On Tuesday 08 April 2014 21:08:34 Al Varnell did opine:

> A ClamXav user contacted me today that the software he developed,
> packaged and posted as a .dmg image file had been falsely identified as
> Osx.Trojan.Genieo. I believe he had already submitted it to you a few
> days ago, but I took the time to verify and upload it again just to be
> certain. The file name is CloudCompare-2.5.0.dmg with
> MD5=b26d6ac32713795bcdb5f36bb52607a1.
> 
> This is one of several .dmg files that have been found recently that
> were falsely identified as an infection where the signature is based on
> patterns found in an XML section of the .dmg. I believe this section to
> be overhead information associated with the .dmg itself, unrelated to
> the contents of the mounted image. In examining the XML I notice that
> they are all very similar in both format and content, prominently
> filled with the letter “A”. I believe all the signatures to have been
> produced by the new automated system used with OSX samples a couple of
> months ago. It’s probably too early to conclude that the automated
> process is inadequate to handle .dmg files, but suggest that it be
> looked at. Signature writing is not something I can claim any
> experience with, just an observation on my part.
> 
> 
> -Al-

I believe this to be an FP; my daily run identified that as being part of 
both the 1.3.8 and 1.4.0 versions of rkhunter.tar.gz.  Those 2 archives 
have been sitting on my drive for yonks/years, but this morning is the 
first time it was triggered.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
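Added example, not from this thread or from ClamAV: a Python check that reads the 512-byte "koly" trailer at the end of a .dmg to locate the XML property list, so an analyst can tell whether a signature hit lands in that metadata plist rather than in the data fork that holds the mounted image's contents. The image bytes are constructed inline (a synthetic UDIF-shaped file, not a real disk image); the long runs of "A" seen in such plists are what base64 produces from zero-filled block tables, which is the assumption the sample is built on.

```python
import base64
import struct

KOLY_SIZE = 512  # the UDIF "koly" trailer is always the last 512 bytes of a .dmg


def build_sample_dmg() -> bytes:
    """Construct a minimal UDIF-shaped file: data fork, XML plist, koly trailer.
    Synthetic sample for the checks below, not a real disk image."""
    data_fork = b"\xAA" * 4096                    # stands in for the image payload
    blkx = base64.b64encode(b"\x00" * 384)        # zero-filled block table -> run of 'A'
    plist = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
             b"<key>resource-fork</key><dict><key>blkx</key><array><dict>"
             b"<key>Data</key><data>" + blkx + b"</data></dict></array></dict></dict></plist>\n")
    trailer = bytearray(KOLY_SIZE)
    trailer[0:4] = b"koly"
    struct.pack_into(">III", trailer, 4, 4, KOLY_SIZE, 1)    # version, header size, flags
    struct.pack_into(">QQ", trailer, 24, 0, len(data_fork))  # data fork offset / length
    struct.pack_into(">QQ", trailer, 216, len(data_fork), len(plist))  # XML offset / length
    return data_fork + plist + bytes(trailer)


def plist_region(image: bytes) -> tuple:
    """Return (offset, length) of the XML plist recorded in the koly trailer."""
    trailer = image[-KOLY_SIZE:]
    if len(trailer) != KOLY_SIZE or trailer[:4] != b"koly":
        raise ValueError("no UDIF koly trailer found")
    xml_off, xml_len = struct.unpack_from(">QQ", trailer, 216)
    if xml_off + xml_len > len(image) - KOLY_SIZE:
        raise ValueError("plist region exceeds file bounds")
    return xml_off, xml_len


def classify_offset(image: bytes, hit: int) -> str:
    """Name the part of the .dmg a byte offset (e.g. a signature hit) falls in."""
    xml_off, xml_len = plist_region(image)
    if hit >= len(image) - KOLY_SIZE:
        return "koly-trailer"
    if xml_off <= hit < xml_off + xml_len:
        return "xml-plist"
    return "data-fork"


def a_fraction(image: bytes) -> float:
    """Share of 'A' bytes in the plist region (base64 of zero bytes is 'AAAA')."""
    off, length = plist_region(image)
    region = image[off:off + length]
    return region.count(b"A") / len(region)


if __name__ == "__main__":
    img = build_sample_dmg()
    off, length = plist_region(img)
    print(f"plist at {off}+{length}; hit@{off + 40} -> {classify_offset(img, off + 40)}; "
          f"'A' share {a_fraction(img):.2f}")
```

A hit that classifies as "xml-plist" in a real image is a strong hint that the pattern came from block-table metadata rather than from any file inside the mounted volume.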