With all the name changing that happened in the new database, I don’t think I can come close to guessing how old the signature might be.
It is in Extended Signature Format (.ndb) looking for an ASCII text file (normalized) with any offset and an ASCII string of: netsh firewall set_opmode mode = disable except that I substituted an underscore “_" for one space to prevent a copy from this e-mail from being identified as infected. I have confirmed that the wintest.py file does contain this string and that there is no subsequent command to re-enable the firewall I’ll have to let those familiar with how advisable it is to disabling the firewall on a Windows machine would be under these circumstances. -Al- On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote: > > The only file that was flagged as containing a virus (trojan) was > "wintest.py" in the "wintest" directory of the Samba source code. This > sounds like it's only a file for testing Samba (when built for > Windows?), and, unless it's something really sneaky, shouldn't be able > to affect a running Samba. > > The bug is called "BadLock", and, since Microsoft is working on it too, > I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was > stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't > actively work on it, but rather would use it to tout the advantages of > Windows Server. > > Paul Kosinski > > On Thu, 31 Mar 2016 10:51:55 +1100 > Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote: > >> >> >> On 31/03/2016 5:32 AM, Alain Zidouemba wrote: >>> Paul: >>> >>> Thanks for reporting this FP. This will be fixed momentarily. >> >> Is it really a false positive? >> >> There has been a heads up that SAMBA code has a problem and that both >> Microsoft and Samba are working on a solution that will be released on >> the next patch Tuesday..... >> >> That download could be part of this somehow, I don't know. But it >> shouldn't blindly be considered a FP, that's for sure! >> >>> - Alain >>> >>> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski >>> <clamav-us...@iment.com> wrote: >>> >>>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, >>>> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports >>>> that the gz file contains Win.Trojan.Qhost-106. In particular, the >>>> single file wintest.py in the subdirectory wintest is reported. >> >> Kind Regards >> AndrewM
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
