 | Xml.Exploit.CVE_2013_3860-1 FOUND |  |
karthikeyan
Joined: 20 Mar 2016 |
Posts: 0 |
Posted: Fri Jul 22, 2016 1:29 am |
In my routine clam scan, I got to know the below file is infected. But this file has existed on the server since 2003 and moreover it's a doc file of Python.
Is the below alert genuine? Need your comments.
/usr/share/doc/libxml2-python-2.6.26/reader2.py: Xml.Exploit.CVE_2013_3860-1 FOUND
|
|
ROCKNROLLKID
Joined: 23 Sep 2013 |
Posts: 0 |
Location: **UNKNOWN** |
Posted: Fri Jul 22, 2016 1:32 am |
I suggest you upload the file to VirusTotal and make sure it is safe. If it is, then please file a false positive report at ClamAV's false positive mail here: https://www.clamav.net/contact
|
|
karthikeyan
Joined: 20 Mar 2016 |
Posts: 0 |
Posted: Fri Jul 22, 2016 2:03 am |
Hello
I scanned the infected file on VirusTotal and the results seem to be positive. Update false positive results to ClamAV.
/usr/share/doc/libxml2-python-2.6.26/reader2.py: Xml.Exploit.CVE_2013_3860-1 FOUND
|
|
GuitarBob
Joined: 09 Jul 2006 |
Posts: 9 |
Location: USA |
Posted: Sat Jul 23, 2016 1:39 am |
Clam AV is often a bit generic on files that are not Windows PE files--like batch files, text files, javascript, and html. There are lots of ways such files can be exploited by malware, and Clam AV does not have enough resources to dig too deep into them.
Over the years, I have learned to trust these AVs: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos. They use their own scan engines--not someone else's, and they have a good commercial user base to keep happy. If at least 2 of them say a file is infected, they are probably correct.
Regards,
|
|
 | Win.Exploit.CVE_2016_3316-1 False positive |  |
kasa1982
Joined: 12 Aug 2016 |
Posts: 0 |
Posted: Fri Aug 12, 2016 11:58 am |
Dears,
I am using ClamAV on my server and unfortunately, ClamAV has detected and moved ALMOST all of my files to "C:\ProgramData\.clamwin\quarantine". Any idea how to restore these files to their original folders without moving them one by one?
I have more than 20 thousand files with this false positive.
Please help me.
|
|
GuitarBob
Joined: 09 Jul 2006 |
Posts: 9 |
Location: USA |
Posted: Fri Aug 12, 2016 2:15 pm |
You said Clam AV. If you meant ClamWin, then read below. If you are using Clam AV, we cannot help you--Clam AV is a Linux app. ClamWin is a Windows app.
Ouch! The QRestore (quarantine restore) program in the ClamWin Bin folder was made to be used to restore items from quarantine. However...if you also use Clam Sentinel with ClamWin, the Sentinel Restore program is much better. You can click on the checkmark at the top to select all files at once, and then restore them. Sentinel Restore may not work for you if you are not now using it--anyway try it. Otherwise, I suggest you come up with some sort of removal script.
Before starting, however, whitelist the entire folder (for now anyway) from both Clam Sentinel and ClamWin.
There may be a script available--check the ClamWin forums.
For the future: I suggest that you do not use either Clam AV or ClamWin on a server. You need something heavy duty for that sort of use.
Good Luck!
Regards,
|
|
kasa1982
Joined: 12 Aug 2016 |
Posts: 0 |
Posted: Fri Aug 12, 2016 4:45 pm |
GuitarBob wrote: |
You said Clam AV. If you meant ClamWin, then read below. If you are using Clam AV, we cannot help you--Clam AV is a Linux app. ClamWin is a Windows app.
Ouch! The QRestore (quarantine restore) program in the ClamWin Bin folder was made to be used to restore items from quarantine. However...if you also use Clam Sentinel with ClamWin, the Sentinel Restore program is much better. You can click on the checkmark at the top to select all files at once, and then restore them. Sentinel Restore may not work for you if you are not now using it--anyway try it. Otherwise, I suggest you come up with some sort of removal script.
Before starting, however, whitelist the entire folder (for now anyway) from both Clam Sentinel and ClamWin.
There may be a script available--check the ClamWin forums.
For the future: I suggest that you do not use either Clam AV or ClamWin on a server. You need something heavy duty for that sort of use.
Good Luck!
Regards, |
Thanks a lot. It was very helpful. I will get the tips.
|
|
All times are GMT
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.