Thanks for that. Took me a bit to realize I had to unpack the .ppam file to find the match.

I'm still curious to know why that file got marked as bad. If there is a specific cause for concern - or just that it is a 'suspicious' set of macros as olevba shows:

| Suspicious | Kill  | May delete a file                     |
| Suspicious | Chr   | May attempt to obfuscate specific     |
|            |       | strings (use option --deobf to        |
|            |       | deobfuscate)                          |
| Suspicious | Open  | May open a file                       |
| Suspicious | shell | May run an executable file or a       |
|            |       | system command                        |

....

On 01/30/2018 05:17 PM, Al Varnell wrote:
> It's an MD5 hash/file size match:
>
> sigtool -fDoc.Dropper.Agent-6384732-0
> [daily.hsb]
> cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73
>
> -Al-
> ClamXAV User
>
> On Tue, Jan 30, 2018 at 08:50 AM, Orion Poplawski wrote:
>> How can I determine what exactly is triggering a match?
>>
>> $ clamscan IguanaTex_v1_55.ppam
>> IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
>>
>> I'd like to know what exactly was matched, but I'm not able to find
>> where the source for the virus definitions is.
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

--
Orion Poplawski
Manager of NWRA Technical Systems        720-772-5637
NWRA, Boulder/CoRA Office                FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                        https://www.nwra.com/
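The thread above explains the detection as a plain MD5-plus-file-size entry in daily.hsb that matched only after the .ppam (a zip container) was unpacked. The following is an added example, not code from the thread or from ClamAV: a small Python script that parses .hsb-style lines (assumed layout HashString:FileSize:MalwareName:FuncLevel, matching the quoted entry, with `*` accepted as "any size"), hashes a file and every member of a zip container, and reports which object triggered which entry. The `hsb_line` helper that generates an entry from a sample, the sample .ppam contents, and the `vbaProject.bin` stand-in are all constructed for the example.

```python
import hashlib
import io
import zipfile


def parse_hsb(text):
    """Parse .hsb-style lines into {md5_hex: [(size_or_None, name), ...]}.
    Assumed layout: HashString:FileSize:MalwareName[:FuncLevel]; '*' means any size."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue  # malformed entry, skip it
        digest, size, name = parts[0].lower(), parts[1], parts[2]
        size = None if size == "*" else int(size)
        sigs.setdefault(digest, []).append((size, name))
    return sigs


def md5_and_size(data):
    return hashlib.md5(data).hexdigest(), len(data)


def match_blob(data, sigs):
    """Return the signature names whose hash AND size match this blob."""
    digest, size = md5_and_size(data)
    return [name for sig_size, name in sigs.get(digest, [])
            if sig_size is None or sig_size == size]


def scan_container(blob, sigs):
    """Hash the file itself and, if it is a zip container (.ppam/.pptm/.docm ...),
    each member too, so the report says which object matched which entry."""
    results = [("<container>", name) for name in match_blob(blob, sigs)]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                for name in match_blob(zf.read(info.filename), sigs):
                    results.append((info.filename, name))
    return results


def hsb_line(data, malware_name, flevel=73):
    """Constructed helper: build an .hsb entry for a sample (hash-and-size
    generation comparable in spirit to what sigtool does for a file)."""
    digest, size = md5_and_size(data)
    return f"{digest}:{size}:{malware_name}:{flevel}"


def build_sample_ppam(vba_blob):
    """Constructed minimal OOXML-like zip with a vbaProject.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/vbaProject.bin", vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    vba = b"constructed stand-in for a vbaProject.bin stream"
    db = parse_hsb(hsb_line(vba, "Doc.Dropper.Agent-6384732-0"))
    for member, sig in scan_container(build_sample_ppam(vba), db):
        print(f"{member}: {sig}")
```

Because the container's own hash differs from its members' hashes, a hash signature written against an extracted stream only fires once the archive is opened, which is why the match in the thread was only visible after unpacking; changing a single byte of the member (or its size) breaks the match, which is the inherent limitation of hash-based entries compared with content signatures.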