I don’t have all the information on this yet, but I’ve had two ClamXav users complain today of commercial software being identified as infected by Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but perhaps it was just added today.

The first is "accordion.1.6.2(83).dmg", downloaded from <http://yourhead.com/accordion/download/index.html>, which I verified was identified. It’s a RapidWeaver Plug-in from YourHead.com. I submitted it to VirusTotal with the following 1/51 results: <https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>. So I uploaded it to "Send a false positive report", but got the following response:

> Result:
> This file is not detected by ClamAV. Please update your CVD database before
> reporting false-positives. If you are using third-party databases/unofficial
> signatures, please contact the author of the signature. We can only process
> false-positives generated by ClamAV Official signatures.
>
> Please correct the above errors and retry. Thank you for helping the ClamAV
> project.

I updated definitions and it was still detected as infected. ClamXav still using v0.98.1. I’ve had this happen once before, but have no idea how it could test positive on two Macs and VirusTotal, but not on your site.

MD5 = f247e5f45b7a30ce600be34e66d93fa8

The second file is named "Rapport-5.dmg", which is an older version of Trusteer Rapport for Mac. The latest version does not test positive, but that’s not surprising to me. I’ve asked the user to upload his file to VirusTotal and will post the results once I have them.

This is yet another example of OS X .dmg files being falsely identified as infected. All of these signatures follow the same pattern of detecting multiple strings of characters (mostly the letter "a") contained in an XML section of the .dmg file. I believe this is provided as overhead information concerning the file and does not contain any data at all to positively identify the contents of the image file. Since the formats of the XML portion of the .dmg files are all very similar, I suspect it will be extremely difficult to uniquely fingerprint such files by using XML strings.
-Al-
--
Al Varnell
Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
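The post's hypothesis is that these signatures fire on long runs of a repeated character inside the XML property list that a .dmg carries as overhead, rather than on the image contents. Below is an added triage script, not code from the original post and not part of ClamAV or ClamXav, that an analyst can run over a file suspected of being a false positive: it computes the MD5/SHA-256 (to match against a VirusTotal report), locates the embedded XML plist by its `<?xml` ... `</plist>` markers, finds runs of one repeated byte, and reports which runs fall inside the XML region versus the binary image data. The sample input is a constructed stand-in for a .dmg tail, not a real image, and the function names are my own.

```python
import hashlib
import re

# Constructed sample: a stand-in for the tail of a .dmg that carries an XML
# property list. This is NOT a real disk image; the nul bytes stand in for
# binary image data and the run of "a" characters is placed inside the plist
# only to illustrate the check described in the post.
SAMPLE_DMG = (
    b"\x00" * 64
    + b"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    + b"<plist version=\"1.0\"><dict><key>resource-fork</key><dict>"
    + b"<key>blkx</key><array><dict><key>Data</key><data>\n"
    + b"a" * 72 + b"\n"
    + b"</data></dict></array></dict></dict></plist>\n"
    + b"\x00" * 32
)


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the file, for matching against a VirusTotal report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def xml_region(data: bytes):
    """Byte offsets (start, end) of the embedded XML plist, or None if absent."""
    start = data.find(b"<?xml")
    if start < 0:
        return None
    end = data.find(b"</plist>", start)
    if end < 0:
        return None
    return start, end + len(b"</plist>")


def char_runs(data: bytes, min_len: int = 16):
    """Runs of a single repeated byte at least min_len long.

    Returns a list of (offset, byte, length). DOTALL lets '.' match newlines
    and nul bytes so binary regions are scanned too.
    """
    pattern = rb"(.)\1{%d,}" % (min_len - 1)
    return [(m.start(), m.group(1), len(m.group(0)))
            for m in re.finditer(pattern, data, re.DOTALL)]


def triage(data: bytes, min_len: int = 16) -> dict:
    """Split repeated-byte runs by whether they sit inside the XML overhead.

    A detection whose matched strings all lie in the XML region is the
    pattern the post describes: content shared by many legitimate images,
    and therefore a weak fingerprint.
    """
    region = xml_region(data)
    in_xml, outside = [], []
    for run in char_runs(data, min_len):
        off = run[0]
        if region and region[0] <= off < region[1]:
            in_xml.append(run)
        else:
            outside.append(run)
    return {"hashes": hashes(data), "xml_region": region,
            "runs_in_xml": in_xml, "runs_outside_xml": outside}


if __name__ == "__main__":
    import sys
    # Usage: python triage.py [file.dmg]; with no argument the constructed
    # sample is analysed.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DMG
    report = triage(blob)
    print("md5   ", report["hashes"]["md5"])
    print("sha256", report["hashes"]["sha256"])
    print("xml region:", report["xml_region"])
    for off, byte, length in report["runs_in_xml"]:
        print(f"  in XML : offset {off} byte {byte!r} x{length}")
    for off, byte, length in report["runs_outside_xml"]:
        print(f"  outside: offset {off} byte {byte!r} x{length}")
```

On the constructed sample the only run of the letter "a" is reported inside the XML region, while the nul runs fall outside it. Run against a real image flagged by a string signature, the same split shows whether the matched material is the plist overhead the post suspects, which is the evidence to attach to a false-positive report alongside the hashes.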