Alain,

Thanks.  I’m particularly interested in why the "Submit false positive report" 
fails.  I checked back and found the same thing happened with a different file 
and this same infection name a month or so ago.

-Al-


On Mon, May 12, 2014 at 07:41 AM, Alain Zidouemba wrote:
> 
> Thanks for sending this in. We are addressing your reported FP.
> 
> - Alain
> 
> 
> On Sat, May 10, 2014 at 12:24 AM, Al Varnell <alvarn...@mac.com> wrote:
> 
>> Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg which apparently
>> has an MD5 = efddf96af90be02bcc9e37cbc21c34a6
>> <https://www.virustotal.com/en/file/c3707dd14b766fd5d19daddf19cf57e980ffaa81fec3bec3e4de47bbf7419118/analysis/>.
>> 
>> I asked the OP to upload it to Send a false positive, but not sure they
>> will be able to.
>> 
>> -Al-
>> 
>> On May 9, 2014, at 7:53 PM, Al Varnell <alvarn...@mac.com> wrote:
>> 
>>> I don’t have all the information on this yet, but I’ve had two ClamXav
>>> users complain today of commercial software being identified as infected by
>>> Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but
>>> perhaps it was just added today.
>>> 
>>> The first is "accordion.1.6.2(83).dmg", downloaded from
>>> <http://yourhead.com/accordion/download/index.html> which I verified was
>>> identified. It’s a RapidWeaver Plug-in from YourHead.com.
>>> 
>>> I submitted it to VirusTotal with the following 1/51 results:
>>> <https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>.
>>> 
>>> So I uploaded it to Send a false positive report, but got the following
>>> response:
>>>> Result:
>>>> This file is not detected by ClamAV. Please update your CVD database
>>>> before reporting false-positives. If you are using third-party
>>>> databases/unofficial signatures, please contact the author of the
>>>> signature. We can only process false-positives generated by ClamAV Official
>>>> signatures.
>>>> 
>>>> Please correct the above errors and retry. Thank you for helping the
>>>> ClamAV project.
>>> 
>>> I updated definitions and it was still detected as infected. ClamXav is
>>> still using v0.98.1.  I’ve had this happen once before, but have no idea
>>> how it could test positive on two Macs and VirusTotal, but not on your site.
>>> 
>>> MD5 = f247e5f45b7a30ce600be34e66d93fa8
>>> 
>>> The second file is named "Rapport-5.dmg" which is an older version of
>>> Trusteer Rapport for Mac. The latest version does not test positive, but
>>> that’s not surprising to me.  I’ve asked the user to upload his file to
>>> VirusTotal and will post the results once I have them.
>>> 
>>> This is yet another example of OS X .dmg files being falsely identified
>>> as infected.  All of these signatures follow the same pattern of detecting
>>> multiple strings of characters (mostly the letter “a”) contained in an XML
>>> section of the .dmg file.  I believe this is provided as overhead
>>> information concerning the file and does not contain any data at all to
>>> positively identify the contents of the image file.  Since the formats of
>>> the XML portion of the .dmg files are all very similar, I suspect it will
>>> be extremely difficult to uniquely fingerprint such files by using XML
>>> strings.
>>> 
>>> 
>>> -Al-
>>> --
>>> Al Varnell
>>> Mountain View, CA
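Added example (not part of the thread, and not ClamAV's or ClamXav's code): a small Python script that walks the UDIF layout Al describes, reading the 512-byte "koly" trailer at the end of a .dmg to locate the XML property list and then measuring the longest run of a repeated character in it, which is the kind of low-information content a signature should not be built on. The image bytes and the plist are constructed inline as stand-ins for a real file; the trailer offsets used (XML offset at byte 216, XML length at byte 224, big-endian) follow the documented UDIF trailer layout.

```python
import base64
import re
import struct

KOLY_SIZE = 512  # the UDIF trailer is always 512 bytes at the very end of the image

# Constructed stand-in for a real plist: one blkx entry whose base64 <data>
# encodes a "mish" block table padded with zero bytes (zero bytes base64 to "A").
SAMPLE_PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>resource-fork</key><dict>'
    b'<key>blkx</key><array><dict><key>Data</key><data>\n'
    + base64.b64encode(b"mish" + b"\x00" * 60)
    + b"\n</data></dict></array></dict></dict></plist>\n"
)

def build_sample_dmg(data_fork: bytes, plist_xml: bytes) -> bytes:
    """Assemble data fork + XML plist + koly trailer, filling only the trailer
    fields this demo reads (version, header size, data fork and XML ranges)."""
    trailer = bytearray(KOLY_SIZE)
    trailer[0:4] = b"koly"
    struct.pack_into(">II", trailer, 4, 4, KOLY_SIZE)          # version, header size
    struct.pack_into(">QQ", trailer, 24, 0, len(data_fork))   # data fork offset, length
    struct.pack_into(">QQ", trailer, 216, len(data_fork), len(plist_xml))  # XML offset, length
    return data_fork + plist_xml + bytes(trailer)

def extract_plist(dmg: bytes) -> bytes:
    """Locate the XML plist via the koly trailer; reject malformed trailers."""
    if len(dmg) < KOLY_SIZE:
        raise ValueError("too short to hold a koly trailer")
    trailer = dmg[-KOLY_SIZE:]
    if trailer[:4] != b"koly":
        raise ValueError("no koly trailer at end of image")
    xml_offset, xml_length = struct.unpack_from(">QQ", trailer, 216)
    if xml_offset + xml_length > len(dmg) - KOLY_SIZE:
        raise ValueError("XML plist range runs past the image body")
    return dmg[xml_offset:xml_offset + xml_length]

def longest_run(data: bytes):
    """Return (byte, length) of the longest run of a single repeated byte."""
    best = (b"", 0)
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best[1]:
            best = (m.group(1), len(m.group(0)))
    return best

if __name__ == "__main__":
    image = build_sample_dmg(b"\x00" * 4096, SAMPLE_PLIST)
    plist = extract_plist(image)
    print(len(plist), longest_run(plist))  # the base64 block table is one long run of "A"
```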
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml