ClamAVConnector virus

[LukeDouglas]

I got a very unusual alert from my antivirus program on an intrusion from what appears to be the Clam AntiVirus program.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
2/11/2016 7:41:28 PM,High,An intrusion attempt by www.ATTACKINGDOMAINNAME.com was blocked.,Blocked,No Action Required,Fake App Attack: Fake Scan Webpage 4,No Action Required,No Action Required,"ATTACKINGDOMAINNAME (SERVERIP, 2082)",WEBSITEDOMAIN.EXT:2082/cpsess499112525/frontend/paper_lantern/clamavconnector/live_go.html?scan=pubhtml,"SCATMAN-DESKTOP (10.0.0.252, 53753)",www.ATTACKINGDOMAINNAME.com (198.1.81.235),"TCP, Port 2082"
Network traffic from WEBSITEDOMAIN.EXT:2082/cpsess499112525/frontend/paper_lantern/clamavconnector/live_go.html?scan=pubhtml</b> matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.

Can anyone tell me how this is happening and what I can do to

 

[yasins]

I have this error too.
Antivirus software is Norton Security.

 

[quizknows]

This seems like a likely false positive. I would guess it has known URLs for AV software like norton and clamav stored, and if it sees a URL with that name that is not the official site it could trigger IDS. This is most likely not a cPanel issue, probably a false positive from a feature meant to protect people from all the fake AV scam websites.

 

[cPanelMichael]

Hello

The URL in question is not abnormal. You could review /usr/local/cpanel/logs/access_log to verify if the offending IP address is a known user (e.g. there are previous safe entries under that IP).

Thank you.