odlevakp opened this issue 4 years ago
Seems like a regression related to https://github.com/rfxn/linux-malware-detect/issues/309.
We are observing the same issue in every environment that has a copy of the openssl tls1.h header file (e.g. "node-v10.0.0/deps/openssl/openssl/include/openssl/tls1.h").
Since this is still an issue and I am seeing a lot of false positives (in my case anaconda / tensorflow) on backend servers that have no PHP, the simplest thing for me was to put it into ignore_sigs.

    cat /usr/local/maldetect/ignore_sigs
    {YARA}php_malware_hexinject
Seeing the same issue. I think it started showing up after installation of maldet.
Getting this now:
FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /home/yo/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
{HEX}php.cmdshell.antichat.201 : /home/yo/maldetect-1.6.4/files/sigs/rfxn.yara
Just installed yesterday... false positive or real hit?
Seems the latest rfxn database identifies openssl-1.1.1c/include/openssl/tls1.h as YARA.php_malware_hexinject.UNOFFICIAL.

To replicate:

Plain clamscan without rfxn db:

Checked include/openssl/tls1.h with virustotal, clean. There is also a clamav error regarding rfxn.yara.