That helps to explain the False Positives seen this week for that signature which caused the ClamXAV developer to immediately ignore that signature before distributing it.
Although the new signature may well be related to a file created by this infector, it appears to be a separate file from the four identified by the hash signatures.

-Al-

On Fri, Nov 24, 2017 at 07:33 AM, Alain Zidouemba wrote:

> They were replaced with:
>
> Osx.Malware.Proton-6377366-1
>
> - Alain
>
> On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell <[email protected]> wrote:
>
>>> Begin forwarded message:
>>>
>>> From: [email protected]
>>> Subject: [clamav-virusdb] Signatures Published daily - 24065
>>> Date: November 22, 2017 at 5:10:11 PM PST
>>> To: [email protected]
>>>
>>> Dropped Detection Signatures:
>>>
>>> * Osx.Trojan.Proton-6352640-0
>>> * Osx.Trojan.Proton-6352641-0
>>> * Osx.Trojan.Proton-6352642-0
>>> * Osx.Trojan.Proton-6352643-0
>>
>> I'm quite confused and concerned about why these are being dropped. All added in daily - 23973, 20 Oct.
>>
>>> $ sigtool -fOsx.Trojan.Proton-6352640-0
>>> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352641-0
>>> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352642-0
>>> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352643-0
>>> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>>
>> Two of these are a perfect match for samples I personally have of the hijacked Elmedia Player that installed OSX.Proton.C as described in this Intego blog: <https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/> and this Malwarebytes blog: <https://blog.malwarebytes.com/cybercrime/2017/10/mac-malware-osx-proton-strikes-again/>, among others.
>>
>> They are all broadly detected on VirusTotal by 30 or more scanners.
>>
>> VirusTotal
>>> <https://www.virustotal.com/en/file/2e6bb8fd7f983dd06fa0c5314a7b105354888f63c60a3205ade6d467cc620dc5/analysis/>
>>> <https://www.virustotal.com/en/file/2ec4b1705b690ab8c558e3e8ead8bbd34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
>>> <https://www.virustotal.com/en/file/553496aa878821295de7acdd20d6377d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
>>> <https://www.virustotal.com/en/file/4d33f4a3c1cbf9cded6a3a096025d0b44905e0308bd3662a496a0701f2ec942d/analysis/>
>>
>> Can somebody explain why they are being dropped at this time?
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA

-Al-
--
Al Varnell
Mountain View, CA
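As an added example (not code from the thread, nor ClamAV's own), a small Python checker that parses `.hsb` lines in the `md5:size:name:min-flevel` form the sigtool output above shows, and tests a file's size and MD5 against them, skipping any signature whose minimum FLEVEL the engine does not meet. The four hash lines are copied from the thread; the sample bytes and the `make_hsb_line` helper are constructed for the demonstration.

```python
import hashlib
import re
from typing import Iterable, Optional, Tuple

# The four .hsb lines quoted in the thread (md5:size:name:min-flevel),
# re-joined where the mail client wrapped them.
PAGE_HSB_LINES = [
    "cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73",
    "5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73",
    "0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73",
    "ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73",
]

# 32 hex MD5, a decimal size (or '*' for any size), the name, optional min FLEVEL.
HSB_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+|\*):([^:]+)(?::(\d+))?$")


def parse_hsb(line: str) -> Tuple[str, Optional[int], str, int]:
    """Split one .hsb line into (md5, size or None for '*', name, min_flevel)."""
    m = HSB_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a .hsb line: {line!r}")
    md5, size, name, flevel = m.groups()
    return md5.lower(), (None if size == "*" else int(size)), name, int(flevel or 0)


def match_hsb(data: bytes, lines: Iterable[str], engine_flevel: int = 73) -> Optional[str]:
    """Return the name of the first signature matching `data`, or None.

    Mirrors the hash-signature logic: signatures above the engine's FLEVEL are
    never loaded, the size field is checked before hashing, then MD5 must match.
    """
    digest = None
    for line in lines:
        md5, size, name, min_flevel = parse_hsb(line)
        if min_flevel > engine_flevel:
            continue  # engine too old for this signature; it would not be loaded
        if size is not None and size != len(data):
            continue  # cheap size pre-filter, no hashing needed
        if digest is None:
            digest = hashlib.md5(data).hexdigest()  # hash once, lazily
        if digest == md5:
            return name
    return None


def make_hsb_line(data: bytes, name: str, min_flevel: int = 73) -> str:
    """Constructed helper: build an .hsb line for `data` in the same md5:size:name form."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}:{min_flevel}"
```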
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
