What to do About ClamAV False Positives

Steve Kessler

Active Member
Feb 22, 2015
27
0
1
Denver, Colorado, United States
cPanel Access Level
Root Administrator
I am using ClamAV together with ConfigServer CXS. I get emails when viruses are detected by Clam and all of them are false positives. It is to the point that I think I would miss a serious issue because I get the same emails over and over.

Yes, I could add each file to the ignore file but that is a major pain because this is happening all the time.

For example, fck_gecko.js is included in the FCKEditor package. This was one of the several files flagging in an install of this editor so I looked into it. It turns out that Clam thinks it is Txt.Malware.Agent-6162558-0. Looking at the analysis that does not appear to be the case.

I am trying to find a better tool than Clam that will integrate with cPanel/WHM. Any thoughts on this or how to make Clam run better is much appreciated.

Thanks,
Steve
 

Infopro

Well-Known Member
May 20, 2003
17,085
521
613
Pennsylvania
cPanel Access Level
Root Administrator
"Yes, I could add each file to the ignore file but that is a major pain because this is happening all the time."
What is happening all the time? You only give one example.
"FCKEditor"
You probably shouldn't be using it any longer. This post is from 2005:
drupal.org/project/fckeditor

"CKEditor is the successor to FCKeditor and has its own CKEditor module. The FCKeditor module will not receive any new features, nor will it be updated for Drupal 7. Upgrading to CKEditor is recommended for all users of FCKeditor."
 

Steve Kessler

Right now the only files that are being identified as viruses are from FCKEditor. However, the age of the editor should not mean that a virus detection program will see the files as viruses. That is an absurd statement. It is being used on a legacy site that is not going to be updated until that company closes.

This has happened before with other JS and PHP files from reputable, up-to-date sources like Drupal and CiviCRM. It has also happened with DOC/X and XLS/X files that were uploaded to the server.

I am just trying to find an option with fewer false positives if possible because this becomes the software that cried wolf.

Thanks,
Steve
 

Infopro

"the age of the editor should not mean that a virus detection program will see the files as viruses. That is an absurd statement."
Absurd? You might re-read the link I posted. The statement is what it is.

"...is not going to be updated until that company closes."
Good luck with that.

In the meantime, you might need to white list that file to stop the alerts.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
466
113
UK
cPanel Access Level
Root Administrator
I wonder if your ClamAV is actually detecting these files as Potentially Unwanted Applications (PUA).

You might want to read their documentation and decide if you are going to block what might be good detections just because it is irritating, or if you are going to choose another A/V solution that doesn't warn you about potentially vulnerable scripts with known and published exploits.
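
The whitelisting suggested earlier in the thread can be scoped to one exact file instead of silencing a whole signature. The following is an added example, not code from any poster or from ClamAV or CXS: the function names and the `local.fp` destination are assumptions, and the entry uses the `MD5:size:name` layout that ClamAV reads from hash-based false-positive (`.fp`) databases in its database directory.

```shell
#!/bin/sh
# Added example: whitelist one reviewed file by content hash.
# Function names and the destination file name are assumptions.

# Print a hash-based false-positive entry: MD5:size:name.
# The third field is only a label shown in reports.
fp_entry() {
    f=$1
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# Append a line to a file only if it is not already present,
# so repeated runs do not grow the database.
add_once() {
    line=$1
    dest=$2
    touch "$dest"
    grep -qxF -- "$line" "$dest" || printf '%s\n' "$line" >> "$dest"
}

# Whitelist a file only after it matches a SHA-256 taken from a
# trusted copy (for example the vendor's original release archive).
# Returns 1 and writes nothing if the file on disk differs.
whitelist_verified() {
    f=$1
    trusted_sha256=$2
    fpdb=$3
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$actual" != "$trusted_sha256" ]; then
        echo "refusing: $f does not match the trusted hash" >&2
        return 1
    fi
    add_once "$(fp_entry "$f")" "$fpdb"
}

# Usage (paths are placeholders):
#   whitelist_verified /path/to/fck_gecko.js <trusted-sha256> /path/to/clamav-db/local.fp
```

Because the entry is tied to the file's exact content, a copy that is later modified hashes differently and is reported again.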