Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Al Varnell
Attachments are not allowed here. Be sure you submit it to the False Positive Report site and post the hash value back here.

Sent from Janet's iPad
-Al-

On Feb 23, 2016, at 5:55 AM, Tsutomu Oyamada wrote:
> There are still positives "Zip.Suspect.MacroDoubleExtension-zippwd".
> (see attached fi

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Tsutomu Oyamada
There are still positives for "Zip.Suspect.MacroDoubleExtension-zippwd". (see attached file) When will this false positive be resolved?

On Wed, 17 Feb 2016 20:16:02 -0800 Dennis Peterson wrote:
> My experience with these kinds of failures is that the pattern is not properly
> anchored or the writ

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-17 Thread Dennis Peterson
My experience with these kinds of failures is that the pattern is not properly anchored, or the writer doesn't understand greedy grep patterns, or both. Fallout from the new pcregrep, perhaps? I've not analyzed it, so I am speculating here, but lessons learned after decades of doing this is of regex r

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-16 Thread Al Varnell
Resubmitted. 87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub

-Al-

On Feb 14, 2016, at 4:34 PM, Al Varnell wrote:
> I attempted to submit the sample I have to http://www.clamav.net/reports/fp
> and it was similarly rejected as "empty." Scanned the fil

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Al Varnell
I attempted to submit the sample I have to http://www.clamav.net/reports/fp and it was similarly rejected as "empty." Scanning the file on my computer after updating definitions still shows it as infected. Uploading it to VirusTotal results in only a ClamAV detection:

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread nerslbmail
I understand it can be whitelisted, but I posted to the list in the hope that the person who introduced the problem to the file daily.cvd on 2/12/2016 will read the thread and roll back the changes. Thanks!

On Sunday, February 14, 2016 11:48 AM, Steve Basford wrote:
Hi, Here's the entry

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Al Varnell
I've had one ClamXav user complain on Friday that all the .epub and Kindle downloads from http://www.gutenberg.org/ebooks/3726 were infected. When decompressed, it reveals several files with ".txt.html" extensions. We've seen problems with such all-encompassing signatures in the past, so I suspect

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Steve Basford
Hi, Here's the entry for Zip.Suspect.MacroDoubleExtension-zippwd:

(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js
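To see why the signature quoted above fires on the Project Gutenberg ".txt.html" members (and on the "txt_csv.jar.0" file from the reproduction steps later in this thread), the pattern can be run locally against archive member names before a definition update is trusted. The following is an added example, not code from the ClamAV project or from anyone in this thread; the archive truncates the second extension list after "js", so the group is closed there as an assumption and the tail of the real signature is unknown here.

```python
import re

# Constructed from the signature text quoted in the thread. The second
# alternation is cut off after "js" in the archived message, so it is closed
# here as an assumption; the real signature continues with more extensions.
SIGNATURE_FRAGMENT = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|"
    r"pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|"
    r"ipa|jar|js)"
)
DOUBLE_EXT = re.compile(SIGNATURE_FRAGMENT)


def matches(member_name: str) -> bool:
    """True if the double-extension pattern fires on this archive member name."""
    return DOUBLE_EXT.search(member_name) is not None


def flagged_members(member_names):
    """Return the member names a scanner using this pattern would flag."""
    return [name for name in member_names if matches(name)]


if __name__ == "__main__":
    # Constructed member names: the Gutenberg HTML file, the reproduction
    # file from the thread, and ordinary single-extension files.
    sample = [
        "pg3726-images.txt.html",  # first-list ext "txt" then ".html": match
        "txt_csv.jar.0",            # "_csv" then ".jar": match (no end anchor)
        "readme.html",              # ".html" alone: no first-list extension
        "chapter1.txt",             # nothing after the first extension
        "cover.jpg",
    ]
    for name in sample:
        print(f"{name:28} {'FLAGGED' if matches(name) else 'ok'}")
```

The point the run shows is that the pattern requires only a separator, a document extension, optional separators and a second extension; nothing in it distinguishes a text file saved as HTML from a disguised executable, so any ".txt.html" name inside a zip-based container such as an epub is enough to trigger it.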

[clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread nerslbmail
Hi, false positives started coming after the update to daily.cvd version 21360. My submissions for false-positive reports on clamav.net keep reporting "The sample is empty."

How to reproduce:
mkdir /tmp/test_dir
touch /tmp/test_dir/txt_csv.jar.0
jar cf test_dir.jar /tmp/test_dir # or zip -r test_dir