It is possible, using a service we have here:

https://talosintelligence.com/sha_searches

To look up some additional details about files, if interested.  SHA256 required.
--
Joel Esler | Talos: Manager | jes...@cisco.com <mailto:jes...@cisco.com>
> On Feb 15, 2018, at 3:23 PM, Alain Zidouemba <azidoue...@sourcefire.com> 
> wrote:
> 
> The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
> positive. The signature alerted on a Microsoft Word document. The hash for
> that document is
> f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
> 
> The Word document has a macro that launches powershell, downloads an
> executable and runs it.
> 
> On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau <kdeu...@vianet.ca> wrote:
> 
>> I've had a customer reporting problems sending a supposedly all-text
>> (likely actually multipart text+html with no hand-added attachments)
>> triggering this signature.
>> 
>> Since it's a hash I'm baffled by what it might be misfiring on in a
>> legitimate more-or-less text-only message.
>> 
>> I don't yet have a copy of the message that actually triggered this
>> signature, and after finally getting a couple of empty test messages they
>> are of course scanning clean.
>> 
>> Can anyone give any more detail on what kind of file or file component
>> this is matching on?  All I can see is that it's in daily.hsb, so beyond
>> the fact that it is a hash of either the whole file or a component of a
>> Word document containing macros I have no idea what it is, and whether it's
>> really a FP or not.
>> 
>> -kgd
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
>> 


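Since the thread turns on how a daily.hsb hash signature decides a match, here is an added example (my code, not ClamAV's and not anything posted by the list members) that builds a .hsb entry for a constructed sample file and checks a file against it the way a hash signature does: exact SHA256 (or SHA1, chosen by digest length) plus an optional size field, so any byte difference means no match. The signature name and sample bytes are constructed; the `:73` minimum-FLEVEL suffix is the value the ClamAV docs give for SHA256/wildcard-size entries.

```python
"""Added example: matching a file against a ClamAV-style .hsb hash entry."""
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-in for a scanned document; NOT the file discussed in the thread.
SAMPLE_BYTES = b"Constructed sample bytes standing in for a Word document\n"


def hsb_line(data: bytes, name: str, use_size: bool = True) -> str:
    """Build a .hsb entry: HashString:FileSize:MalwareName[:MinFLevel].

    `sigtool --sha256 file` prints the first three fields; the optional
    fourth field (73 here) is the minimum functionality level the docs
    require for SHA256 entries and for the '*' size wildcard.
    """
    digest = hashlib.sha256(data).hexdigest()
    size = str(len(data)) if use_size else "*"
    return f"{digest}:{size}:{name}:73"


def parse_hsb(text: str) -> List[Tuple[str, str, str]]:
    """Parse .hsb text into (hash, size, name); this parser skips blank and '#' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed .hsb line: {line!r}")
        entries.append((parts[0].lower(), parts[1], parts[2]))
    return entries


def match_file_hash(data: bytes, entries: List[Tuple[str, str, str]]) -> Optional[str]:
    """Return the name of the first matching entry, or None.

    The size field is checked first as a cheap filter; the digest algorithm is
    picked by hex length (40 = SHA1, 64 = SHA256). A single changed byte anywhere
    in the file changes the digest, so near-identical files do not match.
    """
    for digest, size, name in entries:
        if size != "*" and int(size) != len(data):
            continue
        algo = {40: hashlib.sha1, 64: hashlib.sha256}.get(len(digest))
        if algo is not None and algo(data).hexdigest() == digest:
            return name
    return None
```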
