Resending in case the first doesn't get through...

On Wed, May 23, 2018 at 07:38 AM, Noel Jones wrote:
> On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
>> We're getting frequent false positives from ClamAV for
>> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
>> Googling that virus name only turns up a few hits on virscan.org
>> <http://virscan.org/> which
>> seem to be indicating a tendency of that signature to trigger on
>> logfiles and the like, but no actual information about the threat.
>>
>> What is that signature trying to detect?
>> Is this a Known Problem?
>> What's the best way to handle it?
>>
>
> This signature looks for a string of binary characters.

It could also be a string of ASCII characters (not included to prevent this e-mail from being detected as infected) but the same advice would apply.

> It's not generally useful to run clamscan on pseudo-random data such
> as tcpdumps, logfiles, raw disk images, etc. False positives can
> be expected from signatures that look for strings of binary characters.
>
> You can tell clam to ignore this particular signature by adding the
> name to a text file named local.ign2 (or any name ending in .ign2)
> in the same directory where the clam databases live.
>
> # local.ign2
> Win.Exploit.Unicode_Mixed-1
>
> However, I wouldn't be surprised if the dump starts hitting some
> other binary signature if you ignore this one.
>
> I think the best way to handle this is "don't scan pseudo-random files"

--
Noel Jones
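As an added example (not from the thread and not ClamAV's own tooling): a small POSIX sh helper that maintains a local.ign2 in the one-name-per-line format Noel describes, refuses names that cannot match a real signature, checks with sigtool that the name actually exists before it is ignored, and wraps clamscan so packet captures and log files are excluded from the scan in the first place. The database directory /var/lib/clamav and the file-extension pattern are assumptions; adjust both for your installation.

```shell
#!/bin/sh
# Added example, not part of the clamav-users thread or of ClamAV itself.
# Assumptions: database directory is /var/lib/clamav unless CLAMAV_DB is
# set; clamscan and sigtool are only invoked when installed.

# Exact-match lookup: -x so Foo-1 does not match Foo-10, -F for a literal.
ign2_has() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# .ign2 format (ClamAV 0.96 and later): one signature name per line, no
# database prefix. Append SIGNAME to IGNFILE unless it is already there.
ign2_add() {
    ignfile=$1
    signame=$2
    # Signature names are [A-Za-z0-9._-]; reject anything else so a stray
    # space or glob character cannot produce an entry that never matches.
    case $signame in
        *[!A-Za-z0-9._-]*|'')
            printf 'bad signature name: %s\n' "$signame" >&2
            return 2 ;;
    esac
    if ign2_has "$ignfile" "$signame"; then
        return 0
    fi
    printf '%s\n' "$signame" >> "$ignfile"
}

# Confirm the name exists in the installed databases, so a typo in
# local.ign2 is caught instead of silently ignoring nothing. sigtool
# --list-sigs reads the default database directory.
sig_exists() {
    command -v sigtool >/dev/null 2>&1 || {
        echo "sigtool not installed" >&2
        return 3
    }
    sigtool --list-sigs | grep -qxF -- "$1"
}

# Scan DIR recursively with the databases (and any .ign2 files) in the
# database directory, skipping captures and logs as the thread advises.
scan_skipping_dumps() {
    dir=$1
    db=${CLAMAV_DB:-/var/lib/clamav}
    command -v clamscan >/dev/null 2>&1 || {
        echo "clamscan not installed" >&2
        return 3
    }
    clamscan -r --database="$db" \
        --exclude='\.(pcap|pcapng|cap|log)$' \
        "$dir"
}
```

Typical use: `sig_exists Win.Exploit.Unicode_Mixed-1 && ign2_add /var/lib/clamav/local.ign2 Win.Exploit.Unicode_Mixed-1`, then `scan_skipping_dumps /srv/ids`. The exclude pattern only addresses the files this thread is about; as Noel notes, other pseudo-random data (disk images, compressed archives of captures) will keep tripping binary signatures, so the durable fix is still to keep such files out of the scan set rather than to grow the ignore list.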
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml