URL: https://git.launchpad.net/ubuntu-cve-tracker/tree/README.virus

README.virus - ubuntu-cve-tracker
Several packages in the Ubuntu archive produce false positives when they
are scanned with a virus scanner such as ClamAV.

This file documents the known false positives, along with a short
explanation.

To get this list updated, send an email to security@ubuntu.com with your
scan results.

The following online services can be used to attempt to verify whether
something is a false positive:

 https://www.virustotal.com/
 https://virusscan.jotti.org/

Package listing follows:

pymilter and pymilter-milters:
------------------------------

These are email filtering tools, and they contain several deactivated
example viruses used for internal diagnostic testing:

test/honey: Exploit.IFrame.Gen
test/virus1: VBS.LoveLetter.A
test/virus13: Exploit.IFrame.Gen
test/virus4: Exploit.IFrame.Gen or W32.Nimda.enc
test/virus5: Exploit.IFrame.Gen or W32.Aliz.Worm
test/zip1: Suspect.DoubleExtension-zippwd-12
test/ziploop: Suspect.DoubleExtension-zippwd-12

nepenthes:
----------

This is a honeypot tool, and contains a log of an attempted attack:

doc/README.VFS: Trojan.Downloader.Bat

polygen:
--------

This is a text processing tool, and contains comedic examples of bad
command lines, for example an easter egg that harmlessly claims to send
/etc/password offsite.

grm/eng/debian/compileline.grm: Unix.Penguin

mailscanner:
------------

This is an email scanning tool, and contains the well-known EICAR test
signature.

lib/MailScanner/MessageBatch.pm: Eicar-Test-Signature-1

nautilus-clamscan:
------------------

This is a ClamAV plugin for Nautilus, and contains some ClamAV-specific
test files.

test_files/clam.exe: ClamAV-Test-File
test_files/clam.cab: ClamAV-Test-File
test_files/clam.zip: ClamAV-Test-File
test_files/clam.exe.bz2: ClamAV-Test-File

libmail-deliverystatus-bounceparser-perl:
-----------------------------------------

This is an email tool to analyze bounced emails. It contains a test suite
that has some sample problematic email in it. One of the emails contains
an actual base64 encoded virus which is used by the test suite during
build. The virus sample is not in the binary packages once built.

For more information, see LP: #1210202.

t/corpus/virus-caused-multiple-weird-reports.msg: Worm.Mytob.LC

sha1sum: 6651598618bcc4e24efb0c6aea8b52c1bfa8bcf2 
libmail-deliverystatus-bounceparser-perl_1.534.orig.tar.gz: Worm.Mytob.OY

sha1sum: d31fc44a701c01fc0849e48436d7a5b81c7e00cf
libmail-deliverystatus-bounceparser-perl_1.542.orig.tar.gz: Worm.Mytob.OY

eclipse-emf:
------------

Certain older versions of the ClamAV database detected a false positive
in this package. Newer versions of the ClamAV database, and Symantec do not
detect an issue with this package.

See LP: #1210249 for more details.

mydms:
------

Certain older versions of the ClamAV database detected a false positive
in this package. Newer versions of the ClamAV database no longer appear
to.

sanitizer:
----------

This package contains an email virus scanner. The test suite contains
several deactivated example viruses used for internal diagnostic testing.

testcases/results.def/sanitizer.rev1_75.ok: Exploit.WMF.Gen-1
testcases/sanitizer.rev1_75.t: Exploit.WMF.Gen-1

sqlmap:
-------

This is a security auditing tool that enables administrators to attempt SQL
injection attacks in web applications. It contains two web scripts that
allow obtaining a shell if the SQL injection was successful.

shell/backdoor.php: PHP.Shell-32
shell/backdoor.jsp: PHP.Shell-31

openjdk-6:
----------

ClamAV is incorrectly detecting a virus in certain binary builds of
openjdk-6. None of the files are detected as viruses when the archive is
extracted, and online scanners don't detect the archive as problematic.

See LP: #1224723

sha256sum:
965d64366b0a38c8faa392415239c2d509ed43b0cccec75493df15c135ba4a3e rt.jar

usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar: Java.Exploit.CVE_2013_2465

sup-mail:
---------

This is a console-based email client. It contains a test suite
that has some sample problematic email in it to ensure they are properly
handled. One of the files is detected as an email exploit by clamav:

test/test_message.rb: Exploit.HTML.IFrame-8 FOUND

origami-pdf:
------------

This is a scripting tool for generating and analyzing malicious PDF files.
It contains examples for generating malicious files in the samples/exploits
directory.

dbacl:
------

This is a tool for analyzing and classifying text files. It contains some
sample spam.

sha1sum: d7ae904b2ca991b919f67fe3fc28df84278476fa
dbacl_1.12.orig.tar.gz: Trojan.Noclose.??

keepass2:
---------

This is a password database which works cross platform. When the Windows
executable is built using mono, it is erroneously detected as malware.

See LP: #1602645

/usr/lib/keepass2/KeePass.exe: Gen:Variant.Razy.74675

ettercap-common:
----------------

This is a multi-purpose network sniffer, interceptor, and logger which
also supports data injection and filtering. It is identified by some
virus scanners as a hacking tool.

Linux Flooder/HackTool

pnscan:
-------

This is a port scanner. It is identified by some virus scanners as a
hacking tool.

Linux/HackTool

liquidwar:
----------

This is a multiplayer game. The upstream tarballs include a source file
named LiquidWarExploit.c that includes an exploit against 2003-era
Slackware and Gentoo builds of the liquidwar game. This exploit worked by
changing the HOME environment variable before calling the game, widely
accepted as "not within the threat model" of most applications. This
exploit isn't built, and isn't present in the binary packages.

See LP: #1876121

patator:
--------

This is a security research tool that allows brute-forcing accounts.
Some virus scanners report this tool as containing a backdoor
(Python/Torpata.A).


ldap-account-manager:
---------------------

LDAP Account Manager is a tool to administer LDAP directories through a
web page.

Some virus scanners incorrectly detect that the ajax.php file contains a
remote backdoor (PHP/Remoteshell.G).

masscan:
--------

This is a port scanner. It is identified by some virus scanners as a
hacking tool. (Linux/Prtscan.A!MTB)


jq:
---

This is a general purpose utility to work with JSON-formatted input in
shell scripts. It is identified by some virus scanners as a trojan or
other malware. See LP: #1892552


libwine-development:
--------------------

Parts of this package have been reported as belonging to several malware
suites. It ships Windows-compatible executables; our assumption is that
these are just useful tools.

msinfo32.exe
tasklist.exe
shutdown.exe
winemsibuilder.exe
msiexec.exe
hh.exe


ruby-ace-rails-ap:
------------------

This has been reported to be HEUR_JS.O.FNK, which we suspect means
"there's javascript files here", which is true: there are javascript files
in this package.


proftpd-mod-clamav:
-------------------

Some AV tools find the EICAR test file in this package. Good job! We're
all proud of you!


rspamd:
-------

This has been reported to be HEUR_NAMETRICK.A, which we suspect means
"these names are confusing to users". One such example:

rspamd-1.9.4/test/functional/messages/f.zip.gz.eml
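The listing above follows one consistent shape: a package heading with a dashed underline, optional `sha1sum:`/`sha256sum:` lines, and `path: Signature` lines. As an added example that is not part of this README or of the ubuntu-cve-tracker tooling, the following Python parses that shape from a constructed excerpt and labels clamscan-style report lines as known false positives or unlisted; the `triage` function and its `digests` mapping are assumptions of this example.

```python
import re
# Constructed excerpt in the README.virus format above (not the real file).
SAMPLE_README = """\
pymilter and pymilter-milters:
------------------------------
These are email filtering tools with deactivated example viruses:
test/virus4: Exploit.IFrame.Gen or W32.Nimda.enc
sqlmap:
-------
shell/backdoor.php: PHP.Shell-32
dbacl:
------
sha1sum: d7ae904b2ca991b919f67fe3fc28df84278476fa
dbacl_1.12.orig.tar.gz: Trojan.Noclose.??
"""

HEADING = re.compile(r"^(\S.*\S):$")                       # "package:" (underline follows)
HASHLINE = re.compile(r"^sha(?:1|256)sum:\s*([0-9a-fA-F]*)")
ENTRY = re.compile(r"^(\S+):\s+(\S.*?)(?:\s+FOUND)?\s*$")  # "path: Sig [or Sig] [FOUND]"

def parse_readme(text):
    """Map each package to the path->signatures pairs and hex digests it lists."""
    pkgs, cur, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        head = HEADING.match(line)
        if head and nxt and set(nxt) == {"-"}:      # heading + dashed underline
            cur = pkgs.setdefault(head.group(1), {"paths": {}, "hashes": set()})
        elif cur is None or not line.strip() or set(line) == {"-"}:
            continue                                # prose before first heading, blanks, underlines
        elif (h := HASHLINE.match(line)) and h.group(1):  # "sha256sum:" with hex on next line is skipped
            cur["hashes"].add(h.group(1).lower())
        elif e := ENTRY.match(line):                # prose lines never match "word: text"
            cur["paths"][e.group(1)] = set(e.group(2).split(" or "))
    return pkgs

def triage(db, scan_lines, digests=None):
    """Label clamscan-style 'path: Signature FOUND' lines as known false positives when
    path suffix + signature match an entry, or the file's digest ({path: hex}) is listed."""
    digests, verdicts = digests or {}, []
    for ent in filter(None, map(ENTRY.match, scan_lines)):
        path, sig, verdict = ent.group(1), ent.group(2), "unlisted"
        for pkg, info in db.items():
            if digests.get(path, "").lower() in info["hashes"]:
                verdict = "known false positive (%s, by digest)" % pkg
            for rel, sigs in info["paths"].items():
                if sig in sigs and (path == rel or path.endswith("/" + rel)):
                    verdict = "known false positive (%s)" % pkg
        verdicts.append((path, sig, verdict))
    return verdicts
```

Anything reported as "unlisted" still needs the manual checks the introduction describes (extract and rescan, compare with the online services) before it is added to this file.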
