
List:       clamav-users
Subject:    Re: [clamav-users] All midi files reported as positives
From:       Anne Wilson <cannewilson () googlemail ! com>
Date:       2012-01-18 18:58:37
Message-ID: 4F17165D.7080701 () googlemail ! com


On 17/01/12 09:52, Török Edwin wrote:
> On 01/17/2012 11:00 AM, Anne Wilson wrote:
>> On 16/01/12 13:55, Török Edwin wrote:
>>> On 01/16/2012 03:53 PM, Anne Wilson wrote:
>>>> I run clamav on my mail server, and my daughter runs clamwin on
>>>> Windows 7, on my recommendation.  This morning's scan showed midi
>>>> files that have been on my server for 2 years or more as being
>>>> infected, e.g.:
>>>>
>>>> /Data1/Midi/AudigyCD/SYMPHONY.MID: BC.Exploit.CVE_2012_0003 FOUND
>>>>
>>>> Soon after reading this, I got a phone call from my daughter saying
>>>> that clamwin had quarantined all midi files supplied in the
>>>> Creative Soundblaster X-Fi installation.  The screenshot she sent
>>>> me shows nothing but the midi files.
>>>
>>> Please submit some of those false positives here (make sure you
>>> choose the 'A false positive' radiobox):
>>> http://cgi.clamav.net/sendvirus.cgi
>>>
>> Thanks.  I've done that.  I was careful to mark it as "a false positive"
>> but got the message "This virus is already recognized by ClamAV
>> 0.97.3/14314/Mon Jan 16 " - I assume that I can ignore that?
>>
>> I'll submit one from her Windows box as soon as she emails it to me.
>>
>>>>
>>>> I have told her not to worry for now, but is there a way to mark
>>>> these as not infected and remove them from quarantine?
>>>>
>>>
>>> Create a file called local.ign2 in your database directory and add
>>> this line to it: BC.Exploit.CVE_2012_0003
>>>
>> Done that too.  Thanks for the prompt reply.  I'm not very familiar with
>> Windows' organisation of this sort of thing, so can you suggest where I
>> should tell her to put the ignore file?  Should she just search for
>> daily.cld to find the directory, or is it labelled some other way in
>> Windows?
> 
> daily.cld or daily.cvd. Not sure where ClamWin puts its database directory,
> perhaps in Application Data.
> 
> The offending bytecode was dropped in the meantime, so the false
> positive detections should've stopped for now.
> 
Thanks.  She tells me that she didn't get the false positives in today's
scan.

Anne
-- 
Need KDE help?  Try
http://userbase.kde.org or
Http://forum.kde.org
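
Added example, not part of the original message or of ClamAV itself: a shell sketch of the local.ign2 step discussed in the thread, which takes the signature name from a scan result line and adds it to local.ign2 only if the directory holds daily.cld or daily.cvd. The function names and the directory passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ignore one signature name through local.ign2.
# Function names are hypothetical; DBDIR is whatever directory holds
# daily.cld or daily.cvd on your system (it varies by installation).

# sig_from_line LINE
#   Pull the signature name out of a scan result line of the form
#   "<path>: <signature> FOUND", as quoted in the thread.
sig_from_line() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p'
}

# add_ignore DBDIR SIGNAME
#   Append SIGNAME to DBDIR/local.ign2, one name per line.
add_ignore() {
    dbdir=$1
    sig=$2

    # Reject empty names and names containing whitespace.
    case $sig in
        ''|*[[:space:]]*) echo "invalid signature name" >&2; return 2 ;;
    esac

    # The thread identifies the database directory by these two files.
    if [ ! -f "$dbdir/daily.cld" ] && [ ! -f "$dbdir/daily.cvd" ]; then
        echo "$dbdir: no daily.cld or daily.cvd here" >&2
        return 1
    fi

    ign="$dbdir/local.ign2"
    # Idempotent: -x matches the whole line, -F treats dots literally.
    if [ -f "$ign" ] && grep -qxF -- "$sig" "$ign"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$ign"
}
```

Deleting the line from local.ign2 turns the detection back on, which is worth doing once the faulty signature has been withdrawn or corrected.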

