I believe that signature has been dropped.

--
Sent from my iPhone

> On Dec 26, 2016, at 11:08 PM, Christian Balzer <ch...@gol.com> wrote:
>
>
> Hello,
>
>> On Tue, 27 Dec 2016 03:06:31 +0000 Joel Esler (jesler) wrote:
>>
>> We QA against thousands of clean files for each signature. But we don't
>> have a copy of every file in the world to QA against.
>>
>> When people send in false positives, if we determine them to be actually
>> clean, we add them to the FP farm as well. That's why FPs are important to
>> send in, not just to clean current FPs, but to prevent future ones.
>>
>
> Don't have a sample (confidential file), but I have confirmation that this
> was indeed an Excel .xlsm file.
> Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
> I'm willing to bet real money that it was the same type.
>
> Christian
>
>> --
>> Sent from my iPhone
>>
>>> On Dec 26, 2016, at 9:27 PM, Christian Balzer <ch...@gol.com> wrote:
>>>
>>>
>>> Hello Al,
>>>
>>>> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
>>>>
>>>> Although most, if not all the Win.Trojan.Toa old signatures were either
>>>> dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so
>>>> that would appear to be a new issue.
>>>>
>>> Be that as it may, I'd say this isn't a new issue as such but a
>>> continuation of what is clearly insufficient QA with these signatures.
>>>
>>> I'd love to be more helpful, but since these are large mails I don't have a
>>> complete bounce (Exim suppresses those over 100KB) and I don't have easy
>>> access to any of the senders.
>>> But it's with near certainty some attachment in a MS file format that
>>> triggers these.
>>>
>>> Regards,
>>>
>>> Christian
>>>
>>>> -Al-
>>>>
>>>>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>>> On Mon, 26 Dec 2016 19:21:25 -0000 Steve Basford wrote:
>>>>>>
>>>>>>
>>>>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
>>>>>>> In keeping with the other false positive reports I have more than 400
>>>>>>> CentOS servers report below after yesterday's freshclam update:
>>>>>>
>>>>>> Yes, nashorn.jar seems to get hit too...
>>>>>>
>>>>>> eg:
>>>>>>
>>>>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
>>>>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
>>>>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
>>>>>> fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
>>>>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
>>>>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
>>>>>>
>>>>>> and the earlier reported FP's are still there:
>>>>>>
>>>>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
>>>>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
>>>>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
>>>>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
>>>>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
>>>>>>
>>>>>> etc.
>>>>>>
>>>>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing
>>>>>> done in full after holidays.
>>>>>>
>>>>> I can only second that.
>>>>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
>>>>>
>>>>> At this rate the previous bit about "Clamscan becoming its own worst
>>>>> enemy." can not be underestimated.
>>>>> This is the 2nd, VERY visible FP avalanche in so many months and since it
>>>>> affects a lot of people here including internal business mails.
>>>>> Reflecting badly on all OSS projects and SW.
>>>>>
>>>>> Christian
>>>>>
>>>>>> As the issues go on...
>>>>>>
>>>>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
>>>>>>
>>>>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
>>>
>>>
>>> --
>>> Christian Balzer        Network/Systems Engineer
>>> ch...@gol.com           Global OnLine Japan/Rakuten Communications
>>> http://www.gol.com/
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>
>
> --
> Christian Balzer        Network/Systems Engineer
> ch...@gol.com           Global OnLine Japan/Rakuten Communications
> http://www.gol.com/
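
An added example, not part of the thread and not ClamAV project code: a Python script that groups scan-report lines in the `path: signature` form quoted above by signature, then lists the signature names that hit several distinct files. It assumes the scanned files have already been confirmed clean and that the names will go, one per line, into a `local.ign2` file in the ClamAV database directory; the function names, the `min_files` threshold, and the `notes.txt` and summary lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "path: signature" form quoted in the thread; real
# clamscan output appends " FOUND". The notes.txt and summary lines are made up.
REPORT = r"""
fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
fp2\11476331d01: Win.Trojan.Toa-5372078-0
fp2\3A627716d01: Win.Trojan.Toa-5372078-0
fp\omni.ja: Win.Trojan.Toa-5370166-0 FOUND
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
fp\omni.ja: Win.Trojan.Toa-5370166-0 FOUND
fp\notes.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 6
"""

# A hit is "<path>: <Dotted.Signature-Name>[ FOUND]"; "OK" lines and the
# summary block do not match because a signature name needs a dot.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>[A-Za-z][\w-]*(?:\.[\w-]+)+)(?: FOUND)?$")


def hits_by_signature(report):
    """Map each signature name to the set of distinct paths it flagged."""
    hits = defaultdict(set)
    for line in report.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits[m.group("sig")].add(m.group("path"))
    return dict(hits)


def ignore_entries(hits, family="Win.Trojan.Toa-", min_files=2):
    """Signature names of the given family that flagged at least min_files
    distinct files from the known-clean set, sorted for a stable ignore file."""
    return sorted(sig for sig, paths in hits.items()
                  if sig.startswith(family) and len(paths) >= min_files)


if __name__ == "__main__":
    by_sig = hits_by_signature(REPORT)
    for sig in ignore_entries(by_sig):
        # One name per line, as expected in local.ign2 (assumed destination).
        print(sig)
```

Entries added this way should be removed again once an updated database drops the signatures, so that the ignore list does not outlive the false positive.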