Not sure what you mean by "MD5 match" but the signature is a complex logical 
one, not a hash:

> $ sigtool --find Win.Dropper.Gephys-6117417-0|sigtool --decode-sig
> VIRUS NAME: Win.Dropper.Gephys-6117417-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4&5&6&7&8&9
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> 8becb8000040005d
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> 8b45088945f88b4d
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> c745fc00000000eb
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> 40005dc3cccccccc
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> cccccc558bec51c7
>  * SUBSIG ID 5
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> ffffff8be55dc3cc
>  * SUBSIG ID 6
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> 0085c0740733c0e9
>  * SUBSIG ID 7
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> ffff8be55dc3cccc
>  * SUBSIG ID 8
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> SUBSIGNATURE:
> cc558bec51c745fc
>  * SUBSIG ID 9
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> TVirtu

-Al-

On Wed, May 03, 2017 at 01:12 AM, Peter B. wrote:
> 
> Thanks for your replies!
> 
> On 05/03/2017 02:18 AM, Joel Esler (jesler) wrote:
>> First thing I notice is that you are running two different versions of 
>> ClamAV.  
> 
> I know, but:
>    *) v0.99.1 is the most recent version of ClamWin, so I can't go higher
>    *) ClamWin also detected the virus with v0.98.x
>    *) I'd assume that if that version would matter, it'd rather be
> v0.99.2 (Clamav Linux) that would detect the virus - not the other way
> around. Right?
> 
> 
> About hashcodes: MD5 match.
> Virus encountered: "Win.Dropper.Gephys-6117417-0"
> 
> 
> Thanks again,
> Peter
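An added illustration, not code from this thread or from the ClamAV project, of why a logical signature fires on files whose MD5s differ: every subsignature is searched for anywhere in the buffer and the per-subsig results are combined by the logical expression. `LDB_LINE` is reconstructed from the decoded output above and is an assumption; `evaluate`, `matches` and `build_sample` are hypothetical names, only `&`, `|` and parentheses are handled, and the TDB (engine and target type) is ignored.

```python
import hashlib
import re
# Reconstructed from the decoded output in the post (assumption: the raw .ldb
# line is not shown there). Layout: name;TDB;expression;subsig0;subsig1;...
LDB_LINE = (
    "Win.Dropper.Gephys-6117417-0;Engine:51-255,Target:1;0&1&2&3&4&5&6&7&8&9;"
    "8becb8000040005d;8b45088945f88b4d;c745fc00000000eb;40005dc3cccccccc;"
    "cccccc558bec51c7;ffffff8be55dc3cc;0085c0740733c0e9;ffff8be55dc3cccc;"
    "cc558bec51c745fc;545669727475"  # last subsig is ASCII "TVirtu"
)

def evaluate(expr, hits):
    """Evaluate subsig IDs joined by &, | and parentheses, left to right."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported expression: %r" % expr)
    pos = 0
    def atom():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok != "(":
            return hits[int(tok)]
        val = term()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses")
        pos += 1
        return val
    def term():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] in "&|":
            op = tokens[pos]; pos += 1
            rhs = atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return term()

def matches(line, data):
    _name, _tdb, expr, *subsigs = line.split(";")
    hits = [bytes.fromhex(s) in data for s in subsigs]  # OFFSET: ANY
    return evaluate(expr, hits)

def build_sample(pad):
    # Constructed test buffer, not a real file: all subsigs joined by padding.
    return pad.join(bytes.fromhex(s) for s in LDB_LINE.split(";")[3:])

if __name__ == "__main__":
    for pad in (b"\x90" * 4, b"\x00" * 7):  # different MD5s, same verdict
        print(hashlib.md5(build_sample(pad)).hexdigest(), matches(LDB_LINE, build_sample(pad)))
```

Because the expression is a pure AND of all ten subsignatures, removing any one of them from the buffer is enough to make the signature stop matching.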


_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
