~ubuntu-security/ubuntu-cve-tracker/master

Several packages in the Ubuntu archive produce false positives when they
are scanned with a virus scanner such as ClamAV.

This file documents the known false positives, along with a short
explanation.

To get this list updated, send an email to security@ubuntu.com with your
scan results.

The following online services can be used to attempt to verify whether
something is a false positive:

  https://www.virustotal.com/
  https://virusscan.jotti.org/

Package listing follows:

pymilter and pymilter-milters:
------------------------------

These are email filtering tools, and they contain several deactivated
example viruses used for internal diagnostic testing:

test/honey: Exploit.IFrame.Gen
test/virus1: VBS.LoveLetter.A
test/virus13: Exploit.IFrame.Gen
test/virus4: Exploit.IFrame.Gen or W32.Nimda.enc
test/virus5: Exploit.IFrame.Gen or W32.Aliz.Worm
test/zip1: Suspect.DoubleExtension-zippwd-12
test/ziploop: Suspect.DoubleExtension-zippwd-12

nepenthes:
----------

This is a honeypot tool, and contains a log of an attempted attack:

doc/README.VFS: Trojan.Downloader.Bat

polygen:
--------

This is a text processing tool, and contains comedic examples of bad
command lines. For example, it includes an easter egg that harmlessly
claims to send /etc/password offsite.

grm/eng/debian/compileline.grm: Unix.Penguin

mailscanner:
------------

This is an email scanning tool, and contains the well-known EICAR test
signature.

lib/MailScanner/MessageBatch.pm: Eicar-Test-Signature-1

nautilus-clamscan:
------------------

This is a ClamAV plugin for Nautilus, and contains some ClamAV-specific
test files.

test_files/clam.exe: ClamAV-Test-File
test_files/clam.cab: ClamAV-Test-File
test_files/clam.zip: ClamAV-Test-File
test_files/clam.exe.bz2: ClamAV-Test-File

libmail-deliverystatus-bounceparser-perl:
-----------------------------------------

This is an email tool to analyze bounced emails. It contains a test suite
that has some sample problematic email in it. One of the emails contains
an actual base64-encoded virus, which is used by the test suite during
build. The virus sample is not in the binary packages once built.

For more information, see LP: #1210202.

t/corpus/virus-caused-multiple-weird-reports.msg: Worm.Mytob.LC

sha1sum: 6651598618bcc4e24efb0c6aea8b52c1bfa8bcf2
libmail-deliverystatus-bounceparser-perl_1.534.orig.tar.gz: Worm.Mytob.OY

sha1sum: d31fc44a701c01fc0849e48436d7a5b81c7e00cf
libmail-deliverystatus-bounceparser-perl_1.542.orig.tar.gz: Worm.Mytob.OY

eclipse-emf:
------------

Certain older versions of the ClamAV database detected a false positive
in this package. Newer versions of the ClamAV database, and Symantec, do
not detect an issue with this package.

See LP: #1210249 for more details.

mydms:
------

Certain older versions of the ClamAV database detected a false positive
in this package. Newer versions of the ClamAV database no longer seem
to.

sanitizer:
----------

This package contains an email virus scanner. The test suite contains
several deactivated example viruses used for internal diagnostic testing.

testcases/results.def/sanitizer.rev1_75.ok: Exploit.WMF.Gen-1
testcases/sanitizer.rev1_75.t: Exploit.WMF.Gen-1

sqlmap:
-------

This is a security auditing tool that enables administrators to attempt SQL
injection attacks in web applications. It contains two web scripts that
allow obtaining a shell if the SQL injection was successful.

shell/backdoor.php: PHP.Shell-32
shell/backdoor.jsp: PHP.Shell-31

openjdk-6:
----------

ClamAV is incorrectly detecting a virus in certain binary builds of
openjdk-6. None of the files are detected as viruses when the archive is
extracted, and online scanners don't detect the archive as problematic.

See LP: #1224723

sha256sum:
965d64366b0a38c8faa392415239c2d509ed43b0cccec75493df15c135ba4a3e  rt.jar

usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar: Java.Exploit.CVE_2013_2465

sup-mail:
---------

This is a console-based email client. It contains a test suite
that has some sample problematic email in it to ensure they are properly
handled. One of the files is detected as an email exploit by ClamAV:

test/test_message.rb: Exploit.HTML.IFrame-8 FOUND

origami-pdf:
------------

This is a scripting tool for generating and analyzing malicious PDF files.
It contains examples for generating malicious files in the samples/exploits
directory.

dbacl:
------

This is a tool for analyzing and classifying text files. It contains some
sample spam.

sha1sum: d7ae904b2ca991b919f67fe3fc28df84278476fa
dbacl_1.12.orig.tar.gz: Trojan.Noclose.??

keepass2:
---------

This is a cross-platform password database. When the Windows
executable is built using Mono, it is erroneously detected as malware.

See LP: #1602645

/usr/lib/keepass2/KeePass.exe: Gen:Variant.Razy.74675

ettercap-common:
----------------

This is a multi-purpose network sniffer, interceptor, and logger which
also supports data injection and filtering. It is identified by some
virus scanners as a hacking tool.

Linux Flooder/HackTool

pnscan:
-------

This is a port scanner. It is identified by some virus scanners as a
hacking tool.

Linux/HackTool