Ubuntu
clamav package

ClamAV scanner recognizes add-on 'Brief' as Virus

Bug #378627 reported by Trinity.a001
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: firefox-3.0

I installed Firefix addon ' Brief '. ClamAV virus scanner tells me this is Virus. Then, I uninstalled it. After that I tried to install ' Brief ' again. And I scanned my computer. But, it happened the same thing. I don't know whether Firefox addon 'Breif' is Virus or not. I don't want to believe it.So, I report this. / Using Ubuntu 9.04/ Using Firefox-3.0 the latest version
 Now I'm going to uninstall ' Brief' again. No problem for me. Ubuntu itself is wonderful. Thank you very much.

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: nvidia
Package: firefox-3.0 3.0.10+nobinonly-0ubuntu0.9.04.1
ProcEnviron:
 LANG=ja_JP.UTF-8
 SHELL=/bin/bash
SourcePackage: firefox-3.0
Uname: Linux 2.6.28-11-generic i686

Revision history for this message
Trinity.a001 (spmm9pq9) wrote :
Marc Deslauriers (mdeslaur)
security vulnerability: yes → no
visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

This is a problem with the scanner engine, not the addon.

affects: firefox-3.0 (Ubuntu) → clamav (Ubuntu)
Revision history for this message
Micah Gersten (micahg) wrote :

I guess I am assuming that you installed the version from addons.mozilla.org, correct?

Revision history for this message
Trinity.a001 (spmm9pq9) wrote : [Bug 378627] ClamAV recognizes add-on ' Brief ' as Virus

I installed ' Brief ' from addons.mozilla.org.You are correct.
I send you my screenshot of ClamAV's-scanning-result with this mail. I
hope this to reach you properly,Mr.Micah Gersten.

Revision history for this message
Trinity.a001 (spmm9pq9) wrote : Re: [Bug 378627] Re: ClamAV scanner recognizes add-on 'Brief' as Virus

Micah Gersten さんは書きました:
> I guess I am assuming that you installed the version from
> addons.mozilla.org, correct?
>
>
  From Trinity.a001 To Mr.Gersten :
I installed 'Brief' from addon.mozilla.org. You are correct. Now I send
you my screenshot of ClamAV-scanning-results with this mail. I hope this
to reach you properly.

I sent the same mail 4 hours ago. But it returned to me. I don't know why.
Probably my mistake. So I send this mail again.
After sending this mail, I will not send any mail to you. I don't want
to bother anybody. If there were any problem, I hope it will be solved
by the person who can do it. Thank you for your concern.

Revision history for this message
Imre Gergely (cemc) wrote :

I've installed this add-on and scanned the /home/user/... directory with clamscan. It found nothing. After that I scanned with the command-line option '--detect-pua=yes', and it did report the .js file as a PUA.

thickbox.js: PUA.Script.Packed-1 FOUND

From the clamscan manual page:

       --detect-pua[=yes/no(*)]
              Detect Possibly Unwanted Applications.

It seems clamscan doesn't like something in that javascript file, that's why it reported it. Maybe the creator of the addon should be notified to rewrite some of the code which makes clamav report it.

I see in the screenshot that clamtk is being used to scan, and that 'Thorough' option is selected. Without that option, clamtk doesn't report anything, with the option (which obviusly implies the above --detect-pua parameter) clamav gets a bit more sensitive about stuff, that's why it reports the javascript as a _possible_ threat, which doesn't necesarrily mean it's a virus.

Revision history for this message
Scott Kitterman (kitterman) wrote :

I checked with the clamav developers and their opinion is that this is a case of clamav functioning as designed as the add-on in question has questionable code in it. I'd recommend contacting the developers of the extension and suggest that using obfuscated/lamed javascript is not good idea.

Changed in clamav (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.