The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false positive. The signature alerted on a Microsoft Word document. The hash for that document is f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
The Word document has a macro that launches PowerShell, downloads an executable and runs it.

On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau <kdeu...@vianet.ca> wrote:
> I've had a customer reporting problems sending a supposedly all-text
> (likely actually multipart text+html with no hand-added attachments)
> triggering this signature.
>
> Since it's a hash I'm baffled by what it might be misfiring on in a
> legitimate more-or-less text-only message.
>
> I don't yet have a copy of the message that actually triggered this
> signature, and after finally getting a couple of empty test messages they
> are of course scanning clean.
>
> Can anyone give any more detail on what kind of file or file component
> this is matching on? All I can see is that it's in daily.hsb, so beyond
> the fact that it is a hash of either the whole file or a component of a
> Word document containing macros I have no idea what it is, and whether it's
> really a FP or not.
>
> -kgd
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
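For a report like Kris's, the quickest way to confirm or rule out a .hsb hit on a message is to hash the raw message and each decoded MIME part and compare against the hsb line format (HashString:FileSize:MalwareName[:MinFL]), since the signature applies to whichever file or part ClamAV scans. This is an added Python example, not ClamAV code or part of either post: the first signature line reuses the hash and name from this thread, but its FileSize is not given here, so `*` is assumed; the Test.* entries and the sample message are constructed.

```python
import hashlib
import email.policy

# Constructed .hsb entries (HashString:FileSize:MalwareName[:MinFL]). The first reuses the
# hash and name from this thread, but its FileSize is not given there, so '*' (any size,
# which requires MinFL 73) is assumed. The Test.* entries are digests of the 3 bytes b"abc".
HSB_LINES = """
f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156:*:Doc.Dropper.Agent-6447876-0:73
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad:3:Test.Constructed.Sha256
a9993e364706816aba3e25717850c26c9cd0d89d:3:Test.Constructed.Sha1
""".strip().splitlines()

# Constructed multipart message: a text part plus a base64 attachment that decodes to b"abc".
SAMPLE_EML = b"""Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain text body.
--b1
Content-Type: application/octet-stream; name="abc.bin"
Content-Transfer-Encoding: base64

YWJj
--b1--"""

def parse_hsb(lines):
    """hsb line -> (algo, digest, size or None for '*', name); digest length selects SHA1/SHA256."""
    sigs = []
    for line in lines:
        digest, size, name = line.strip().split(":")[:3]
        algo = {40: "sha1", 64: "sha256"}[len(digest)]
        sigs.append((algo, digest.lower(), None if size == "*" else int(size), name))
    return sigs

def match_hsb(data, sigs):
    """Names of entries whose digest equals data's and whose size is '*' or exactly len(data)."""
    digests = {a: hashlib.new(a, data).hexdigest() for a in ("sha1", "sha256")}
    return [n for algo, digest, size, n in sigs if digests[algo] == digest and size in (None, len(data))]

def scan_message(raw, sigs):
    """Hash the raw message and every decoded leaf MIME part; return {part label: [signature names]}."""
    hits = {"<whole message>": match_hsb(raw, sigs)}
    for idx, part in enumerate(email.message_from_bytes(raw, policy=email.policy.default).walk()):
        if not part.is_multipart():
            label = part.get_filename() or f"part {idx} ({part.get_content_type()})"
            hits[label] = match_hsb(part.get_payload(decode=True) or b"", sigs)
    return {label: names for label, names in hits.items() if names}
```

ClamAV also applies hash signatures to embedded files it extracts (archive members and similar), which this script does not unpack, so a hit reported on an inner component may not reproduce here.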