Date: Wed, 17 Oct 2007 17:23:51 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Strange perl script
Message-ID: <F4EF8050FA282D6AF95CA3DC@utd59514.utdallas.edu>
In-Reply-To: <1192657899.51572.12.camel@zeus.se>
References: <005801c8107c$8b7b93a0$0202fea9@jarasoft.net> <20071017151607.GB51123@gizmo.acns.msu.edu> <002101c810f9$10379b80$0202fea9@jarasoft.net> <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com> <0C6C104A0E99E195410424CC@utd59514.utdallas.edu> <1192657899.51572.12.camel@zeus.se>

--On Wednesday, October 17, 2007 23:51:39 +0200 Peo Nilsson <per-olof.nilsson@comhem.se> wrote:

>
> I scanned my FreeBSD 6.2-Release (ports up to date) with
> Avira Antivir personal ed, some days ago. The scanner returned
> this:
>
> ...<snap>
> checking drive/path (cwd): /
> /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
> Date: 11.10.2007 Time: 16:04:06 Size: 9975
> ALERT:
> [HTML/MHT.Gen]
> /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist <<< Contains
> detection pattern of the HTML script virus HTML/MHT.Gen <snap>...
>
> The information Avira has one can read here:
> http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html
>
> I posted a question to openxpki-devel@lists.sourceforge.net.
> They proposed that the scanner probably was "too nervous" for using with
> Unix. (I can't tell myself)
>
> Don't know if this says anything, but I thought I would mention it
> when I saw your posts.

I've never heard of a "nervous" anti-virus scanner, but that "detection" is clearly a false positive. The pkg-plist file is a list of the files and directories installed by the port, so that they can be removed when you run "make deinstall".

Avira probably saw one of the strings in the file as a possible match to a known malicious script. In fact, their description says it's "a generic detection routine designed to detect common family characteristics shared in several variants"
<http://www.avira.com/en/threats/section/fulldetails/id_vir/3679/html_mht.gen.html>

If you're so inclined, you could report it to Avira so they can tweak their detection accordingly.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/