ClamAV detects Unix.Trojan.Gitpaste-9787170-0 in f...

splunkuser444 · ‎05-08-2025

Hello all,

ClamAV detected Unix.Trojan.Gitpaste-9787170-0 in file Splunk_Research_detections.json. This file appears to be a large repository of security research information and we'd like to verify if this detection is a true concern or if it is a false positive.

Threat detection file location: /opt/splunk/etc/apps/Splunk_Security_Essentials/appserver/static/vendor/splunk/Splunk_Research_detections.json

Splunk version: 9.4.0

Splunk Security Essentials version: 3.8.1

ClamAV detection: Unix.Trojan.Gitpaste-9787170-0

ClamAV version: 1.4.1/27629

ClamAV definition dates: April 24, 2025 through May 05, 2025

Security Essentials was installed on April 25, 2025 and ClamAV detections began immediately during the first scan following the install.

PickleRick · ‎05-08-2025

This is more of a question to ClamAV authors/database maintaners. I'd hazard a guess that the file contained within SE has some characteristic pieces of the Gitpaste method as part of its searches. And ClamAV detects their presence and flags the file. But I'd double-check it with ClamAV folks.

splunkuser444 · ‎05-12-2025

Thanks for the suggestion PickleRick, I've also submitted a false positive report at https://www.clamav.net/reports/fp.

ClamAV detects Unix.Trojan.Gitpaste-9787170-0 in file Splunk_Research_detections.json

other

troubleshooting

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?