This appears to be both a legitimate test file (wintest.py) and a useful
signature. ClamAV has a built-in solution for resolving these conflicts. You
create a *.fp file that contains the checksum of the specific file and it will
be ignored after the next reload.
sigtool --md5 wintest.py >sambatest.fp
Place the resulting file in the clamav sig directory and reload.
Sometimes these things happen.
dp
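An added shell example, not from the thread, showing what the .fp entry dp describes contains and that it whitelists exactly one version of the file. It assumes coreutils (md5sum, wc) in place of sigtool and constructs a stand-in wintest.py rather than using the real one.

```shell
#!/bin/sh
# Added example: build a ClamAV .fp whitelist line in the same
# "md5:size:name" layout that `sigtool --md5 <file>` emits, then show that
# the entry is tied to the exact file content (hash and size are what
# ClamAV compares; the third field is just a label).
# Assumptions: md5sum and wc from coreutils are available; sigtool is not used.
set -eu

# Emit one .fp line for a file: <md5>:<size-in-bytes>:<basename>
fp_line() {
    f="$1"
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# Return 0 if the file's hash and size match the given .fp line, 1 otherwise.
fp_matches() {
    f="$1"; line="$2"
    [ "$(fp_line "$f" | cut -d: -f1,2)" = "$(printf '%s' "$line" | cut -d: -f1,2)" ]
}

demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for wintest.py; the real file is not reproduced here.
    printf 'print("constructed sample, not the real wintest.py")\n' > "$tmp/wintest.py"
    entry=$(fp_line "$tmp/wintest.py")
    echo "entry for sambatest.fp: $entry"
    fp_matches "$tmp/wintest.py" "$entry" && echo "current file matches the entry"
    # Any change to the file, even a single appended byte, invalidates the
    # entry, so a new Samba release ships a wintest.py that needs a new line.
    printf '\n' >> "$tmp/wintest.py"
    if fp_matches "$tmp/wintest.py" "$entry"; then
        echo "unexpected: modified file still matches"
    else
        echo "modified file no longer matches: whitelist is per exact content"
    fi
    rm -rf "$tmp"
}

demo
```

The printed entry is what goes into the .fp file in the signature directory before reloading clamd or re-running clamscan.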
On 3/30/16 7:00 PM, Al Varnell wrote:
With all the name changing that happened in the new database, I don’t think I
can come close to guessing how old the signature might be.
It is in Extended Signature Format (.ndb) looking for an ASCII text file
(normalized) with any offset and an ASCII string of:
netsh firewall set_opmode mode = disable
except that I substituted an underscore "_" for one space to prevent a copy
from this e-mail from being identified as infected.
I have confirmed that the wintest.py file does contain this string and that
there is no subsequent command to re-enable the firewall.
I'll have to leave it to those familiar with how advisable disabling the
firewall on a Windows machine would be under these circumstances.
-Al-
On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:
The only file that was flagged as containing a virus (trojan) was
"wintest.py" in the "wintest" directory of the Samba source code. This
sounds like it's only a file for testing Samba (when built for
Windows?), and, unless it's something really sneaky, shouldn't be able
to affect a running Samba.
The bug is called "BadLock", and, since Microsoft is working on it too,
I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was
stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't
actively work on it, but rather would use it to tout the advantages of
Windows Server.
Paul Kosinski
On Thu, 31 Mar 2016 10:51:55 +1100
Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
Paul:
Thanks for reporting this FP. This will be fixed momentarily.
Is it really a false positive?
There has been a heads up that SAMBA code has a problem and that both
Microsoft and Samba are working on a solution that will be released on
the next patch Tuesday...
That download could be part of this somehow, I don't know. But it
shouldn't blindly be considered a FP, that's for sure!
- Alain
On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
<clamav-us...@iment.com> wrote:
I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
that the gz file contains Win.Trojan.Qhost-106. In particular, the
single file wintest.py in the subdirectory wintest is reported.
Kind Regards
AndrewM
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml