From time to time, I perform a scan with clamscan. I'm on Archlinux. The clamscan database is updated before each scan.

Today clamscan reported 19 infected files:

./.cache/mozilla/firefox/qyq0onej.default/cache2/entries/3BCF117A4E950F91D6EB45E1DEDD93D42A0F4084: Sanesecurity.Malware.20387.WebHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/6vjpuub7.default/OfflineCache/D/3/714AAA0A2A5929-0: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/6vjpuub7.default/OfflineCache/3/F/14B2B08E604FDC-0: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/6vjpuub7.default/OfflineCache/C/3/725565E485B3A3-0: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/6vjpuub7.default/cache2/entries/E760C5B03F1F86762A3BA2E7263CE8952C042185: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.cache/mozilla/firefox/6vjpuub7.default/cache2/entries/047AD2F458E28F8B0EDD2895F5AC550333CEF02D: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/OfflineCache/D/3/714AAA0A2A5929-1: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/OfflineCache/3/F/14B2B08E604FDC-1: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/OfflineCache/C/3/725565E485B3A3-1: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/cache2/entries/E760C5B03F1F86762A3BA2E7263CE8952C042185: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/cache2/entries/75C1F044F894D98DA12F8CA2CFEB25A27917E6A2: Sanesecurity.Malware.26345.JsHeur.UNOFFICIAL FOUND
./.cache/mozilla/firefox/2vye4yjm.test/cache2/entries/7AA49C7707663F1786152490B004C44E7CAAABC4: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.mozilla/firefox/6vjpuub7.default/extensions/uBlock0@raymondhill.net.xpi: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.mozilla/firefox/2vye4yjm.test/extensions/uBlock0@raymondhill.net.xpi: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.config/Franz/Partitions/whatsapp_9a7f0132-4d66-7676-1018-a78cd6887824/Cache/f_000045: Html.Exploit.CVE_2017_8738-6336184-2 FOUND
./.config/Dagom'App/app.zip: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
./.wine/drive_c/windows/syswow64/gecko/2.47/wine_gecko/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
./.wine/drive_c/windows/system32/gecko/2.47/wine_gecko/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
./.local/share/virtualenvs/cad/lib/python3.6/site-packages/PyQt5/Qt/resources/qtwebengine_devtools_resources.pak: Sanesecurity.Malware.26345.JsHeur.UNOFFICIAL FOUND

Some infected files seem to be in firefox's cache (ex: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL).

One seems to be related to Franz (a client for several messaging services): Html.Exploit.CVE_2017_8738-6336184-2. This one seems to be an official finding.

./.config/Dagom'App/app.zip: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

This one seems to be a false positive.

./.wine/drive_c/windows/syswow64/gecko/2.47/wine_gecko/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

I don't know what to think about this one.

./.local/share/virtualenvs/cad/lib/python3.6/site-packages/PyQt5/Qt/resources/qtwebengine_devtools_resources.pak: Sanesecurity.Malware.26345.JsHeur.UNOFFICIAL FOUND

And this one seems to be a false positive as well. I installed PyQt with pip, for python development.

I haven't much experience with clamscan, or malware. Could you explain to me how I should consider this information?

When the match is unofficial, how relevant is the information? Are these files all malware? If one or several of them are, what should I do with them?

  • 1) what "unofficial" means can be found with a search query, 2) you yourself have determined that at least one of the findings is a false positive, so they cannot all be malware – schroeder Sep 23 '17 at 19:27
  • http://sanesecurity.com/support/false-positives/ explains most of it. 3) Each finding tells you what was found (`Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL`) you just have to look up what that finding means in their database – schroeder Sep 23 '17 at 19:29

1 Answer

When the match is unofficial, how relevant is the information?

To cite from Sanesecurity: False Positives:

UNOFFICIAL means that the signature is not an Official ClamAV signature and therefore you need to contact one of the following people when you have a problem:...

Are these files all malware?

About Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND and similar findings you can read at Sanesecurity: Foxhole databases that these are very generic signatures with a high false positive rate, i.e. they will mainly block JS files contained inside ZIP files, which is a very common attack vector when transported by mail.

Also the *JsHeur* sounds very much like a heuristic instead of a definite pattern, and thus you should expect a high false positive rate there too.

Generally any antivirus product tries to find a balance between false positives and false negatives. To catch new variations of malware, heuristics like "Javascript inside ZIP" or vaguely defined patterns are often used. But these also have a higher chance of matching against innocent data, i.e. a false positive. On the other hand, relying only on signatures which match well-known malware but nothing else will cause lots of false negatives, i.e. malware not caught.
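As an added example (not code from the question or the answer), a small Python triage helper that applies the answer's distinction to a clamscan report: it parses the `path: Signature FOUND` lines, separates official ClamAV signatures from third-party `.UNOFFICIAL` ones, and flags names carrying the heuristic or generic markers (`Heur`, `Foxhole`) as needing verification before any file is treated as malware. The sample lines are taken from the report above; the marker list is an assumption of this example.

```python
from collections import Counter

# Constructed sample, modelled on lines from the report in the question.
SAMPLE_OUTPUT = """\
./.cache/mozilla/firefox/6vjpuub7.default/cache2/entries/E760C5B03F1F86762A3BA2E7263CE8952C042185: PhishTank.Phishing.4401799.UNOFFICIAL FOUND
./.config/Franz/Partitions/whatsapp_9a7f0132-4d66-7676-1018-a78cd6887824/Cache/f_000045: Html.Exploit.CVE_2017_8738-6336184-2 FOUND
./.wine/drive_c/windows/syswow64/gecko/2.47/wine_gecko/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
./.local/share/virtualenvs/cad/lib/python3.6/site-packages/PyQt5/Qt/resources/qtwebengine_devtools_resources.pak: Sanesecurity.Malware.26345.JsHeur.UNOFFICIAL FOUND
./Documents/notes.txt: OK
"""

# Name fragments the answer describes as heuristic or generic signatures
# (assumption of this example: "Heur" and "Foxhole" mark a high false-positive rate).
HEURISTIC_MARKERS = ("Heur", "Foxhole")

def classify(signature):
    """Split a ClamAV signature name into provenance and a triage hint."""
    unofficial = signature.endswith(".UNOFFICIAL")
    # Third-party databases prefix their signatures with the vendor name (Sanesecurity, PhishTank).
    source = signature.split(".", 1)[0] if unofficial else "ClamAV"
    heuristic = any(marker in signature for marker in HEURISTIC_MARKERS)
    if heuristic:
        hint = "generic/heuristic match: verify the file before treating it as malware"
    elif unofficial:
        hint = "third-party signature: look up in the vendor database what it targets"
    else:
        hint = "official ClamAV signature: investigate the file and how it got there"
    return {"signature": signature, "unofficial": unofficial, "source": source,
            "heuristic": heuristic, "hint": hint}

def parse_clamscan(output):
    """Return one classified finding per 'path: Signature FOUND' line; OK lines are skipped."""
    findings = []
    for line in output.splitlines():
        if not line.endswith(" FOUND"):
            continue
        # Split on the last ': ' so a path that itself contains ': ' stays intact.
        path, signature = line[:-len(" FOUND")].rsplit(": ", 1)
        findings.append({"path": path, **classify(signature)})
    return findings

def summarize(findings):
    """Count findings by (source, heuristic) to see how much of a report is generic matches."""
    return Counter((f["source"], f["heuristic"]) for f in findings)

if __name__ == "__main__":
    for f in parse_clamscan(SAMPLE_OUTPUT):
        print(f"{f['signature']:45} {f['hint']}\n    {f['path']}")
    print(summarize(parse_clamscan(SAMPLE_OUTPUT)))
```

Feeding it the full 19-line report from the question would show that only the Franz cache hit carries an official signature; everything else is third-party, and most of it heuristic.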
