On Tue, Apr 08, 2014 at 06:38 PM, Gene Heskett wrote:
>
> On Tuesday 08 April 2014 21:36:21 Gene Heskett did opine:
>
>> On Tuesday 08 April 2014 21:08:34 Al Varnell did opine:
>>> A ClamXav user contacted me today that the software he developed,
>>> packaged and posted as a .dmg image file had been falsely identified
>>> as Osx.Trojan.Genieo. I believe he had already submitted it to you a
>>> few days ago, but I took the time to verify and upload it again just
>>> to be certain. The file name is CloudCompare-2.5.0.dmg with
>>> MD5=b26d6ac32713795bcdb5f36bb52607a1.
>>>
>>> This is one of several .dmg files that have been found recently that
>>> were falsely identified as infected, where the signature is based on
>>> patterns found in an XML section of the .dmg. I believe this section
>>> to be overhead information associated with the .dmg itself, unrelated
>>> to the contents of the mounted image. In examining the XML I notice
>>> that they are all very similar in both format and content,
>>> prominently filled with the letter “A”. I believe all the signatures
>>> to have been produced by the new automated system used with OSX
>>> samples a couple of months ago. It’s probably too early to conclude
>>> that the automated process is inadequate to handle .dmg files, but I
>>> suggest that it be looked at. Signature writing is not something I
>>> can claim any experience with; this is just an observation on my part.
>>>
>>>
>>> -Al-
>>
>> I believe this to be an FP; my daily run identified that as being part
>> of both the 1.3.8 and 1.4.0 versions of rkhunter.tar.gz. Those 2
>> archives have been sitting on my drive for yonks/years, but this
>> morning is the first time it was triggered.
The CloudCompare issue was apparently cleared up this afternoon by the removal of that signature from the ClamAV® database.

> I was mistaken because the names were so similar. It was:
>
> /home/gene/Download/rkhunter-1.4.0.tar.gz: Osx.Worm.Inqtana-3 FOUND
>
> which was also reported for the tarball.gz of 1.3.8 in that same directory.

I see why. rkhunter has tests for OSX Inqtana, and Variants A & B look for the same two ASCII strings as the ClamAV® signature you mentioned. I’m going to obfuscate them slightly to prevent this message from being identified, but they are:

worms.love.apples
worm-support

Just substitute “0” for “o” in worm.

-Al-
-- 
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
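The two false positives discussed in this thread have the same root cause: a content signature built from bytes that are not unique to the malware. A detection tool such as rkhunter must carry the Inqtana indicator strings in its own source, so a signature on those strings fires on the tool; and the XML plist inside a .dmg holds base64-encoded data in which zero-filled padding becomes a run of the letter "A", so a signature lifted from one image's plist matches unrelated images. The following is an added example written for this thread, not ClamAV or rkhunter code. It mimics just enough of two ClamAV database formats to show the effect: .ndb body signatures (Name:TargetType:Offset:HexSig) and .fp whitelist entries (MD5:FileSize:Name). Every sample file, the rkhunter-like shell snippet and the signature names ending in ".Toy" are constructed here, and the indicator strings are taken from the message above in its obfuscated form and de-obfuscated at runtime exactly as Al describes.

```python
"""Toy reconstruction of the two false-positive mechanisms in this thread.
Added example, not ClamAV or rkhunter code; the scanner only mimics the
.ndb (Name:TargetType:Offset:HexSig) and .fp (MD5:FileSize:Name) formats.
All samples, the rkhunter-like script and the '.Toy' signatures are constructed."""
import base64
import hashlib

# The thread gives the strings with "o" in place of "0" in "worm"; undo that
# at runtime so the real indicator never appears literally in this file.
INQTANA_STRINGS = [s.replace("worm", "w0rm")
                   for s in ("worms.love.apples", "worm-support")]


def hexsig(raw):
    """Hex-encode bytes the way an .ndb signature body is written."""
    return raw.hex()


def parse_ndb(db_text):
    """Parse .ndb lines. This toy only supports target type 0 (any file)
    and offset '*' (match anywhere), which is all the demo needs."""
    sigs = []
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, body = line.split(":", 3)
        if target != "0" or offset != "*":
            raise ValueError("toy parser handles only '0:*' signatures")
        sigs.append((name, bytes.fromhex(body)))
    return sigs


def parse_fp(db_text):
    """Parse .fp whitelist lines into a set of (md5, size)."""
    whitelist = set()
    for line in db_text.splitlines():
        if line.strip():
            md5, size, _name = line.split(":", 2)
            whitelist.add((md5.lower(), int(size)))
    return whitelist


def fp_entry(data, name):
    """Build the .fp line that whitelists exactly this file (MD5 plus size)."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def scan(data, sigs, whitelist):
    """Names of signatures whose byte pattern occurs in data, unless the
    whole file is whitelisted by MD5 and size (which is how .fp works)."""
    if (hashlib.md5(data).hexdigest(), len(data)) in whitelist:
        return []
    return [name for name, pattern in sigs if pattern in data]


# --- constructed samples -------------------------------------------------
# Stand-in for an rkhunter-style Inqtana check (not rkhunter's real code):
# the checker has to contain the indicator, so a signature on it matches here.
RKHUNTER_LIKE_TEST = (
    "#!/bin/sh\n"
    "# constructed stand-in for an rkhunter Inqtana test\n"
    "for f in /Users/*/Library/LaunchAgents/*; do\n"
    "  grep -q '" + INQTANA_STRINGS[0] + "' \"$f\" 2>/dev/null && echo \"Warning: $f\"\n"
    "done\n"
).encode()

# Constructed stand-in for the worm itself, carrying both strings.
WORM_LIKE_SAMPLE = (b"\x00" * 8 + INQTANA_STRINGS[1].encode()
                    + b"\x00" + INQTANA_STRINGS[0].encode())


def dmg_plist(uuid):
    """Constructed fragment of the XML plist a .dmg carries. <data> holds
    base64, and zero-filled padding encodes as 'AAAA...', which is why the
    XML sections of unrelated images look alike."""
    padding = base64.b64encode(b"\x00" * 48).decode()
    return ('<plist version="1.0"><dict><key>ID</key><string>%s</string>'
            '<key>Data</key><data>%s</data></dict></plist>' % (uuid, padding)).encode()


NDB_DB = "\n".join([
    "# constructed signatures modelled on the two FPs in the thread",
    "Osx.Worm.Inqtana.Toy:0:*:" + hexsig(INQTANA_STRINGS[0].encode()),
    # what an automated generator might lift from one sample's XML section
    "Osx.Trojan.Genieo.Toy:0:*:" + hexsig(b"<data>" + b"A" * 16),
])


def run_demo():
    """Scan the samples before and after whitelisting the rkhunter-like file.
    Returns (hits_before, hits_after): dicts of sample name -> signature names."""
    sigs = parse_ndb(NDB_DB)
    samples = {
        "rkhunter-like.sh": RKHUNTER_LIKE_TEST,
        "inqtana-like.bin": WORM_LIKE_SAMPLE,
        "CloudCompare-like.dmg.xml": dmg_plist("0001-CONSTRUCTED"),
        "OtherApp-like.dmg.xml": dmg_plist("0002-CONSTRUCTED"),
    }
    before = {n: scan(d, sigs, set()) for n, d in samples.items()}
    whitelist = parse_fp(fp_entry(RKHUNTER_LIKE_TEST, "rkhunter-like.sh"))
    after = {n: scan(d, sigs, whitelist) for n, d in samples.items()}
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for name in before:
        print("%-26s before: %-26s after: %s" % (name, before[name], after[name]))
```

Both toy signatures hit the benign samples as well as the "malicious" one: the rkhunter-like script fires on the Inqtana signature, and a second, unrelated plist fires on the signature lifted from the first. The .fp whitelist removes the hit on the one exact file it names and nothing else, which is why it would not have helped Gene, whose 1.3.8 and 1.4.0 tarballs both triggered: a whitelist scoped by MD5 covers one file, whereas the problem is the signature's choice of bytes. Dropping or tightening the signature, as was done for the CloudCompare detection, is the fix that scales.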