[clamav-users] CVE_2013_3860-1
c chupela
2016-07-24 14:14:51 UTC
My ClamAV installation, engine version .99, signature daily.cld updated (version: 21959, sigs: 454048, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

flagging /usr/share/doc/libxml2-python-2.7.6/reader2.py: Xml.Exploit.CVE_2013_3860-1

I see some discussion online that alludes to this being a false positive, is this the case?
Thanks
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtad
Joel Esler (jesler)
2016-07-24 15:07:11 UTC
Okay,

Have you filed a false positive with us through ClamAV.net?

--
Joel Esler
iPhone

Al Varnell
2016-07-24 15:51:55 UTC
There was a previous Xml.Exploit.CVE_2013_3860-1 signature added by daily: 20352 on Apr 20, 2015 which was found to be producing FPs and was removed by daily: 20358.

The current Xml.Exploit.CVE_2013_3860-1 was re-introduced by daily - 21939 on Jul 20, 2016 and I know of one ClamXav user reporting what he believes to be an FP, but waiting on details. Not sure whether the two signatures are the same or not.

-Al-
Alain Zidouemba
2016-07-25 15:12:21 UTC
Xml.Exploit.CVE_2013_3860-1 has been dropped.

Thanks,

- Alain
Junuzovic Vahid
2016-07-26 08:07:38 UTC
I checked a few minutes ago but it is still present, even with the new definitions updated!

--- cut here ---
# freshclam
ClamAV update process started at Tue Jul 26 09:42:49 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)

Downloading daily-21972.cdiff [100%]
daily.cld updated (version: 21972, sigs: 454200, f-level: 63, builder: neo)

bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
Database updated (4673043 signatures) from db.it.clamav.net (IP: 90.147.160.69)
....

# clamscan /usr/share/doc/libxml2-python-2.7.6/reader2.py
/usr/share/doc/libxml2-python-2.7.6/reader2.py: Xml.Exploit.CVE_2013_3860-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4667645
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 14.303 sec (0 m 14 s)
[***@prdfeec01 clamav]#
--- cut here ---

Vahid

Al Varnell
2016-07-26 08:21:47 UTC
There seems to be some problem with the system that drops signatures over the last three days. daily - 21954 thru 21971 appeared to be identical attempts to ignore 33 signatures and 21972 was the first to also include any new signatures.

The ClamAV Virus Database Search site confirms what you found:
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Xml.Exploit.CVE_2013_3860-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>

-Al-
Junuzovic Vahid
2016-07-26 08:32:45 UTC
But I'm already running 21972 and the exploit FP is still present!
--- cut here ---
sigtool -i /var/lib/clamav/daily.cld
File: /var/lib/clamav/daily.cld
Build time: 26 Jul 2016 02:57 -0400
Version: 21972
Signatures: 454200
Functionality level: 63
Builder: neo
Verification OK.
--- cut here ---

Vahid

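Vahid's situation above, a signature that is known to be a false positive but has not yet been dropped from daily.cld, is exactly what a local whitelist is for. The script below is an added example, not code from this thread or from the ClamAV project: it pulls the signature names out of clamscan's "... FOUND" lines, writes them into an .ign2 file (ClamAV ignores, by name, every signature listed one per line in any *.ign2 file in its database directory), and uses sigtool --find-sigs to check whether the name is still present in the local databases. The database directory, the file name local-fp.ign2 and the sample scan lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the ClamAV project.
# While a false positive waits to be dropped upstream, mute it locally by
# name: ClamAV ignores every signature name listed, one per line, in any
# *.ign2 file inside its database directory. The directory, the file name
# local-fp.ign2 and the demo scan lines below are assumptions for illustration.

SIG_NAME="Xml.Exploit.CVE_2013_3860-1"
CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"          # assumed default
IGN2_FILE="${IGN2_FILE:-$CLAMAV_DB_DIR/local-fp.ign2}"      # assumed name

# Print the distinct signature names from clamscan output read on stdin.
# clamscan reports a hit as "<path>: <SigName> FOUND"; names contain no spaces.
extract_found_sigs() {
    sed -n 's/^.*: \([^ ][^ ]*\) FOUND$/\1/p' | sort -u
}

# Append a signature name to an .ign2 file unless it is already listed.
# Returns 0 when a line was written, 1 when the name was already present.
add_to_ign2() {
    sig=$1
    ign=$2
    [ -f "$ign" ] || : > "$ign"
    grep -qxF "$sig" "$ign" && return 1
    printf '%s\n' "$sig" >> "$ign"
}

# Read clamscan output on stdin, whitelist each reported signature in the
# .ign2 file and print the number of new entries (re-running adds nothing).
mute_sigs_from_scan() {
    ign=$1
    added=0
    for sig in $(extract_found_sigs); do
        if add_to_ign2 "$sig" "$ign"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Is the signature still in the local databases? sigtool --find-sigs searches
# the databases in the configured datadir (add --datadir=DIR if yours differs).
# Exit status: 0 = present, 1 = absent (or no readable databases),
# 2 = sigtool not installed.
sig_in_local_db() {
    command -v sigtool >/dev/null 2>&1 || return 2
    sigtool --find-sigs="$1" 2>/dev/null | grep -q .
}

# Stand-alone demo on constructed scan output (the first line mirrors the hit
# reported in this thread). It writes to a temporary file, never to the live
# database directory; point IGN2_FILE at the real one to use it for real.
demo_ign2=$(mktemp)
printf '%s\n' \
    "/usr/share/doc/libxml2-python-2.7.6/reader2.py: $SIG_NAME FOUND" \
    "/usr/share/doc/libxml2-python-2.7.6/README: OK" \
    | mute_sigs_from_scan "$demo_ign2" >/dev/null
echo "would install as $IGN2_FILE:"
cat "$demo_ign2"
rm -f "$demo_ign2"

sig_in_local_db "$SIG_NAME" && rc=0 || rc=$?
case $rc in
    0) echo "$SIG_NAME is still in the local databases; keep the .ign2 entry" ;;
    1) echo "$SIG_NAME is gone from the local databases; the .ign2 entry can go" ;;
    *) echo "sigtool not found; cannot check the local databases" ;;
esac
```

Put the .ign2 file in the DatabaseDirectory (and reload clamd if you run it) and the detection stops on that host without touching daily.cld. Remove the entry once sigtool --find-sigs no longer returns the name, so the local whitelist does not silently outlive the upstream drop; a whitelist by name also keeps muting any later signature published under the same name, which is a reason to review it after each database update.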
Al Varnell
2016-07-26 08:46:27 UTC
I know, that’s what I said. It has not been dropped.

-Al-
Al Varnell
2016-07-27 02:16:23 UTC
Appears to be finally gone at this time.
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Xml.Exploit.CVE_2013_3860-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>

-Al-
Joel Esler (jesler)
2016-07-27 02:27:08 UTC
It may take more than one publish cycle to drop a sig. Publish cycles are at least every four hours.

--
Joel Esler
iPhone

Al Varnell
2016-07-27 03:13:50 UTC
I hate having to point this out, but...

When Alain notified the list that the signature had been dropped on July 25, 2016 at 8:12:21 AM PDT, daily:21968 had just been published.

It wasn't until daily:21975 that the following appeared with the first dropped entry:
ClamAV Signature Publishing Notice
Datefile: daily
Version: 21975
Publisher: Alain Zidouemba
New Sigs: 119
Dropped Sigs: 1
Ignored Sigs: 33
<snip>
Dropped Detection Signatures:
* Xml.Exploit.CVE_2013_3860-1

When I checked before this update the signature was still present on the ClamAV Virus Signature Search site. When I checked shortly after this update it was gone. So that would seem to make it a total of seven update cycles before it was actually dropped.

And that still doesn't explain why three days went by between daily:21954 and daily:21971 (eighteen cycles) with identical updates of:
ClamAV Signature Publishing Notice
Datefile: daily
Version: 21971
Publisher: Alain Zidouemba
New Sigs: 0
Dropped Sigs: 0
Ignored Sigs: 33
New Detection Signatures:
Dropped Detection Signatures:

But that question was asked in a different thread by a different user.

-Al-
Joel Esler (jesler)
2016-07-27 03:17:34 UTC
Yup. Understood. *may* being the key word in my email.

I'll ping Alain tomorrow to see if he can shed some light on the subject.

--
Joel Esler
iPhone
