Hi Al,

On 07-05-12 20:44, Al Varnell wrote:
>> And is there no place where I can find more information about the trojan
>> ClamAV thinks it is detecting? Surely there is more information than a
>> hex string, somewhere?
> The only one that might know something about it is the member of the
> signature team that published it (Alain Zidouemba) who probably isn't going
> to remember what he did back on 19 April unless he took good notes:

I must say the lack of transparency is bothering me a little. I'm used to antivirus programs giving me access to a detailed database with information about the threats they claim to detect, so I can make my own determination of how likely something is to be an actual threat and what it does and how dangerous it is, or whether it is just a theoretical threat, or a likely false positive.

>> Submission-ID: 42631477
>> Sender: Virus Total
>> Sender: Anonymous
>> Added: Trojan.Agent-281708
> This says it originated at VirusTotal.

It's also strange that Virus Total is saying that ClamAV (and only ClamAV) is claiming the file contains a trojan, and ClamAV says that Virus Total is the source for that information. This seems like a circular chain of evidence to me, which could prove anything, and therefore nothing.

And when I search for these names and strings, all I find are Virus Total reports, and lists of threats claimed to be detected by various products, but no actual information about the alleged trojans themselves (except that they're "highly dangerous"). It's all very mysterious, and it doesn't inspire confidence in me in the accuracy of these detections, I'm sorry to say, especially given my own current experience.

> When I do a Google search for
> "74da9128149f4e678783b4125095d396 +site:virustotal.com"
> I get 6 hits, several of which show a VBA32 detection of
> TrojanBanker.Qhost.aaji

So I see. Thanks for the tip. In most of them the only other detection is once again by ClamAV though. It seems likely to me that those are all false positives too. They all seem to be installers or uninstallers, perhaps something about that is triggering ClamAV and VBA32.

When I search for this "TrojanBanker.Qhost.aaji" trojan, once again I can find no concrete information about it whatsoever, so unfortunately it doesn't really help in identifying what it is that ClamAV thinks my program is infected with...

Kind regards,
Pepijn Schmitz