Date:      Mon, 06 May 2013 04:32:50 -0400
From:      Tom Judge <tjudge@sourcefire.com>
To:        M Rusli <linuxsecuritymrusli@gmail.com>
Cc:        ports@freebsd.org, Dave M <dave.nerd@gmail.com>, secteam@freebsd.org
Subject:   Re: clamtk detects setuptools-0.6c11-py2.7.egg Packer.MingwGcc-2 virus
Message-ID:  <51876AB2.50905@sourcefire.com>
In-Reply-To: <CADUSB=wvWnV6AaJmof0ZUHa6s2-ejhgL9vQ8cUDsiPMooSx89w@mail.gmail.com>
References:  <CADUSB=wR-VAkSYwHOXvnhPaT48WEePP8L7coTnbijV320=Y0Pw@mail.gmail.com> <CAPk1mureXe11Ci5aWNyWBQ1BO7yJ9baT=Y0X9XdGAeUkBx9cOA@mail.gmail.com> <CADUSB=wvWnV6AaJmof0ZUHa6s2-ejhgL9vQ8cUDsiPMooSx89w@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rusli,

I have sent this information over to the ClamAV detection team, to
validate that the signature is correct.  Could you please send me a
copy of the file off list?


Thanks

Tom Judge
--
Senior Research Engineer
Sourcefire Vulnerability Research Team
FreeBSD Ports Committer


On 5/4/13 7:48 AM, M Rusli wrote:
> Hi Dave,
> 
> I did another scan and this time I disabled the PUA settings. And
> clamtk did not detect any virus.
> 
> I did double confirm with virustotal. And it did not detect
> anything.
> 
> But when I do a scan again with PUA, it is detected as
> PUA.Win32.PackerMingwGcc-2 virus.
> 
> By the way, clamav has an updated version of the virus engine,
> version 0.97.8.
> 
> Any luck when the new updated version will come in for the FreeBSD
> version?
> 
> 
> On Sat, May 4, 2013 at 7:22 PM, Dave M <dave.nerd@gmail.com 
> <mailto:dave.nerd@gmail.com>> wrote:
> 
> Hi,
> 
> I'm not sure what that file is, but you could verify with that
> package owner's upstream that it's good to go.
> 
> Keep in mind that the "threat" name is "PUA" (for potentially
> unwanted application) and seems to be warning based on the type of
> packer or compiler used.  In fact, you probably have the "Scan for
> PUAs" option checked in your ClamTk preferences, otherwise this
> would not have alerted.
> 
> Once the upstream verifies it (hopefully :), please submit the file
> to ClamAV (at clamav.net <http://clamav.net>) as a false positive, 
> assuming it is one.
> 
> Let me know if I can be of assistance.
> 
> thanks, Dave M
> 
> On Sat, May 4, 2013 at 6:04 AM, M Rusli 
> <linuxsecuritymrusli@gmail.com 
> <mailto:linuxsecuritymrusli@gmail.com>> wrote:
>> Hi
>> 
>> I did a full scan on my computer with up-to-date virus of
>> clamtk.
>> 
>> It indicates that the
>> /usr/local/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg
>> contains
>> PUA.Win32.PackerMingwGcc-2 virus.
>> 
>> Can you verify whether this is a PUA virus?
>> 
>> Thank you.
>> 
>> Rusli
> 
> 

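The PUA naming Dave describes above (a "PUA." prefix, alerting on the packer or compiler rather than on known malware), as an added example that is not part of this thread: a small Python triage script that parses clamscan output, keeps PUA hits apart from other detections so they can be checked with upstream or VirusTotal first, and derives the category that clamscan's --exclude-pua / --include-pua options filter on. The sample output, the /tmp path and the second signature are constructed; the .egg path and the Packer.MingwGcc-2 signature come from the thread.

```python
"""Triage clamscan output: separate PUA (heuristic) hits from malware hits."""
import re
from typing import Dict, List

# clamscan prints one line per detection: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample of clamscan output; the .egg line mirrors the report
# in this thread, the second detection is the standard EICAR test signature.
SAMPLE_OUTPUT = """\
/usr/local/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg: PUA.Win32.Packer.MingwGcc-2 FOUND
/tmp/sample.bin: Eicar-Test-Signature FOUND
/usr/local/bin/python2.7: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""


def parse_clamscan(output: str) -> List[Dict[str, object]]:
    """Return one record per FOUND line with path, signature, PUA flag and category.

    ClamAV names PUA signatures "PUA.<Platform>.<Category>.<Name>"; the
    category (e.g. "Packer") is what --exclude-pua / --include-pua take.
    """
    hits = []
    for line in output.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # "OK" lines, blank lines and the scan summary
        sig = m.group("sig")
        parts = sig.split(".")
        is_pua = parts[0] == "PUA"
        category = parts[2] if is_pua and len(parts) >= 3 else None
        hits.append({"path": m.group("path"), "signature": sig,
                     "pua": is_pua, "category": category})
    return hits


def triage(output: str) -> Dict[str, object]:
    """Split hits into 'malware' (act now) and 'review' (PUA: verify with upstream).

    Also builds the --exclude-pua flags that would silence only the PUA
    categories seen, so full PUA scanning can stay enabled for everything else.
    """
    hits = parse_clamscan(output)
    review = [h for h in hits if h["pua"]]
    categories = sorted({h["category"] for h in review if h["category"]})
    return {"malware": [h for h in hits if not h["pua"]],
            "review": review,
            "exclude_pua_flags": [f"--exclude-pua={c}" for c in categories]}
```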


