$ sigtool --find Win.Trojan.Agent-793284
[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284
Since it's in the main database, it's relatively old. It's looking for a file of size 28672 with the MD5 hash shown. If it had been a more complex signature, then sigtool --find <InfectionName> | sigtool --decode-sigs would do what you are looking for. Not much to prove a false positive that I can see.

-Al-

On Thu, Feb 09, 2017 at 05:12 AM, Brad Scalio wrote:

> Clamscan found a PE "visor.exe.svn-base" that matched
> Win.Trojan.Agent-793284 FOUND.
>
> That said, ran it through virustotal.com with results here
> https://goo.gl/flJl6j
>
> I know pasting a shortened URL in an AV mailing list :-)
>
> 11 of 56 scanners detect a signature, however the file in question is on a
> linux system, and hasn't been touched since 2010, and so I am not too
> worried as it's a homogeneous local LAN of all linux systems, it's just the
> first time we've run a clamscan on this box.
>
> Is there a way, or an online tutorial, or some other information to
> decompose the signature and the file easily to determine if it's a false
> positive or not? I realize this is a complete science in and of itself,
> but I am looking for a way for our tier 0 folks to quickly discern if they
> need to wake up the whole enterprise at 3am in the future.
>
> Thanks much!
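The size:hash:name record that sigtool printed above can be re-checked locally without ClamAV, which is the quick tier-0 triage the question asks for. The following is an added example, not code from this thread or from the ClamAV project; it uses only Python's standard library, and the sample buffer is constructed (it is not the flagged visor.exe.svn-base). It accepts both field orders, size:hash:name as in .mdb and hash:size:name as in .hdb, plus the "*" size wildcard; for an .mdb record the bytes to feed it are a raw PE section, for .hdb the whole file.

```python
import hashlib
import re

# Hex digest lengths ClamAV hash signatures use (md5, sha1, sha256).
_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_hash_sig(line):
    """Parse size:hash:name (.mdb) or hash:size:name (.hdb) into a dict.

    The hash field is recognised by its hex length, so either order works.
    Size is '*' (wildcard) or a decimal byte count; extra fields are ignored.
    """
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("expected at least three colon-separated fields")
    a, b, name = fields[0], fields[1], fields[2]
    if len(a) in _ALGOS and _HEX.match(a):
        digest, size = a, b
    elif len(b) in _ALGOS and _HEX.match(b):
        size, digest = a, b
    else:
        raise ValueError("no md5/sha1/sha256 hex digest found")
    return {
        "algo": _ALGOS[len(digest)],
        "hash": digest.lower(),
        "size": None if size == "*" else int(size),
        "name": name,
    }


def matches(sig, data):
    """True if data (whole file for .hdb, raw PE section for .mdb) hits sig.

    Length is compared first: a size mismatch means the hash can never
    match, which is what makes hash signatures cheap and also brittle.
    """
    if sig["size"] is not None and len(data) != sig["size"]:
        return False
    return hashlib.new(sig["algo"], data).hexdigest() == sig["hash"]


def signature_for(data, name, algo="md5"):
    """Build an .mdb-style size:hash:name line for data (for local test sets)."""
    return "%d:%s:%s" % (len(data), hashlib.new(algo, data).hexdigest(), name)


if __name__ == "__main__":
    page_sig = parse_hash_sig("28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284")
    sample = b"A" * 28672  # constructed stand-in, same size as the record
    print(page_sig["name"], "matches sample:", matches(page_sig, sample))
```

A file that is the right size but whose digest differs is not a hit, so a local mismatch on the real bytes is strong evidence the alert came from a different signature or database version than the one being inspected.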
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
