What to do About ClamAV False Positives

[Steve Kessler]

I am using ClamAV together with ConfigServer CXS. I get emails when viruses are detected by Clam and all of them are false positives. It is to the point that I think I would miss a serious issue because I get the same emails over and over.

Yes, I could add each file to the ignore file but that is a major pain because this happening all the time.

For example, fck_gecko.js is included in the FCKEditor package. This was one of the several files flagging in an install of this editor so I looked into it. It turns out that Clam thinks it is Txt.Malware.Agent-6162558-0. Looking at the analysis that does not appear to be the case.

I am trying to find a better tool than Clam that will integrate with cPanel/WHM. Any thoughts on this or how to make Clam run better is much appreciated.

Thanks,
Steve

 

[Infopro]

Yes, I could add each file to the ignore file but that is a major pain because this happening all the time.

What is happening all the time, you only give one example.

FCKEditor

You probably shouldn't be using it any longer. This post is from 2005:
drupal.org/project/fckeditor

CKEditor is the successor to FCKeditor and has its own CKEditor module. The FCKeditor module will not receive any new features, nor will it be updated for Drupal 7. Upgrading to CKEditor is recommended for all users of FCKeditor.

 

[Steve Kessler]

Right now the only files that are being identified as viruses are from FCKEditor. However, the age of the editor should not mean that a virus detection program will see the files as viruses. That is an absurd statement. It is being used on a legacy site that is not going to be updated until that company closes.

This has happened before with other JS and PHP files from reputable up to date sources like Drupal and CiviCRM. It has also happened with DOC/X and XLS/X files that were uploaded to the server.

I am just trying to find an option with fewer false positives if possible because this becomes the software that cried wolf.

Thanks,
Steve

 

[Infopro]

the age of the editor should not mean that a virus detection program will see the files as viruses. That is an absurd statement.

Absurd? You might re-read the link I posted. The statement is what it is.

...is not going to be updated until that company closes.

Good luck with that.

In the meantime, you might need to white list that file to stop the alerts.

 

[Erika Rangel]

Those entries seem to be false positives, not infected files. Now, I can't tell why it appears so slow.

 

[rpvw]

I wonder if your clamav is actually detecting these files as Potentially Unwanted Applications (PUA)

You might want to read their Documentations, and decide if you are going to block what might be good detections just because it is irritating, or if you are going to choose another A/V solution that doesn't warn you about potentially vulnerable scripts with known and published exploits.