Can confirm. Win.Malware.Generic-9937882-0 was dropped from the daily CVD earlier today.
On Mon, Jan 31, 2022 at 8:54 AM Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> wrote:

> Looks like the signature was dropped already because sigtool doesn't find it anymore after I updated the databases through freshclam.
>
> --Maarten
>
> On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>
>> Well yes, the fact that it was the only scanner would be an indicator of at least a possible False Positive.
>>
>> Next a check to see when that signature was added shows that it was just yesterday and further that it was dropped today, so clearly an indication that it was found to be incorrect. Updating your daily signature database should eliminate the finding and you can get back to more important work.
>>
>> And if step three were necessary, I would take a look at the signature itself to see if it's focused enough. Here's what it looks like:
>>
>> sigtool -fWin.Malware.Generic-9937882-0|sigtool --decode-sigs
>> VIRUS NAME: Win.Malware.Generic-9937882-0
>> TDB: Engine:81-255,Target:1
>> LOGICAL EXPRESSION: 0&1&2&3&4
>>  * SUBSIG ID 0
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> Expected to find a command ending in '.exe' in shebang line: %ls
>>  * SUBSIG ID 1
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> Terminating quote without starting quote for executable in shebang line: %ls
>>  * SUBSIG ID 2
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> Expected terminating double-quote for executable in shebang line: %ls
>>  * SUBSIG ID 3
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: WIDE
>>  +-> DECODED SUBSIGNATURE:
>> Unable to create process using '%ls': %ls
>>  * SUBSIG ID 4
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> Unable to find executable in environment: %ls
>>
>> So it's looking for all five ASCII strings indicated, which might have been enough to uniquely identify whatever Windows file that is, but apparently either that file was misidentified as being malware or those strings are common to both the malware and your Python lib.
>>
>> -Al-
>>
>> On Jan 31, 2022, at 04:22, Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> FP confirmed (I guess):
>>
>> https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d
>>
>> On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:
>>
>> First I would upload the file to https://virustotal.com to see if any other scanners identify the file as malware.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> Hello, I hope everyone is well.
>>
>> While scanning my database VPS, ClamAV found Win.Malware.Generic-9937882-0 on /opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl. The server is running CentOS 7, so Windows-based malware is not likely dangerous, but it makes me wonder: is it malware or is it a false positive?
>>
>> I am new to all this, so I would like some guidelines as to what I should check and how I should proceed...
>>
>> Thanks in advance,
>>
>> N. Theofanidis
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>> --
>> Cordialement / Best regards,
>>
>> Arnaud Jacques
>> Manager of SecuriteInfo.com
>>
>> Telephone: +33-(0)3.60.47.09.81
>> E-mail: a...@securiteinfo.com
>> Website: https://www.securiteinfo.com
>> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter: @SecuriteInfoCom
>> Signatures for ClamAV antivirus: http://ow.ly/LqfdL

--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
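Al's third triage step, reading the decoded signature to judge whether it is focused enough, can be done mechanically. The following is an added example, not ClamAV, Talos or any list member's code: it parses the `sigtool --decode-sigs` output quoted in the thread, encodes each sub-signature the way its SIGMOD says it is matched (WIDE meaning UTF-16LE, as ClamAV's `w` modifier does; NONE taken as the literal bytes), and evaluates the logical expression over whichever sub-signatures a file body contains. The evaluator accepts `&`, `|` and parentheses, which goes beyond the plain `0&1&2&3&4` of this signature; its precedence for mixed operators is an assumption, and match-count comparisons are not handled. The two file bodies are constructed stand-ins, not the pip wheel or the file on VirusTotal.

```python
# Parse a ClamAV logical signature as printed by `sigtool --decode-sigs` and
# check which sub-signatures a file body satisfies.  Added example, not ClamAV
# code; assumes literal-string patterns (SIGMOD NONE or WIDE) and expressions
# built from IDs, '&', '|' and parentheses (no match counts such as '(0|1)>2').
import re

# Decoded output of the signature from the thread (email line-wrapping undone).
DECODED = """\
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls
"""

HEADERS = {"VIRUS NAME": "name", "TDB": "tdb", "LOGICAL EXPRESSION": "expression"}

def parse_decoded_sigs(text):
    """Return {'name', 'tdb', 'expression', 'subsigs': {id: {offset, sigmod, decoded}}}."""
    sig = {"name": "", "tdb": "", "expression": "", "subsigs": {}}
    sub, want_pattern = None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = (p.strip() for p in line.partition(":"))
        if want_pattern:                      # the line after DECODED SUBSIGNATURE:
            sub["decoded"], want_pattern = line, False
        elif key in HEADERS:
            sig[HEADERS[key]] = value
        elif line.startswith("* SUBSIG ID"):
            sub = sig["subsigs"].setdefault(int(line.split()[-1]), {})
        elif key in ("+-> OFFSET", "+-> SIGMOD"):
            sub[key[4:].lower()] = value      # 'offset' / 'sigmod'
        elif key == "+-> DECODED SUBSIGNATURE":
            want_pattern = True
    return sig

def pattern_bytes(sub):
    """Encode a literal pattern the way its SIGMOD says it is matched (WIDE = UTF-16LE)."""
    return sub["decoded"].encode("utf-16-le" if sub.get("sigmod") == "WIDE" else "latin-1")

def evaluate(expression, matched):
    """Evaluate IDs joined by '&'/'|' with parentheses; '&' binds tighter (assumption)."""
    tokens, pos = re.findall(r"\d+|[&|()]", expression), 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return int(tok) in matched
        value = or_expr()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses: " + expression)
        pos += 1
        return value
    def chain(op, operand):                   # left-associative operands joined by op
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()                   # always consume the operand, no short-circuit
            value = (value and rhs) if op == "&" else (value or rhs)
        return value
    and_expr = lambda: chain("&", atom)
    or_expr = lambda: chain("|", and_expr)
    result = or_expr()
    if pos != len(tokens) or "".join(tokens) != expression.replace(" ", ""):
        raise ValueError("unsupported or malformed expression: " + expression)
    return result

SIG = parse_decoded_sigs(DECODED)
# Constructed file bodies (not real files): every string present, with subsig 3
# as UTF-16LE (what the signature expects) versus everything as plain ASCII.
BODY_WIDE = b"\x00".join(pattern_bytes(s) for s in SIG["subsigs"].values())
BODY_ASCII = b"\x00".join(s["decoded"].encode("latin-1") for s in SIG["subsigs"].values())

def triage(sig, body):
    """Which sub-signatures hit, and whether the logical expression fires on this body."""
    hits = {sid for sid, sub in sig["subsigs"].items() if pattern_bytes(sub) in body}
    return {"hits": sorted(hits), "fires": evaluate(sig["expression"], hits)}
```

`triage(SIG, BODY_WIDE)` reports all five hits and a firing signature, while `triage(SIG, BODY_ASCII)` shows sub-signature 3 missing and the expression false, which is the kind of check that tells you how narrow a signature really is: five plain error-message strings, all anchored at OFFSET ANY, match any program that happens to carry the same messages, so a hit on a Python wheel is worth verifying against other scanners and the signature's age before treating it as malware.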