Author: Henri Salo Date: To: clamav-users Subject: [clamav-users] Probably false-positive Exploit.MS04_028-4 reported
I just reported sample as false-positive, which is detected as Exploit.MS04_028-4. This picture is generated by web-camera with SHA1 d7ad16339fbf5d2b193bb4df7299c6f3da20c0b8 and I do have another file, which were detected with same malware name at 2012-01-25 with SHA1 cb446b3002f39b250abb5a3eaec8e59e46b4b9e2, but it is not detected anymore by ClamAV. This web-camera is used in Tampere Finland to record city and our shell-user is using crontab to create a videos like this: http://vimeo.com/35187490
If you know similar cases, have/need more information about this or want the samples please contact me. I am happy to help!
Using ClamAV 0.97.3/14426/Fri Feb 10 07:15:20 2012 with signatures:
ClamAV update process started at Fri Feb 10 12:57:10 2012
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 14426, sigs: 91708, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 167, sigs: 40, f-level: 63, builder: edwin)