929c5fbed889ab:22415087:BC.Exploit.CVE_2012_1885-1
> LibClamAV debug: cli_magic_scandesc: returning 1  at line 2350
>
> Can somebody tell me anything more?
>
> Best regards
> Matthias
> --
> Matthias Egger
> ETH Zurich
> Department of Information Technology          maeg...@ee.ethz.ch
> and Electrical Engineering
> IT Support Group (ISG.EE), ETL/F/24.1         Phone +41 (0)44 632 03 90
> Physikstrasse 3, CH-8092 Zurich               Fax   +41 (0)44 632 11 95
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>



-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
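
The size question in the reply can be checked against the debug output quoted in the thread: each "FP SIGNATURE" line carries md5:size:name for a scanned object. The following is an added example, not part of the original thread and not ClamAV code; the limit values passed to it are hypothetical, and it assumes an object is skipped when its size is larger than the limit.

```python
import re
from typing import List, NamedTuple

# The debug lines quoted in the thread, with the mail line wraps rejoined.
SAMPLE_DEBUG = """\
LibClamAV debug: Bytecode found virus: BC.Exploit.CVE_2012_1885-1
LibClamAV debug: BC.Exploit.CVE_2012_1885-1 found in descriptor 4
LibClamAV debug: FP SIGNATURE: 5f0acbdb343776f56a64efae302cb581:177664:BC.Exploit.CVE_2012_1885-1
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2388
LibClamAV debug: FP SIGNATURE: c7054cb8e0d78fbb65929c5fbed889ab:22415087:BC.Exploit.CVE_2012_1885-1
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2350
"""

# Record layout: "FP SIGNATURE: <md5>:<size in bytes>:<signature name>"
FP_RE = re.compile(r"FP SIGNATURE:\s*([0-9a-fA-F]{32}):(\d+):(\S+)")
UNITS = {"K": 1024, "M": 1024 * 1024}


class FpEntry(NamedTuple):
    md5: str
    size: int
    name: str


def parse_fp_signatures(debug_text: str) -> List[FpEntry]:
    """Extract every FP SIGNATURE record from libclamav debug output."""
    return [FpEntry(m.group(1).lower(), int(m.group(2)), m.group(3))
            for m in FP_RE.finditer(debug_text)]


def parse_size(value: str) -> int:
    """Convert a size such as '25M', '512k' or '1048576' to bytes."""
    value = value.strip()
    suffix = value[-1:].upper()
    if suffix in UNITS:
        return int(value[:-1]) * UNITS[suffix]
    return int(value)


def over_limit(entries: List[FpEntry], max_filesize: str) -> List[FpEntry]:
    """Objects a scanner with this limit would skip (assumed: size > limit)."""
    limit = parse_size(max_filesize)
    return [e for e in entries if e.size > limit]


if __name__ == "__main__":
    entries = parse_fp_signatures(SAMPLE_DEBUG)
    for limit in ("20M", "25M"):  # hypothetical limits, for comparison only
        skipped = over_limit(entries, limit)
        print(limit, [f"{e.md5}:{e.size}" for e in skipped] or "nothing skipped")
```
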