
Author Topic: TinyCore-current.iso v14: ClamAV false positive?  (Read 1530 times)

Offline j4232l

  • Newbie
  • *
  • Posts: 2
TinyCore-current.iso v14: ClamAV false positive?
« on: January 22, 2024, 08:41:15 PM »
ClamAV detects the TinyCore-current.iso file as "PUA.Win.Exploit.CVE_2012_1461-1".
I looked up CVE-2012-1461 and it appears to be related to .tar.gz files that are compressed with multiple streams, being able to evade AV detection.

Can somebody please either report this to ClamAV as a false positive? (I hesitate to do so because the software developer knows what's in their software and has more of a vested interest than I in working with the antivirus vendor to eliminate the detection.) Or, please rebuild the ISO file in such a way that the AV will not catch it as a file that may be attempting to evade it? (Nowadays most malicious software is polymorphic, so AVs generally detect "evasive" features.)

Note that the SHA256 hash of the .iso file is 62e78d715dfa86d7d486e3286b0215383dbeb99966bf0ceef7efb18f88caea21. (If the hash of the genuine file is something different, then maybe it is a true detection?) Thank you.
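
Added illustration (not part of the original posts, and not ClamAV's detection logic): the post above describes the signature as relating to gzip data made of multiple compressed streams. The Python function below counts the complete gzip members at the start of a byte string, so an extracted .gz file can be checked for that property; the function name, the chunk size and the sample data in the test are assumptions made for this example.

```python
import sys
import zlib

CHUNK = 1 << 20  # cap on bytes inflated per call, so output memory stays bounded


def count_gzip_members(data: bytes) -> int:
    """Count complete gzip members (streams) at the start of `data`.

    Concatenated members are valid gzip; bytes after the last complete
    member (padding, garbage, a truncated member) are ignored.
    Raises ValueError if `data` does not begin with a complete member.
    """
    members = 0
    while data:
        d = zlib.decompressobj(31)  # 31 = expect gzip header and trailer
        buf = data
        try:
            while not d.eof:
                out = d.decompress(buf, CHUNK)  # inflated bytes are discarded
                buf = d.unconsumed_tail
                if not out and not buf:
                    break  # input exhausted before the member ended
        except zlib.error:
            pass  # not gzip data at this offset
        if not d.eof:
            break
        members += 1
        data = d.unused_data  # whatever follows this member
    if members == 0:
        raise ValueError("data does not start with a complete gzip member")
    return members


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python3 count_members.py FILE.gz
    with open(sys.argv[1], "rb") as fh:
        print(count_gzip_members(fh.read()))
```

A result greater than 1 only shows that the file consists of concatenated gzip streams; on its own it says nothing about whether the content is malicious.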

Offline NewUser

  • Full Member
  • ***
  • Posts: 168
Re: TinyCore-current.iso v14: ClamAV false positive?
« Reply #1 on: January 23, 2024, 12:52:09 AM »
Did you download the iso from www.tinycorelinux.net?

Offline patrikg

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 712
Re: TinyCore-current.iso v14: ClamAV false positive?
« Reply #2 on: January 23, 2024, 01:49:44 AM »
Thanks for reporting.

Just to check, it's the correct sha256sum.
And maybe we should switch to sha256sum instead of using the old md5, which has had collisions reported.

Code:
curl -Os http://tinycorelinux.net/14.x/x86/release/TinyCore-current.iso
curl -Os http://tinycorelinux.net/14.x/x86/release/TinyCore-14.0.iso.md5.txt

cp TinyCore-current.iso TinyCore-14.0.iso

md5sum -c TinyCore-14.0.iso.md5.txt
TinyCore-14.0.iso: OK

sha256sum TinyCore-current.iso
62e78d715dfa86d7d486e3286b0215383dbeb99966bf0ceef7efb18f88caea21  TinyCore-current.iso
« Last Edit: January 23, 2024, 01:53:46 AM by patrikg »

Offline j4232l

  • Newbie
  • *
  • Posts: 2
Re: TinyCore-current.iso v14: ClamAV false positive?
« Reply #3 on: January 24, 2024, 11:15:32 PM »
Since the hash matches, can somebody please report it to ClamAV as a false positive? (One of the advantages of having the developers report the false positive, instead of me, is they could discuss with ClamAV's developers exactly what it is about the ISO that triggers the detection.)