Calibre v2.82.0 - Virus Scanner Alert

[Radar1968]

I've just had an alert from ClamXav saying that there is an issue with the latest v2.82.0 of Calibre. I am using macOS Sierra and the latest version and refs of ClamXav.

Exact alert is:
/Applications/calibre.app/Contents/Resources/resources/compiled_coffeescript.zip: Heuristics.Filetype.ZipWithJS-6136370-0 FOUND

Anyone have any idea why this has happened? Is it a false positive?

I have contacted ClamX re the issue but wondered if anyone was seeing similar with other scanners? I can't scan online as Calibre s 202mb.

Any help greatly appreciated.
Radar

UPDATE
I have heard back from ClamX and have they have following to add:
******************
Downloaded Calibre 2.82.0 and can confirm the detection.

The signature was just added by ClamAV yesterday in Daily - 23230 which would have shown up as a ClamXav update today and looks like this:

VIRUS NAME: Heuristics.Filetype.ZipWithJS-6136370-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: \.[A-Za-z]{3}\.js$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: 1
CRC SUM: ANY

So I would have to guess that it's not a false positive in that it is a zip file that contains javascript files, which is what it's designed to find. That doesn't mean there is anything wrong with doing that, just that it's suspicious to do so.
******************

This means that its possible that Calibre had this file before but the signatures weren't picking it up.
Be nice to know what the file is and that it is harmless and was there before

[DiapDealer]

Flagging any zipfile that contains a javascript file in it seems over-the-top aggressive. That would flag pretty-much any Kobo kepub book.

I can't speak as to what that file actually is, but regardless ... that particular heuristic test wasn't thought out very well.

And in my personal opinion/experience: between calibre and antivirus software ... the antivirus software loses (at least when calibre is downloaded from official locations).

[Divingduck]

This version is public since a week now without complains. So no, I don't think there is a general problem. I don't know where you download your installation set. I always download from the official source (https://calibre-ebook.com/download) and hat never a virus problem. But I know there are all the time some external AV with regular false alarms.

[Radar1968]

Quote:

Originally Posted by Divingduck

This version is public since a week now without complains. So no, I don't think there is a general problem. I don't know where you download your installation set. I always download from the official source (https://calibre-ebook.com/download) and hat never a virus problem. But I know there are all the time some external AV with regular false alarms.

Downloaded from the official site so I'm not doubting its integrity, just why its caused an alert this time.

Like I said I believe its probably always been there and the update to def has suddenly picked it up and is being, as DiapDealer suggested, overly aggressive.

Whilst on the subject of downloading Calibre, I can't seem to find any SHA1 sigs for the downloads. Am I missing something? I always like to check these where I can for anything I download.

[JSWolf]

False positive. Calibre does not have a virus or trojan. If this false positive is not fixed, it will be time to find a different AV.

[BetterRed]

I wouldn't be at all surprised if the content server didn't contain a line or three of javascript.

I think the new one uses Rapydscript for which Kovid has written a transpiler, ==>> A transpiler for a Python like language to JavaScript.

Yeah, I'd never hear of a transpiler either, sounds like it would be handy if you were building a dock

BR

[Divingduck]

Quote:

Originally Posted by Radar1968

Whilst on the subject of downloading Calibre, I can't seem to find any SHA1 sigs for the downloads. Am I missing something? I always like to check these where I can for anything I download.

No, I was looking for it too but it seems Kovid had not attach it.

They are available on the alternate download location for calibre https://www.fosshub.com/Calibre.html

[kovidgoyal]

All calibre isntaller files are signed, for windwos and os x the signatures are in the installer and verified by the OS when installed, for linux you need to verify them manually and there is a link to them on the main download page.

And yes, this is a false positive: https://manual.calibre-ebook.com/faq...a-virus-trojan

[alvarnell]

Actually, it cannot be a false positive since Heuristic signatures only detect suspicious files, not necessarily infected ones. In this case it is looking for any zip file that contains one or more javascript files, which is what compiled_coffeescript.zip is. Users should simply verify that the detection is a valid file and ignore any future reports.

[JSWolf]

Quote:

Originally Posted by alvarnell

Actually, it cannot be a false positive since Heuristic signatures only detect suspicious files, not necessarily infected ones. In this case it is looking for any zip file that contains one or more javascript files, which is what compiled_coffeescript.zip is. Users should simply verify that the detection is a valid file and ignore any future reports.

When an anti-virus program flags something as possibly infected and it's not, that is a false positive.