False Positives for well known files

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Locked
eldergeek
Junior Member
Posts: 27
Joined: 18 Mar 2010, 07:25

False Positives for well known files

Post by eldergeek »

I have read your advice regarding using the ignore file - but I work at a UK host, and we have a lot of CXS licenses, on servers which host thousands of Magento sites - many of whom use Extendware - nearly all of this company addons are obfuscated and are flagged up:

Code: Select all

Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0394]]
While local ignores are fine for less common FPs, it would be good if you had a reporting channel for more popular scripts/packages which throw FPs.

Steve
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: False Positives for well known files

Post by ForumAdmin »

There is a mechanism for reporting Fingerprint Exploit false-positives. If you are 100% sure that the script is not an exploit, you can submit it using:

Code: Select all

cxs --comment "reason it is a false-positive"  --force --wttw /path/to/script.file
If you have md5sums that are being "ignored" then you have a configuration problem somewhere and should log a ticket.

Please also be sure that you are not seeing ClamAV Virus false-positives if you are using a set of "UNOFFICIAL" rules that typically do have plenty of false-positives.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: False Positives for well known files

Post by ForumAdmin »

Locking this thread as it keeps going off-topic. This is about false-positive exploits and how to report them.
Locked