False Positives for well known files
Posted: 12 Oct 2016, 07:20
by eldergeek
I have read your advice regarding using the ignore file - but I work at a UK host, and we have a lot of CXS licenses, on servers which host thousands of Magento sites - many of whom use Extendware - nearly all of this company's addons are obfuscated and are flagged up:
Code:
Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0394]]
While local ignores are fine for less common FPs, it would be good if you had a reporting channel for more popular scripts/packages which throw FPs.
Steve
Re: False Positives for well known files
Posted: 16 Oct 2016, 20:39
by ForumAdmin
There is a mechanism for reporting Fingerprint Exploit false-positives. If you are 100% sure that the script is not an exploit, you can submit it using:
Code:
cxs --comment "reason it is a false-positive" --force --wttw /path/to/script.file
If you have md5sums that are being "ignored" then you have a configuration problem somewhere and should log a ticket.
Please also be sure that you are not seeing ClamAV Virus false-positives if you are using a set of "UNOFFICIAL" rules that typically do have plenty of false-positives.
Re: False Positives for well known files
Posted: 20 Oct 2016, 20:41
by ForumAdmin
Locking this thread as it keeps going off-topic. This is about false-positive exploits and how to report them.