I'm fairly confident that this isn't a critical issue, however, I felt you folks should be aware that after running ClamshellAV on CentOS 7, the following appeared in my log (for what seems directly related to 'plugins' packages for JIRA and Bitbucket servers):
/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/atlassian/jira/temp/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/atlassian/jira/temp/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625161-0 FOUND
/opt/atlassian/bitbucket/5.11.1/app/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/jira/plugins/installed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1530114812000.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1235045691871667837.atlassian-universal-plugin-manager-plugin-2.22.11_1530732163000.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.7678726411037657193.atlassian-universal-plugin-manager-plugin-2.22.12_1532789555000.jar: Html.Malware.Agent-6625161-0 FOUND
/var/atlassian/application-data/bitbucket/plugins/.osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1527316560000.jar: Html.Malware.Agent-6625161-0 FOUND
Hello,
I want to assure you that the plugins listed above are not malware. The latest ClamAV virus database includes this rule which is in fact a false positive.
I have submitted a false positive request to the ClamAV team to resolve this issue. Please follow https://ecosystem.atlassian.net/browse/UPM-5905 for progress on this issue.
In the meantime, the workaround described on this post seems like a good approach.
Cheers,
Ben
I'm also seeing this in all my Jira 7.2.7 and Confluence 5.10 instances. I'm running ClamAV 0.99.4/24797/Mon Jul 30 09:42:33 2018
The virus signature update last night now finds UPM to be malware. Because we do not automatically quarantine suspect files, this didn't cause an issue on application restart. It's just noisy.
I've ticketed Atlassian for this.
There are two workarounds available -
* exclude the directories where the jar files exist so clamscan doesn't find the files
* exclude the files (disclosure: this method was developed by another engineer and I have not vetted it)
In order to add a file to the false-positive whitelist, you need to add the info to a file named sigfile.fp in the same directory as the db files; for clamav this is located in /var/clamav. Actually, you can name the file anything you want; just ensure the extension is .fp. This is the info that is required; again, it is a simple task in bash to get the data.
With that info you would add it to /var/clamav/sigfile.fp formatted like this:
MD5:SIZE:DATEID_NAME
That entry represents a single file; make sure there is only one entry per line: 1000 files, then 1000 lines.
And that is all there is to it; it takes effect as soon as the file is saved.
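The file-level workaround described in the answer above, as an added example that is not part of the original post and not ClamAV's own tooling: it reads clamscan FOUND lines, keeps those for one signature name, and prints one MD5:SIZE:LABEL line per distinct file content, ready to be saved under a .fp extension. The function names, the demo files and the demo log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: turn clamscan "FOUND" lines into ClamAV .fp whitelist entries.

# Print the paths clamscan flagged with exactly this signature name.
# Expected line shape: "<path>: <signature> FOUND"
found_paths() {
    awk -v sig="$1" '{
        suffix = ": " sig " FOUND"
        n = length($0) - length(suffix)
        if (n > 0 && substr($0, n + 1) == suffix) print substr($0, 1, n)
    }'
}

# Print one "MD5:SIZE:LABEL" entry for a file. The entry matches this exact
# content only, so a modified jar at the same path is still reported.
fp_entry() {
    local file="$1" md5 size label
    [ -f "$file" ] || { echo "skip (not a file): $file" >&2; return 1; }
    md5=$(md5sum < "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    # LABEL is free text; replace ':' so it cannot shift the fields.
    label=$(basename -- "$file" | tr ':' '_')
    printf '%s:%s:%s\n' "$md5" "$size" "$label"
}

# Read a clamscan log on stdin, emit one entry per distinct file content.
build_fp() {
    local sig="$1" path
    found_paths "$sig" | while IFS= read -r path; do
        fp_entry "$path" || true   # flagged path no longer present: skip it
    done | sort -t: -u -k1,2
}

# Demo on constructed files and a constructed log (not real scan output).
demo() {
    local dir; dir=$(mktemp -d)
    printf 'hello' > "$dir/a.jar"; cp "$dir/a.jar" "$dir/copy-of-a.jar"
    printf 'other' > "$dir/b.jar"
    {
        echo "$dir/a.jar: Html.Malware.Agent-6625161-0 FOUND"
        echo "$dir/copy-of-a.jar: Html.Malware.Agent-6625161-0 FOUND"
        echo "$dir/b.jar: Html.Malware.Agent-6625208-0 FOUND"
        echo "$dir/missing.jar: Html.Malware.Agent-6625161-0 FOUND"
    } | build_fp 'Html.Malware.Agent-6625161-0'
    rm -rf "$dir"
}
demo
```

Because each entry is tied to a hash and size, it stops matching as soon as the jar's content changes, whereas a directory exclusion hides anything placed in that directory.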
Here's ClamAV's official whitelisting procedure: http://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature
I have also noticed this issue; it was also flagged for the first time on Saturday. My guess is that a ClamAV update has mistakenly flagged the plugin; can somebody please confirm that this is a false flag?
/data/atlassian/confluence.old/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.20.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence.old/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.20_1449523626000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-cache/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1493144169000plugin.1940237532048614219.atlassian-universal-plugin-manager-plugin-2.21.4_1493144169000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1532100170000plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12_1532100170000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.5_1528329572000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/confluence/plugins-osgi-cache/transformed-plugins/1530063048000plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11_1530063048000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/installed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/atlassian-universal-plugin-manager-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11_1528761034000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12_1532109693000.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/plugin.1266146764422473197.atlassian-universal-plugin-manager-plugin-2.22.10_1527882621000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/upm-application-plugin-2.22.9_1525859694000.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/confluence/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.5.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.4333718534734086921.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/confluence/temp/plugin.6730594808569807862.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/upm-application-plugin-2.22.9.jar: Html.Malware.Agent-6625208-0 FOUND
/data/atlassian/jira/temp/plugin.5181128983702769347.atlassian-universal-plugin-manager-plugin-2.22.12.jar: Html.Malware.Agent-6625161-0 FOUND
/data/atlassian/jira/temp/plugin.257991843025947925.atlassian-universal-plugin-manager-plugin-2.22.11.jar: Html.Malware.Agent-6625208-0 FOUND