On 5/7/12 10:49 AM, "Pepijn Schmitz" <cla...@pepsoft.org> wrote:
> Hi Chuck,
>
> On 07-05-12 19:17, Chuck Swiger wrote:
>> VirusTotal is a site at https://www.virustotal.com/ which lets one upload
>> files and scan them against all of the major malware engines. This will show
>> you all of the false-positive matches and let you see what the malware is
>> being called by the various vendors-- that might help track down what the
>> payload is and does, and also give you some idea as to which vendors you
>> ought to contact and submit your software to as a false-positive.
>
> Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
> identifying my file as containing a trojan:
>
> https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808efd8c322e274a34b211/analysis/
>
>> Also, you can run sigtool from ClamAV to see what the hex string that is
>> being matched is:
>>
>> % sigtool -fTrojan.Agent-281708
>> [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708
>
> Thanks, good to know. Seems like that hex string is not distinctive
> enough! I already reported the file as a false positive (using ClamTk).
> Are those reports generally responded to quickly? Is there any way I can
> help to speed along the process?

The hex string being matched is the MD5 of the file, but it doesn't match the one listed in VirusTotal so I'm confused here.

> And is there no place where I can find more information about the trojan
> ClamAV thinks it is detecting? Surely there is more information than a
> hex string, somewhere?

The only one that might know something about it is the member of the signature team that published it (Alain Zidouemba) who probably isn't going to remember what he did back on 19 April unless he took good notes:

> Submission-ID: 42631477
> Sender: Virus Total
> Sender: Anonymous
> Added: Trojan.Agent-281708

This says it originated at VirusTotal.

When I do a Google search for "74da9128149f4e678783b4125095d396 +site:virustotal.com" I get 6 hits, several of which show a VBA32 detection of TrojanBanker.Qhost.aaji

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide:
visit http://wiki.clamav.net
http://www.clamav.net/support/ml
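
Added example, not part of the original message or of ClamAV's code: ClamAV's signature documentation defines `.mdb` entries as `PESectionSize:PESectionHash:MalwareName`, so the line sigtool printed above can be checked against each PE section of a flagged file, size first and then MD5. The helper names, the `Constructed.Test-1` signature and the minimal PE image are assumptions constructed for the demonstration.

```python
import hashlib
import struct

def parse_mdb(line):
    """Split 'PESectionSize:PESectionHash:MalwareName' (sigtool prefixes '[daily.mdb] ')."""
    size, digest, name = line.split("]")[-1].strip().split(":", 2)
    return int(size), digest.lower(), name

def pe_sections(data):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(nsect):
        entry = table + 40 * i                               # 40-byte section header
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def match_mdb(data, sig_line):
    """Return (section, malware name) when a section matches by size and MD5, else None."""
    size, digest, malware = parse_mdb(sig_line)
    for name, raw in pe_sections(data):
        if len(raw) == size and hashlib.md5(raw).hexdigest() == digest:
            return name, malware
    return None

def build_sample_pe(section_body):
    """Constructed minimal PE image with one '.text' section (demo input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    raw_ptr = 64 + 4 + 20 + 40                               # data follows the section table
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_body), 0x1000,
                                          len(section_body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + section_body

if __name__ == "__main__":
    body = b"\x90" * 512                                     # constructed section content
    pe = build_sample_pe(body)
    sig = "[daily.mdb] 512:%s:Constructed.Test-1" % hashlib.md5(body).hexdigest()
    print(match_mdb(pe, sig))                                # section-level match
    print(hashlib.md5(pe).hexdigest() == parse_mdb(sig)[1])  # whole-file MD5 vs signature hash
```

Because the hash covers one section, any other PE file that contains a byte-identical section of the same size matches the same entry.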