I just uploaded an application which falsely shows two components to be infected with this new signature: d075a7fb237c0f250d713ddfd53ef354:21313752:istatmenus6.0.zip

I have at least one other app with the same FP.

-Al-

On Fri, Nov 24, 2017 at 04:47 PM, Al Varnell wrote:

> That helps to explain the False Positives seen this week for that signature
> which caused the ClamXAV developer to immediately ignore that signature
> before distributing it.
>
> Although the new signature may well be related to a file created by this
> infector, it appears to be a separate file from the four identified by the
> hash signatures.
>
> -Al-
>
> On Fri, Nov 24, 2017 at 07:33 AM, Alain Zidouemba wrote:
>
>> They were replaced with:
>>
>> Osx.Malware.Proton-6377366-1
>>
>> - Alain
>>
>> On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell <[email protected]> wrote:
>>
>>>> Begin forwarded message:
>>>>
>>>> From: [email protected]
>>>> Subject: [clamav-virusdb] Signatures Published daily - 24065
>>>> Date: November 22, 2017 at 5:10:11 PM PST
>>>> To: [email protected]
>>>>
>>>> Dropped Detection Signatures:
>>>>
>>>> * Osx.Trojan.Proton-6352640-0
>>>> * Osx.Trojan.Proton-6352641-0
>>>> * Osx.Trojan.Proton-6352642-0
>>>> * Osx.Trojan.Proton-6352643-0
>>>
>>> I'm quite confused and concerned about why these are being dropped. All
>>> added in daily - 23973, 20 Oct.
>>>
>>> $ sigtool -fOsx.Trojan.Proton-6352640-0
>>> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352641-0
>>> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352642-0
>>> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
>>> $ sigtool -fOsx.Trojan.Proton-6352643-0
>>> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>>>
>>> Two of these are a perfect match for samples I personally have of the
>>> hijacked Elmedia Player that installed OSX.Proton.C as described in this
>>> Intego blog:
>>> <https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/>
>>> and this Malwarebytes blog:
>>> <https://blog.malwarebytes.com/cybercrime/2017/10/mac-malware-osx-proton-strikes-again/>,
>>> among others.
>>>
>>> They are all broadly detected on VirusTotal by 30 or more scanners.
>>>
>>> VirusTotal
>>> <https://www.virustotal.com/en/file/2e6bb8fd7f983dd06fa0c5314a7b105354888f63c60a3205ade6d467cc620dc5/analysis/>
>>> <https://www.virustotal.com/en/file/2ec4b1705b690ab8c558e3e8ead8bbd34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
>>> <https://www.virustotal.com/en/file/553496aa878821295de7acdd20d6377d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
>>> <https://www.virustotal.com/en/file/4d33f4a3c1cbf9cded6a3a096025d0b44905e0308bd3662a496a0701f2ec942d/analysis/>
>>>
>>> Can somebody explain why they are being dropped at this time?
>>>
>>> -Al-
>>> --
>>> Al Varnell
>>> Mountain View, CA
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> [email protected]
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>
> -Al-

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________ clamav-users mailing list [email protected] http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
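The thread turns on how ClamAV's .hsb hash signatures behave: an entry is md5:filesize:name:min_flevel, so it can only fire on a byte-for-byte identical file, which is why Al could confirm two of the dropped entries against his own Elmedia Player samples and why a false positive is reported with the same md5:size:filename line that `sigtool --md5` prints. The script below is an added example, not code from the thread or from the ClamAV project: it parses the four `sigtool -f` lines quoted above, checks a file against them the way the engine does (md5 and size both have to agree, and an entry whose min_flevel exceeds the engine's is skipped), builds the FP-report line, and emits the body of a local .ign2 file, which is the stock ClamAV mechanism for ignoring a signature by name. The sample file, its generated .hsb entries and the engine flevel values are constructed for the demonstration.

```python
import hashlib
import os

# The four entries quoted from `sigtool -f` in the thread, in .hsb format:
# md5:filesize:signature_name:min_flevel. ClamAV also accepts "*" in the size
# field (any size) for entries carrying a min_flevel of 73 or above.
THREAD_HSB = """\
cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
"""


def md5_size(data: bytes):
    """Return (md5 hex digest, byte length): the two fields an .hsb entry keys on."""
    return hashlib.md5(data).hexdigest(), len(data)


def parse_hsb(text: str):
    """Parse .hsb lines into dicts; a size of "*" becomes None (wildcard)."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed .hsb line: {raw!r}")
        md5hex, size, name = fields[0].lower(), fields[1], fields[2]
        if len(md5hex) != 32 or any(c not in "0123456789abcdef" for c in md5hex):
            raise ValueError(f"bad md5 field in .hsb line: {raw!r}")
        min_flevel = int(fields[3]) if len(fields) > 3 and fields[3] else 0
        sigs.append({
            "md5": md5hex,
            "size": None if size == "*" else int(size),
            "name": name,
            "min_flevel": min_flevel,
        })
    return sigs


def matching_signatures(data: bytes, sigs, engine_flevel: int = 999):
    """Names of entries that fire on `data`: md5 and size must both agree, and
    entries above the engine's functionality level are never loaded."""
    md5hex, size = md5_size(data)
    hits = []
    for sig in sigs:
        if sig["min_flevel"] > engine_flevel:
            continue
        if sig["md5"] != md5hex:
            continue
        if sig["size"] is not None and sig["size"] != size:
            continue
        hits.append(sig["name"])
    return hits


def scan_path(path: str, sigs, engine_flevel: int = 999):
    with open(path, "rb") as fh:
        return matching_signatures(fh.read(), sigs, engine_flevel)


def fp_report_line(data: bytes, filename: str) -> str:
    """md5:size:basename, the shape `sigtool --md5 FILE` prints and the shape
    the opening message of the thread pastes for its false positive."""
    md5hex, size = md5_size(data)
    return f"{md5hex}:{size}:{os.path.basename(filename)}"


def ign2_text(names) -> str:
    """Body of a local .ign2 file (one signature name per line). Placed in the
    database directory, it makes clamd/clamscan skip those signatures, which is
    the local equivalent of the ClamXAV developer ignoring the new signature."""
    return "".join(f"{n}\n" for n in dict.fromkeys(names))


# Constructed sample so the match path runs offline. Its md5 is computed at
# runtime rather than pasted, so the generated entries are guaranteed to match.
SAMPLE_DATA = b"constructed benign sample, not malware\n" * 64
SAMPLE_MD5, SAMPLE_SIZE = md5_size(SAMPLE_DATA)
HSB_TEXT = THREAD_HSB + (
    f"{SAMPLE_MD5}:{SAMPLE_SIZE}:Test.Sample-0:73\n"   # exact-size entry
    f"{SAMPLE_MD5}:*:Test.Wildcard-0:90\n"             # wildcard size, newer engine only
)

if __name__ == "__main__":
    sigs = parse_hsb(HSB_TEXT)
    print("hits (current engine):", matching_signatures(SAMPLE_DATA, sigs))
    print("hits (flevel 80 engine):", matching_signatures(SAMPLE_DATA, sigs, engine_flevel=80))
    print("FP report line:", fp_report_line(SAMPLE_DATA, "istatmenus6.0.zip"))
    print("local.ign2:\n" + ign2_text(matching_signatures(SAMPLE_DATA, sigs)), end="")
```

Because a hash entry needs an identical md5 and size, a benign archive that trips one of these lines is either the very same bytes the signature was written from or a collision, which is what makes the md5:size:filename report line sufficient for the signature team to reproduce the FP.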
