On 5/23/2018 4:43 AM, Tilman Schmidt wrote: > We're getting frequent false positives from ClamAV for > Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS. > Googling that virus name only turns up a few hits on virscan.org which > seem to be indicating a tendency of that signature to trigger on > logfiles and the like, but no actual information about the threat. > > What is that signature trying to detect? > Is this a Known Problem? > What's the best way handle it? >
This signature looks for a string of binary characters. It's not generally useful to run clamscan on pseudo-random data such as a tcpdumps, logfiles, raw disk images, etc. False positives can be expected from signatures that look for strings of binary characters. You can tell clam to ignore this particular signature by adding the name to a text file named local.ign2 (or any name ending in .ign2) in the same directory where the clam databases live. # local.ign2 Win.Exploit.Unicode_Mixed-1 However, I wouldn't be surprised if the dump starts hitting some other binary signature if you ignore this one. I think the best way to handle this is "don't scan pseudo-random files" -- Noel Jones _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
