On May 7, 2012, at 10:49 AM, Pepijn Schmitz wrote:
> Hi Chuck,
>
> On 07-05-12 19:17, Chuck Swiger wrote:
>> VirusTotal is a site at https://www.virustotal.com/ which lets one upload
>> files and scan them against all of the major malware engines. This will
>> show you all of the false-positive matches and let you see what the malware
>> is being called by the various vendors-- that might help track down what the
>> payload is and does, and also give you some idea as to which vendors you
>> ought to contact and submit your software to as a false-positive.
>
> Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
> identifying my file as containing a trojan:
>
> https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/

OK, that's good. It means you only need to follow up with one or maybe two places. :-)

>> Also, you can run sigtool from ClamAV to see what the hex string that is
>> being matched is:
>>
>> % sigtool -fTrojan.Agent-281708
>> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708
>
> Thanks, good to know. Seems like that hex string is not distinctive enough!

Yes, that appears to be true.

> I already reported the file as a false positive (using ClamTk).
> Are those reports generally responded to quickly?

Mostly? (That's a subjective question and someone who has software being affected is quite reasonably eager to see things fixed more rapidly than someone not affected by the issue.)

> Is there any way I can help to speed along the process?

In the short term, probably no. In the longer term, supporting the ClamAV project would help them have more resources available to process FPs.

> And is there no place where I can find more information about the trojan
> ClamAV thinks it is detecting? Surely there is more information than a
> hex string, somewhere?

Yes. I'd imagine that either VirusTotal or ClamAV's malware database maintainers have a copy of the malware and could provide more info about it....

Regards,
--
-Chuck
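
The line sigtool printed in the message above comes from `daily.mdb`, whose entries have the form `PESectionSize:MD5:MalwareName`: the match is on the size and MD5 of one whole PE section. As an added example (not part of the original thread and not ClamAV's own code), this Python code lists which section of a file carries a given `.mdb` entry; `build_sample` and its section contents are constructed stand-ins, and the hash is taken over each section's raw on-disk data.

```python
import hashlib
import struct

def parse_mdb(line):
    """Parse 'PESectionSize:MD5:MalwareName', tolerating sigtool's '[daily.mdb] ' prefix."""
    size, md5, name = line.split("]")[-1].strip().split(":", 2)
    return int(size), md5.lower(), name

def pe_sections(data):
    """Yield (name, raw_bytes) for every entry in a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def matching_sections(data, mdb_line):
    """Names of sections whose raw size and MD5 equal the signature's."""
    size, md5, _ = parse_mdb(mdb_line)
    return [name for name, raw in pe_sections(data)
            if len(raw) == size and hashlib.md5(raw).hexdigest() == md5]

def build_sample():
    """Constructed two-section image with only the header fields the parser reads."""
    sections = [(b".text", b"\x90" * 512), (b".rsrc", b"ICON" * 128)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr = len(dos) + len(coff) + 40 * len(sections)
    table = body = b""
    for name, raw in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0, len(raw), ptr + len(body)) + b"\0" * 16
        body += raw
    return dos + coff + table + body

if __name__ == "__main__":
    sample = build_sample()
    sig = "512:%s:Constructed.Example" % hashlib.md5(b"ICON" * 128).hexdigest()
    print(matching_sections(sample, sig))
```

Against a real build, pass the file's bytes and the sigtool line to `matching_sections`; the section it names is the part of the executable to mention in the false-positive report.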