Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
No, Daily - 22782 says Win.Trojan.Toa-5368540-0 is a New signature, not one of 
the 11,296 dropped.

-Al-

On Mon, Dec 26, 2016 at 08:11 PM, Joel Esler (jesler) wrote:
> 
> I believe that signature has been dropped.  


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Usage questions on local.ign2

2016-12-26 Thread Al Varnell

On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote:
> 
> For my clamscan cron job, I turned on --detect-pua=yes. While it did detect 
> some
> genuinely infected files, it also turned up a lot of false positives for
> PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. 
> 
> In searching for a way to block just these specific PUA signatures, I found
> several references on the web to putting these names in 
> /var/lib/clamav/local.ign2:
> 
> PUA.Win.Trojan.EmbeddedPDF-1
> PUA.Pdf.Trojan.EmbeddedJavaScript-1
> 
> I found nothing in any of my clamav documentation mentioning this file (I'm
> running 0.99.2). However, that local.ign2 file did work. 
>  
> Question 1: is the use of this file officially documented anywhere? Likewise 
> for
> another file mentioned, whitelist.ign2?

It’s in the signatures.pdf documentation, para 3.9. You can call it anything 
you want as long as the file extension is “.ign2”.

> Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
> this local.ign2 file to exclude these signatures?

Yes.

> Question 3: Given the recent dialog in this list about false positives, could
> the Win.Trojan.Toa- signatures be added to this file for at least 
> temporary
> ignoring?

They can (and have been for ClamXav) but given that these are being dropped as 
we speak, it’s probably not worth the effort.

> I tried adding the several distinct ones found on my system and, upon
> starting clamscan got the errors:
> 
> LibClamAV Error: cli_loadign: No signature name provided
> LibClamAV Error: cli_loadign: Problem parsing database at line 17
> LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
> LibClamAV Error: cli_loaddbdir(): error loading database
> /var/lib/clamav/local.ign2
> ERROR: Malformed database
> 
> Further research showed that the format for entries in local.ign2 is
> 
> Repository.Name.Number
> 
> Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work.  Not sure 
> what
> the correct syntax would be for these Win.Trojan.Toa culprits, if this 
> mechanism
> would even work for these at all. 

That will work, so you must have a typo of some sort at line 17.

-Al-

> 
> Thanks, --Mark



[clamav-users] Usage questions on local.ign2

2016-12-26 Thread Mark Foley
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
genuinely infected files, it also turned up a lot of false positives for
PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. 

In searching for a way to block just these specific PUA signatures, I found
several references on the web to putting these names in 
/var/lib/clamav/local.ign2:

PUA.Win.Trojan.EmbeddedPDF-1
PUA.Pdf.Trojan.EmbeddedJavaScript-1

I found nothing in any of my clamav documentation mentioning this file (I'm
running 0.99.2). However, that local.ign2 file did work. 

Question 1: is the use of this file officially documented anywhere? Likewise for
another file mentioned, whitelist.ign2?

Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
this local.ign2 file to exclude these signatures?

Question 3: Given the recent dialog in this list about false positives, could
the Win.Trojan.Toa- signatures be added to this file for at least temporary
ignoring? I tried adding the several distinct ones found on my system and, upon
starting clamscan got the errors:

LibClamAV Error: cli_loadign: No signature name provided
LibClamAV Error: cli_loadign: Problem parsing database at line 17
LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database
/var/lib/clamav/local.ign2
ERROR: Malformed database

Further research showed that the format for entries in local.ign2 is

Repository.Name.Number

Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work.  Not sure what
the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
would even work for these at all. 

Thanks, --Mark
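Mark's "cli_loadign: No signature name provided ... Problem parsing database at line 17" error and Al's reply that a bare signature name per line does work: the following POSIX shell lint is an added example by the editor, not code from the ClamAV project or from anyone on the list. It walks a .ign2 file line by line and reports every line that is not a bare signature name (empty lines, CRLF endings, stray whitespace, characters outside the letters/digits/'.'/'-'/'_' alphabet that signature names use), then writes a cleaned copy. The function names `ign2_lint` and `ign2_normalize`, the assumption that the loader numbers every physical line including `#` comments, and the sample file used in the test are all the editor's.

```shell
#!/bin/sh
# Lint a ClamAV .ign2 file: one signature name per line, nothing else.
# Editor's example, not ClamAV project code. Every physical line is counted,
# comments included (assumption: that is how the loader numbers the line it
# names in "Problem parsing database at line N"), so a flagged line number
# can be compared directly with the N in the error message.

ign2_lint() {
    file=$1
    n=0
    bad=0
    cr=$(printf '\r')
    # IFS= keeps leading/trailing whitespace, -r keeps backslashes; the
    # "|| [ -n ... ]" clause still processes a last line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*)
                continue ;;                     # comment line
            '')
                printf 'line %d: empty line\n' "$n"
                bad=$((bad + 1)); continue ;;
            *"$cr"*)
                printf 'line %d: carriage return (CRLF line ending)\n' "$n"
                bad=$((bad + 1)); continue ;;
            *[[:space:]]*)
                printf 'line %d: whitespace in "%s"\n' "$n" "$line"
                bad=$((bad + 1)); continue ;;
            *[!A-Za-z0-9._-]*)
                # Signature names use letters, digits, '.', '-' and '_' only;
                # anything else is almost certainly a typo.
                printf 'line %d: unexpected character in "%s"\n' "$n" "$line"
                bad=$((bad + 1)); continue ;;
        esac
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Write a cleaned copy: drop CRs, trim surrounding whitespace, drop empty lines.
ign2_normalize() {
    tr -d '\r' < "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' > "$2"
}

# Usage: sh ign2_lint.sh /var/lib/clamav/local.ign2
if [ -n "${1:-}" ]; then
    ign2_lint "$1"
fi
```

Run it against the file the loader rejected, fix or normalize the lines it names, and lint the cleaned copy again before putting it back under the database directory and reloading clamd; a file that passes the lint contains only bare names, which is the form Al confirms works.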


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
I believe that signature has been dropped.  

--
Sent from my iPhone

> On Dec 26, 2016, at 11:08 PM, Christian Balzer  wrote:
> 
> 
> Hello,
> 
>> On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote:
>> 
>> We QA against thousands of clean files for each signature.  But we don't 
>> have a copy of every file in the world to QA against.  
>> 
>> When people send in false positives, if we determine them to be actually 
>> clean, we add them to the FP farm as well.  That's why FPs are important to 
>> send in, not just to clean current FPs, but to prevent future ones.   
>> 
> 
> Don't have a sample (confidential file), but I have confirmation that this
> was indeed an Excel .xlsm file.
> Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
> I'm willing to bet real money that it was the same type.
> 
> Christian
> 
>> --
>> Sent from my iPhone
>> 
>>> On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
>>> 
>>> 
>>> Hello Al,
>>> 
>>>> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
>>>> 
>>>> Although most, if not all the Win.Trojan.Toa old signatures were either 
>>>> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
>>>> that would appear to be a new issue.
>>>> 
>>> Be that as it may, I'd say this isn't a new issue as such but a
>>> continuation of what is clearly insufficient QA with these signatures.
>>> 
>>> I'd love to be more helpful, but since these are large mails I don't have a
>>> complete bounce (Exim suppresses those over 100KB) and I don't have easy
>>> access to any of the senders.
>>> But it's with near certainty some attachment in a MS file format that
>>> triggers these.
>>> 
>>> Regards,
>>> 
>>> Christian
>>> 
>>>> -Al-
>>>> 
>>>>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>>> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
>>>>>> 
>>>>>> 
>>>>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>>>>>> In keeping with the other false positive reports I have more than 400
>>>>>>> CentOS servers report below after yesterday's freshclam update:
>>>>>> 
>>>>>> Yes, nashorn.jar seems to get hit too...
>>>>>> 
>>>>>> eg:
>>>>>> 
>>>>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>>>>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>>>>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>>>>>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>>>>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>>>>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>>>>>> 
>>>>>> and the earlier reported FP's are still there:
>>>>>> 
>>>>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>>>>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>>>>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>>>>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>>>>>> 
>>>>>> etc.
>>>>>> 
>>>>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
>>>>>> done
>>>>>> in full after holidays.
>>>>>> 
>>>>> I can only second that.
>>>>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
>>>>> 
>>>>> At this rate the previous bit about "Clamscan becoming its own worst
>>>>> enemy." can not be underestimated.
>>>>> This is the 2nd, VERY visible FP avalanche in so many months and since it
>>>>> affects a lot of people here including internal business mails.
>>>>> Reflecting badly on all OSS projects and SW.
>>>>> 
>>>>> Christian
>>>>> 
>>>>>> As the issues go on...
>>>>>> 
>>>>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>>>>>> 
>>>>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
>>> 
>>> 
>>> -- 
>>> Christian Balzer        Network/Systems Engineer
>>> ch...@gol.com           Global OnLine Japan/Rakuten Communications
>>> http://www.gol.com/
> 
> 
> -- 
> Christian Balzer        Network/Systems Engineer
> ch...@gol.com           Global OnLine Japan/Rakuten Communications
> http://www.gol.com/

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello,

On Tue, 27 Dec 2016 03:06:31 + Joel Esler (jesler) wrote:

> We QA against thousands of clean files for each signature.  But we don't have 
> a copy of every file in the world to QA against.  
> 
> When people send in false positives, if we determine them to be actually 
> clean, we add them to the FP farm as well.  That's why FPs are important to 
> send in, not just to clean current FPs, but to prevent future ones.   
>

Don't have a sample (confidential file), but I have confirmation that this
was indeed an Excel .xlsm file.
Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
I'm willing to bet real money that it was the same type.

Christian

> --
> Sent from my iPhone
> 
> > On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
> > 
> > 
> > Hello Al,
> > 
> >> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
> >> 
> >> Although most, if not all the Win.Trojan.Toa old signatures were either 
> >> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
> >> that would appear to be a new issue.
> >> 
> > Be that as it may, I'd say this isn't a new issue as such but a
> > continuation of what is clearly insufficient QA with these signatures.
> > 
> > I'd love to be more helpful, but since these are large mails I don't have a
> > complete bounce (Exim suppresses those over 100KB) and I don't have easy
> > access to any of the senders.
> > But it's with near certainty some attachment in a MS file format that
> > triggers these.
> > 
> > Regards,
> > 
> > Christian
> > 
> >> -Al-
> >> 
> >>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> >>> 
> >>> Hello,
> >>> 
> >>>> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
> >>>> 
> >>>> 
> >>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> >>>>> In keeping with the other false positive reports I have more than 400
> >>>>> CentOS servers report below after yesterday's freshclam update:
> >>>> 
> >>>> Yes, nashorn.jar seems to get hit too...
> >>>> 
> >>>> eg:
> >>>> 
> >>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> >>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> >>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> >>>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> >>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> >>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> >>>> 
> >>>> and the earlier reported FP's are still there:
> >>>> 
> >>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> >>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
> >>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> >>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> >>>> 
> >>>> etc.
> >>>> 
> >>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
> >>>> done
> >>>> in full after holidays.
> >>>> 
> >>> I can only second that.
> >>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> >>> 
> >>> At this rate the previous bit about "Clamscan becoming its own worst
> >>> enemy." can not be underestimated.
> >>> This is the 2nd, VERY visible FP avalanche in so many months and since it
> >>> affects a lot of people here including internal business mails.
> >>> Reflecting badly on all OSS projects and SW.
> >>> 
> >>> Christian
> >>> 
> >>>> As the issues go on...
> >>>> 
> >>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> >>>> 
> >>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> > 
> > 
> > -- 
> > Christian Balzer        Network/Systems Engineer
> > ch...@gol.com           Global OnLine Japan/Rakuten Communications
> > http://www.gol.com/
> 


-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Global OnLine Japan/Rakuten Communications
http://www.gol.com/

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Joel Esler (jesler)
We QA against thousands of clean files for each signature.  But we don't have a 
copy of every file in the world to QA against.  

When people send in false positives, if we determine them to be actually clean, 
we add them to the FP farm as well.  That's why FPs are important to send in, 
not just to clean current FPs, but to prevent future ones.   

--
Sent from my iPhone

> On Dec 26, 2016, at 9:27 PM, Christian Balzer  wrote:
> 
> 
> Hello Al,
> 
>> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
>> 
>> Although most, if not all the Win.Trojan.Toa old signatures were either 
>> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
>> that would appear to be a new issue.
>> 
> Be that as it may, I'd say this isn't a new issue as such but a
> continuation of what is clearly insufficient QA with these signatures.
> 
> I'd love to be more helpful, but since these are large mails I don't have a
> complete bounce (Exim suppresses those over 100KB) and I don't have easy
> access to any of the senders.
> But it's with near certainty some attachment in a MS file format that
> triggers these.
> 
> Regards,
> 
> Christian
> 
>> -Al-
>> 
>>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
>>> 
>>> Hello,
>>> 
>>>> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
>>>> 
>>>> 
>>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>>>> In keeping with the other false positive reports I have more than 400
>>>>> CentOS servers report below after yesterday's freshclam update:
>>>> 
>>>> Yes, nashorn.jar seems to get hit too...
>>>> 
>>>> eg:
>>>> 
>>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>>>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>>>> 
>>>> and the earlier reported FP's are still there:
>>>> 
>>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>>>> 
>>>> etc.
>>>> 
>>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
>>>> done
>>>> in full after holidays.
>>>> 
>>> I can only second that.
>>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
>>> 
>>> At this rate the previous bit about "Clamscan becoming its own worst
>>> enemy." can not be underestimated.
>>> This is the 2nd, VERY visible FP avalanche in so many months and since it
>>> affects a lot of people here including internal business mails.
>>> Reflecting badly on all OSS projects and SW.
>>> 
>>> Christian
>>> 
>>>> As the issues go on...
>>>> 
>>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>>>> 
>>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> 
> 
> -- 
> Christian Balzer        Network/Systems Engineer
> ch...@gol.com           Global OnLine Japan/Rakuten Communications
> http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello Al,

On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:

> Although most, if not all the Win.Trojan.Toa old signatures were either 
> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so 
> that would appear to be a new issue.
>
Be that as it may, I'd say this isn't a new issue as such but a
continuation of what is clearly insufficient QA with these signatures.

I'd love to be more helpful, but since these are large mails I don't have a
complete bounce (Exim suppresses those over 100KB) and I don't have easy
access to any of the senders.
But it's with near certainty some attachment in a MS file format that
triggers these.

Regards,

Christian

> -Al-
> 
> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> > 
> > Hello,
> > 
> > On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
> > 
> >> 
> >> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> >>> In keeping with the other false positive reports I have more than 400
> >>> CentOS servers report below after yesterday's freshclam update:
> >> 
> >> Yes, nashorn.jar seems to get hit too...
> >> 
> >> eg:
> >> 
> >> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> >> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> >> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> >> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> >> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> >> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> >> 
> >> and the earlier reported FP's are still there:
> >> 
> >> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> >> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> >> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> >> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >> fp\omni.ja: Win.Trojan.Toa-5370166-0
> >> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> >> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> >> 
> >> etc.
> >> 
> >> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing 
> >> done
> >> in full after holidays.
> >> 
> > I can only second that.
> > And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> > 
> > At this rate the previous bit about "Clamscan becoming its own worst
> > enemy." can not be underestimated.
> > This is the 2nd, VERY visible FP avalanche in so many months and since it
> > affects a lot of people here including internal business mails.
> > Reflecting badly on all OSS projects and SW.
> > 
> > Christian
> > 
> >> As the issues go on...
> >> 
> >> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> >> 
> >> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0


-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Global OnLine Japan/Rakuten Communications
http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
Although most, if not all the Win.Trojan.Toa old signatures were either dropped 
by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would 
appear to be a new issue.

-Al-

On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> 
> Hello,
> 
> On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:
> 
>> 
>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>> In keeping with the other false positive reports I have more than 400
>>> CentOS servers report below after yesterday's freshclam update:
>> 
>> Yes, nashorn.jar seems to get hit too...
>> 
>> eg:
>> 
>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>> 
>> and the earlier reported FP's are still there:
>> 
>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>> 
>> etc.
>> 
>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
>> in full after holidays.
>> 
> I can only second that.
> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> 
> At this rate the previous bit about "Clamscan becoming its own worst
> enemy." can not be underestimated.
> This is the 2nd, VERY visible FP avalanche in so many months and since it
> affects a lot of people here including internal business mails.
> Reflecting badly on all OSS projects and SW.
> 
> Christian
> 
>> As the issues go on...
>> 
>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>> 
>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0



Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Christian Balzer

Hello,

On Mon, 26 Dec 2016 19:21:25 - Steve Basford wrote:

> 
> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> > In keeping with the other false positive reports I have more than 400
> > CentOS servers report below after yesterday's freshclam update:
> 
> Yes, nashorn.jar seems to get hit too...
> 
> eg:
> 
> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> 
> and the earlier reported FP's are still there:
> 
> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> fp\omni.ja: Win.Trojan.Toa-5370166-0
> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> 
> etc.
> 
> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
> in full after holidays.
> 
I can only second that.
And add Win.Trojan.Toa-5368540-0 to the list of FPs.

At this rate the previous bit about "Clamscan becoming its own worst
enemy." can not be underestimated.
This is the 2nd, VERY visible FP avalanche in so many months and since it
affects a lot of people here including internal business mails.
Reflecting badly on all OSS projects and SW.

Christian

> As the issues go on...
> 
> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> 
> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> 


-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Global OnLine Japan/Rakuten Communications
http://www.gol.com/


Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford

On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> In keeping with the other false positive reports I have more than 400
> CentOS servers report below after yesterday's freshclam update:

Yes, nashorn.jar seems to get hit too...

eg:

fp2\11476331d01: Win.Trojan.Toa-5372078-0
fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
fp2\3A627716d01: Win.Trojan.Toa-5372078-0
fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0

and the earlier reported FP's are still there:

fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp\omni.ja: Win.Trojan.Toa-5370166-0
fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0

etc.

IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
in full after holidays.

As the issues go on...

https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061

https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Mark Edwards
In keeping with the other false positive reports I have more than 400
CentOS servers report below after yesterday's freshclam update:

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.el7_2.x86_64/jre/lib/ext/nashorn.jar: Win.Trojan.Toa-5370166-0.

Believe this is a false positive. Would like confirmation and an update
before tonight's run, if possible. Thanks.

-- 
*Mark Edwards  |  Cloud Operations Manager  |  TraceLink Inc.*
Amazon AWS Global Start-Up Challenge – Grand Prize Winner!

Re: [clamav-users] More fp's.

2016-12-26 Thread Alain Zidouemba
We are seeing the FPs and are in the process of addressing them. Please
keep reporting them.

- Alain

On Mon, Dec 26, 2016 at 8:11 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

>
> On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote:
>
> Just run freshclam...
>
> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND
> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\omni.ja: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0.UNOFFICI
> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
> fp\turbo_download_manager-0.2.8-an+fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
>
> In short these need removing too...
>
> Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
> Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
> Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
> Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND
>
> So in short... these new sig changes are making a huge mess...
>
> https://wordpress.org/support/topic/wordpress-4-7-virus/
> https://forums.linuxmint.com/viewtopic.php?t=236204
> http://stackoverflow.com/questions/41326419/cannot-upload-file-online-due-to-win-trojan-toa-5372190-0-found
> https://forums.cpanel.net/threads/can-not-upload-zip-files-virus-detected.588843/
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
>


Re: [clamav-users] More fp's.

2016-12-26 Thread Steve Basford

On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote:

Just run freshclam...

fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND
fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\omni.ja: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0.UNOFFICI
fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
fp\turbo_download_manager-0.2.8-an+fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND

In short these need removing too...

Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND

So in short... these new sig changes are making a huge mess...

https://wordpress.org/support/topic/wordpress-4-7-virus/
https://forums.linuxmint.com/viewtopic.php?t=236204
http://stackoverflow.com/questions/41326419/cannot-upload-file-online-due-to-win-trojan-toa-5372190-0-found
https://forums.cpanel.net/threads/can-not-upload-zip-files-virus-detected.588843/

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] More fp's.

2016-12-26 Thread Sierk Bornemann
$ sw_vers
ProductName:Mac OS X
ProductVersion: 10.12.2
BuildVersion:   16C67


$ cat /Users/$USER/Library/Logs/ClamXavSentry-scan.log | grep FOUND

/Applications/Firefox.app/Contents/Resources/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/Applications/Firefox.app/Contents/Resources/browser/omni.ja: Win.Trojan.Toa-5370261-0 FOUND
/Applications/Firefox.app/Contents/Resources/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/Applications/Firefox.app/Contents/Resources/browser/omni.ja: Win.Trojan.Toa-5370261-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/startupCache/startupCache.8.little: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/startupCache/startupCache.8.little: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/startupCache/startupCache.8.little: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Application Support/Firefox/Profiles/qvmrp8ae.default/extensions/ublo...@raymondhill.net.xpi: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/cache2/entries/0BBADECE8C7B469B3A6EE6C185C5E0D044A6E376: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/cache2/entries/0BBADECE8C7B469B3A6EE6C185C5E0D044A6E376: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/startupCache/startupCache.8.little: Win.Trojan.Toa-5370166-0 FOUND
/Users/$USER/Library/Caches/Firefox/Profiles/qvmrp8ae.default/startupCache/startupCache.8.little: Win.Trojan.Toa-5370166-0 FOUND

False Positives for:

Firefox.app…  /Resources/…
Firefox.app … /Caches/… startupCache.8.little
Firefox.app … /Caches/…0BBADECE8C7B469B3A6EE6C185C5E0D044A6E376
Firefox.app … /extensions/…ublo...@raymondhill.net.xpi

Possible cause: signature relating
Win.Trojan.Toa-5370166-0
Win.Trojan.Toa-5370261-0


Please fix!


Merry Christmas,
Sierk Bornemann



Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-26 Thread Al Varnell
Four have already been dropped and I’m sure there will be more to come.

It will go faster if you submit samples to  
and post a hash back here of the file(s) you uploaded.

-Al-

On Mon, Dec 26, 2016 at 02:43 AM, Frank Sfalanga Jr. wrote:
> 
> This includes .jar zips.  I am seeing this across dozens of GNU/Linux
> servers. Other than --exclude=*.jar what else can be done to fix these
> fp's?
> 
> ===
> 
> /home/ddale/.gradle/wrapper/dists/gradle-1.10-bin/6oa4rff9viiqskhgd6uns5v1f8/gradle-1.10/lib/plugins/gradle-plugins-1.10.jar: Win.Trojan.Toa-5367477-0 FOUND
> /home/frank/.gradle/wrapper/dists/gradle-1.10-bin/6oa4rff9viiqskhgd6uns5v1f8/gradle-1.10/lib/plugins/gradle-plugins-1.10.jar: Win.Trojan.Toa-5367477-0 FOUND
> 
> ===
> 
> Any chance this will be fixed? Between the fp's for --detect-structured=yes
> and these fp's for trojans Clamscan is becoming, IMHO, its own worst enemy.
> 
> 
> Frank Sfalanga Jr.



[clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-26 Thread Frank Sfalanga Jr.
This includes .jar zips.  I am seeing this across dozens of GNU/Linux
servers. Other than --exclude=*.jar what else can be done to fix these
fp's?

===

/home/ddale/.gradle/wrapper/dists/gradle-1.10-bin/6oa4rff9viiqskhgd6uns5v1f8/gradle-1.10/lib/plugins/gradle-plugins-1.10.jar: Win.Trojan.Toa-5367477-0 FOUND
/home/frank/.gradle/wrapper/dists/gradle-1.10-bin/6oa4rff9viiqskhgd6uns5v1f8/gradle-1.10/lib/plugins/gradle-plugins-1.10.jar: Win.Trojan.Toa-5367477-0 FOUND

===

Any chance this will be fixed? Between the fp's for --detect-structured=yes
and these fp's for trojans Clamscan is becoming, IMHO, its own worst enemy.


Frank Sfalanga Jr. | Director of Information Technology
Ph. 239-221-3309 | fr...@csiglobalvcard.com
CSI Enterprises, Inc. | www.csiglobalvcard.com

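The two workarounds raised in this thread, ignoring specific signature names instead of excluding whole file types, and posting hashes of the flagged files back to the list, can be scripted. The POSIX shell script below is an added example and is not code from anyone in the thread or from the ClamAV project. It assumes the documented .ign2 format (one signature name per line, any *.ign2 file in the database directory is loaded by clamscan and clamd), that the database directory is /var/lib/clamav (check the DatabaseDirectory setting), and that the ".UNOFFICIAL" suffix clamscan appends to hits from third-party databases is not part of the stored name and so must be stripped from an .ign2 entry. The report it parses is constructed from lines posted in this thread, plus one OK line and one EICAR hit to show that non-Toa detections are left alone.

```shell
#!/bin/sh
# Added example (not from the thread): build a temporary .ign2 exclusion
# list for the Win.Trojan.Toa-* false positives from a clamscan report,
# and hash the flagged files for submission as FP samples.

# Constructed sample report, modelled on the lines posted in this thread.
SAMPLE_REPORT='/home/frank/.gradle/wrapper/dists/gradle-1.10/lib/plugins/gradle-plugins-1.10.jar: Win.Trojan.Toa-5367477-0 FOUND
fp/imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp/imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
/Applications/Firefox.app/Contents/Resources/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/nashorn.jar: OK
/tmp/eicar.com: Eicar-Test-Signature FOUND'

# Print the distinct signature names from a clamscan report on stdin that
# start with the given prefix. The ".UNOFFICIAL" suffix is reporting
# decoration for third-party databases (assumption: not part of the stored
# name), so it is removed to get the form an .ign2 entry needs.
sig_names() {
    prefix="$1"
    grep ' FOUND$' \
        | sed -e 's/^.*: //' -e 's/ FOUND$//' -e 's/\.UNOFFICIAL$//' \
        | grep "^$prefix" | sort -u
}

# Print the distinct file paths the report flagged (signature names contain
# no colon, so dropping the last ": ..." field leaves the path intact).
flagged_paths() {
    grep ' FOUND$' | sed -e 's/: [^:]*$//' | sort -u
}

# Write the matching names to an .ign2 file and print how many were written.
# Keeping the temporary exclusions in their own file (e.g. local.ign2) makes
# them trivial to delete once the signatures are dropped upstream.
write_ign2() {
    outfile="$1"; prefix="$2"
    sig_names "$prefix" > "$outfile"
    wc -l < "$outfile" | tr -d ' '
}

# Hash the flagged files that exist on this host, for posting back to the
# list alongside the uploaded samples (sha256sum on GNU/Linux, shasum on macOS).
hash_flagged() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"
        fi
    done
}

# Demo run against the constructed report. Copy the result into
# /var/lib/clamav/ (assumed database directory) to activate it; clamd picks
# the change up on its next SelfCheck, or immediately after `clamdscan --reload`.
IGN2="${TMPDIR:-/tmp}/local.ign2"
count=$(printf '%s\n' "$SAMPLE_REPORT" | write_ign2 "$IGN2" 'Win.Trojan.Toa-')
echo "wrote $count Toa signature names to $IGN2:"
cat "$IGN2"
printf '%s\n' "$SAMPLE_REPORT" | flagged_paths | hash_flagged
```

An .ign2 entry silences the named signature for every file, including a genuine sample that happens to match it, so keep the list scoped to the names you have verified as false positives and delete the file as soon as freshclam pulls a daily update that drops them; `clamscan --debug` on a known-flagged file is a quick way to confirm the exclusion is being loaded.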