List: clamav-users
Subject: Re: [clamav-users] All midi files reported as positives
From: Anne Wilson <cannewilson () googlemail ! com>
Date: 2012-01-18 18:58:37
Message-ID: 4F17165D.7080701 () googlemail ! com
On 17/01/12 09:52, Török Edwin wrote:
> On 01/17/2012 11:00 AM, Anne Wilson wrote:
>> On 16/01/12 13:55, Török Edwin wrote:
>>> On 01/16/2012 03:53 PM, Anne Wilson wrote:
>>>> I run clamav on my mail server, and my daughter runs clamwin on
>>>> Windows 7, on my recommendation. This morning's scan showed midi
>>>> files that have been on my server for 2 years or more as being
>>>> infected, e.g.:
>>>>
>>>> /Data1/Midi/AudigyCD/SYMPHONY.MID: BC.Exploit.CVE_2012_0003 FOUND
>>>>
>>>> Soon after reading this, I got a phone call from my daughter saying
>>>> that clamwin had quarantined all midi files supplied in the
>>>> Creative Soundblaster X-Fi installation. The screenshot she sent
>>>> me shows nothing but the midi files.
>>>
>>> Please submit some of those false positives here (make sure you
>>> choose the 'A false positive' radiobox):
>>> http://cgi.clamav.net/sendvirus.cgi
>>>
>> Thanks. I've done that. I was careful to mark it as "a false positive"
>> but got the message "This virus is already recognized by ClamAV
>> 0.97.3/14314/Mon Jan 16 " - I assume that I can ignore that?
>>
>> I'll submit one from her Windows box as soon as she emails it to me.
>>
>>>>
>>>> I have told her not to worry for now, but is there a way to mark
>>>> these as not infected and remove them from quarantine?
>>>>
>>>
>>> Create a file called local.ign2 in your database directory and add
>>> this line to it: BC.Exploit.CVE_2012_0003
>>>
>> Done that too. Thanks for the prompt reply. I'm not very familiar with
>> Windows' organisation of this sort of thing, so can you suggest where I
>> should tell her to put the ignore file? Should she just search for
>> daily.cld to find the directory, or is it labelled some other way in
>> Windows?
>
> daily.cld or daily.cvd. Not sure where ClamWin puts its database directory,
> perhaps in Application Data.
>
> The offending bytecode was dropped in the meantime, so the false
> positive detections should've stopped for now.
>
Thanks. She tells me that she didn't get the false positives in today's
scan.
Anne
--
Need KDE help? Try
http://userbase.kde.org or
Http://forum.kde.org
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
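
The local.ign2 step discussed in the thread above, as an added example that is not part of the original messages or of ClamAV itself: it checks that the target really is a database directory (it holds daily.cld or daily.cvd) and appends the signature name only if that exact line is not already present. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotently add a signature name to ClamAV's local.ign2.
# Function names and return codes are hypothetical, chosen for this example.

# Succeeds if DIR looks like a ClamAV database directory, i.e. it holds
# daily.cld or daily.cvd (the two file names mentioned in the thread).
is_clamav_dbdir() {
    [ -d "$1" ] && { [ -f "$1/daily.cld" ] || [ -f "$1/daily.cvd" ]; }
}

# ignore_signature DIR NAME
# Appends NAME to DIR/local.ign2 unless that exact line is already there.
# Returns 0 on success, 1 if DIR is not a database directory,
# 2 if NAME is empty or contains whitespace.
ignore_signature() {
    dbdir=$1
    sig=$2
    is_clamav_dbdir "$dbdir" || return 1
    # One signature name per line: reject names that could not be one line.
    case $sig in
        ''|*[[:space:]]*) return 2 ;;
    esac
    ign="$dbdir/local.ign2"
    # -F fixed string, -x whole line, -q quiet: only an exact match counts,
    # so a dot in the name is never treated as a regex wildcard.
    if [ -f "$ign" ] && grep -Fxq -- "$sig" "$ign"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$ign"
}

# ignored_count DIR NAME: print how many lines of local.ign2 equal NAME.
ignored_count() {
    [ -f "$1/local.ign2" ] || { echo 0; return 0; }
    grep -Fxc -- "$2" "$1/local.ign2" || true
}

# Usage (the directory path is a placeholder for your own database directory):
#   ignore_signature /path/to/clamav/db BC.Exploit.CVE_2012_0003
```

An entry in local.ign2 suppresses that signature name for as long as the line stays there, so remove it once the false positive has been fixed upstream, as happened here when the bytecode was dropped.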