Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Al Varnell
Attachments are not allowed here. Be sure you submit it to the False Positive 
Report site and post the hash value back here.


Sent from Janet's iPad

-Al-

On Feb 23, 2016, at 5:55 AM, Tsutomu Oyamada wrote:
> There are still positives for "Zip.Suspect.MacroDoubleExtension-zippwd".
> (see attached file)
> When will this false positive be resolved?

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Tsutomu Oyamada
There are still positives for "Zip.Suspect.MacroDoubleExtension-zippwd".
(see attached file)
When will this false positive be resolved?


On Wed, 17 Feb 2016 20:16:02 -0800, Dennis Peterson wrote:

> My experience with these kinds of failures is that the pattern is not properly 
> anchored, or the writer doesn't understand greedy grep patterns, or both. 
> Fallout from the new pcregrep, perhaps? I've not analyzed it, so I am 
> speculating here, but the lesson learned after decades of doing this is: if 
> regex results amaze you, then you have probably screwed up somewhere when 
> writing the pattern. Or, as one of my staff liked to say, something we're sure 
> of is wrong.
> 
> dp


Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-17 Thread Dennis Peterson
My experience with these kinds of failures is that the pattern is not properly 
anchored, or the writer doesn't understand greedy grep patterns, or both. Fallout 
from the new pcregrep, perhaps? I've not analyzed it, so I am speculating here, 
but the lesson learned after decades of doing this is: if regex results amaze 
you, then you have probably screwed up somewhere when writing the pattern. Or, 
as one of my staff liked to say, something we're sure of is wrong.


dp

On 2/16/16 7:02 PM, Al Varnell wrote:

Resubmitted.

87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub

-Al-



Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-16 Thread Al Varnell
Resubmitted.

87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub

-Al-

On Feb 14, 2016, at 4:34 PM, Al Varnell  wrote:

> I attempted to submit the sample I have to http://www.clamav.net/reports/fp 
> and it was similarly rejected as "empty."  Scanned the file on my computer 
> after updating definitions still shows it as infected.  Uploading it to 
> VirusTotal results in only a ClamAV detection:
> .



Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Al Varnell
I attempted to submit the sample I have to http://www.clamav.net/reports/fp and 
it was similarly rejected as "empty."  Scanned the file on my computer after 
updating definitions still shows it as infected.  Uploading it to VirusTotal 
results in only a ClamAV detection:
.

Regardless of whether the signature is right or wrong, the ClamAV False 
Positive submission system is broken and needs to be fixed.
The file I submitted was pg3726-images.epub downloaded from
 
with MD5=6a2c8a5085e7fbea72643d78962c6897 just in case it actually made it to 
the database.

-Al-

On Sun, Feb 14, 2016 at 03:14 PM, nerslbm...@yahoo.com wrote:
> 
> I understand it can be whitelisted, but I posted to the list in hope that the 
> person who introduced the problem to the file daily.cd on 2/12/2016 will read 
> the thread and roll back the changes.
> 
> Thanks!

-Al-
-- 
Al Varnell
Mountain View, CA

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread nerslbmail
I understand it can be whitelisted, but I posted to the list in hope that the 
person who introduced the problem to the file daily.cd on 2/12/2016 will read 
the thread and roll back the changes.

Thanks!
 

On Sunday, February 14, 2016 11:48 AM, Steve basford wrote:

Hi,

Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd

(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*

Which is covering a lot of combinations in one sig... personally I split 
foxhole ones into smaller subsections...

Use --debug and grep for cdbname in the output.

You can whitelist sig name using a .ign2 database.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com





Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Al Varnell
I’ve had one ClamXav user complain on Friday that all the .epub and kindle 
downloads from http://www.gutenberg.org/ebooks/3726 were infected.  When 
decompressed it reveals several files with ".txt.html" extensions.

We've seen problems with such all-encompassing signatures in the past, so I 
suspect this one needs to be trimmed a bit.

-Al-

On Sun, Feb 14, 2016 at 11:47 AM, Steve basford wrote:
> 
> Hi,
> 
> Here's the entry for
> Zip.Suspect.MacroDoubleExtension-zippwd
> 
> (?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*
> 
> Which is covering a lot of combinations in one sig... personally I split 
> foxhole ones into smaller subsections...
> 
> Use --debug and grep for cdbname in the output.
> 
> You can whitelist sig name using a .ign2 database.
> 
> Cheers,
> 
> Steve
> Web: sanesecurity.com
> Blog: sanesecurity.blogspot.com

-Al-
-- 
Al Varnell
Mountain View, CA

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Steve basford

Hi,

Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd

(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*


Which is covering a lot of combinations in one sig... personally I split 
foxhole ones into smaller subsections...


Use --debug and grep for cdbname in the output.

You can whitelist sig name using a .ign2 database.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com



On 14 February 2016 19:00:12  wrote:

Hi,

False positives started coming after the update to daily.cvd version 21360. 
My submissions for false-positive reports on clamav.net keep reporting 
"The sample is empty."


How to reproduce:
mkdir /tmp/test_dir
touch /tmp/test_dir/txt_csv.jar.0
jar cf test_dir.jar /tmp/test_dir
# or
zip -r test_dir.zip /tmp/test_dir

# then scan the file
clamscan test_dir.jar test_dir.zip
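Worked example, added here and not code from the thread or from ClamAV: the script below builds an archive in memory the way the reproducer does, reads back the member names, and runs the FileNameREGEX field of the signature Steve posted over them with an unanchored search (the regex as posted carries no ^ or $; the trailing ":*:*:*:*" are the remaining .cdb fields, not part of the regex). Beside it is a hypothetical tightened variant that anchors the second extension to the end of the name and drops htm/html, to illustrate Dennis's point about anchoring and Al's suggestion that the signature be trimmed. That variant is an assumption for illustration only, not anything ClamAV shipped, and the member names other than the reproducer's txt_csv.jar.0 are constructed.

```python
import io
import re
import zipfile

# The decoy-extension half of the signature exactly as posted in the thread.
DECOY = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg"
    r"|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[ _.-]*\."
)

# The published regex: second extension list as posted, no end anchor.
PUBLISHED = re.compile(
    DECOY + r"(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html"
            r"|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)"
)

# Hypothetical tightened variant (an assumption for illustration, not a ClamAV
# signature): the second extension must end the name, and htm/html are dropped
# because ".txt.html" is normal inside e-book packages.
TIGHTENED = re.compile(
    DECOY + r"(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta"
            r"|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)$"
)

# Member names as "zip -r" / "jar cf" store them (leading "/" stripped).
# Only the first is from the thread's reproducer; the rest are constructed.
SAMPLE_MEMBERS = [
    "tmp/test_dir/txt_csv.jar.0",   # the reproducer's empty file
    "OEBPS/chapter01.txt.html",     # constructed: ".txt.html" as in the epub report
    "invoice.pdf.js",               # constructed: the kind of name the sig targets
    "readme.txt",                   # constructed: benign control
]


def build_archive(names):
    """Build an in-memory zip of empty members, like `touch` + `zip -r`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


def archive_members(data):
    """Member names inside a zip, in the order a scanner would walk them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def flagged(pattern, names):
    """Names the regex hits. re.search is deliberate: the .cdb regex is not
    anchored, so it may match anywhere in the member name."""
    return [n for n in names if pattern.search(n)]


if __name__ == "__main__":
    names = archive_members(build_archive(SAMPLE_MEMBERS))
    for label, pattern in (("published", PUBLISHED), ("tightened", TIGHTENED)):
        print(label, flagged(pattern, names))
```

Running it shows why the reports in this thread are hits: the published regex flags tmp/test_dir/txt_csv.jar.0 because "_csv" followed by ".jar" satisfies both halves and nothing stops the match at the trailing ".0", and it flags the ".txt.html" member because html sits in the second list; the anchored, trimmed variant flags only invoice.pdf.js. Whichever pattern is right upstream, the interim fix Steve describes is a local .ign2 file containing the signature name on a line of its own, loaded alongside the regular database.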


[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread nerslbmail
Hi,

False positives started coming after the update to daily.cvd version 21360. My 
submissions for false-positive reports on clamav.net keep reporting "The sample 
is empty."

How to reproduce:
mkdir /tmp/test_dir
touch /tmp/test_dir/txt_csv.jar.0
jar cf test_dir.jar /tmp/test_dir
# or
zip -r test_dir.zip /tmp/test_dir

# then scan the file 
clamscan test_dir.jar test_dir.zip 