Strange perl script

Paul Schmehl pauls at utdallas.edu
Wed Oct 17 15:23:52 PDT 2007


--On Wednesday, October 17, 2007 23:51:39 +0200 Peo Nilsson 
<per-olof.nilsson at comhem.se> wrote:
>
> I scanned my FreeBSD 6.2-Release (ports up to date) with
> Avira Antivir personal ed, some days ago. The scanner returned
> this:
>
> ...<snap>
> checking drive/path (cwd): /
> /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
>  Date: 11.10.2007  Time: 16:04:06  Size: 9975
>  ALERT:
> [HTML/MHT.Gen]
> /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist <<< Contains
> detection pattern of the HTML script virus HTML/MHT.Gen <snap>...
>
> The information Avira has one can read here:
> http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html
>
> I posted a question to openxpki-devel at lists.sourceforge.net.
> They proposed that the scanner probably was "too nervous" for using with
> Unix. (I can't tell myself)
>
> Don't know if this says anything, but I thought I would mention it
> when I saw your posts.

I've never heard of a "nervous" anti-virus scanner, but that "detection" is 
clearly a false positive.  The pkg-plist file is a list of the files and 
directories installed by the port, so that they can be removed when you run 
"make deinstall".  Avira probably saw one of the strings in the file as a 
possible match to a known malicious script.

In fact, their description says it's "a generic detection routine designed 
to detect common family characteristics shared in several variants"
<http://www.avira.com/en/threats/section/fulldetails/id_vir/3679/html_mht.gen.html>

If you're so inclined, you could report it to Avira so they can tweak their 
detection accordingly.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/