Hi there,

On Mon, 11 Apr 2022, alex via clamav-users wrote:
> Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0" on one of our executables. This software was developed by our teams and has not been modified since 2014. And suddenly, an alert is lifted...
On a point of order, in English we would say "an alert is raised". It's clear that you aren't a native English speaker so I understand that the distinction may be a little confusing to you, but I assure you that it's no more confusing to you than "lifted" was to me when first I read it. :)
> After some research in the ClamAV VirusDB announcements, I found that this signature was added on February 18, 2022 ...
This begs the question "Why was this almost two months ago?"
> We investigated on our side and saw that the alert was lifted because of 5 subsignatures:
>
> * OnClientToHostWindowX
> * OnDownloadComplete(
> * OnFrameNavigateComplete4
> * OnDownloadBegin4
> * OnStatusBar
>
> These functions come from a Borland library. ...
Is the library still supported, e.g. with security fixes?
> Does ... "Win.Tool.Hoax-9939325-0" detect something really problematic that can compromise our system via our executable?
I doubt it, but I'd imagine you should wait for feedback from the signature team. They're very busy so it might take a while. Other readers of this list might have some observations.
> Is there a way to bypass the lifting of this signature, without completely ignoring it, if it ultimately proves useful against other files?
Not directly in ClamAV, but you could either (1) ensure that whatever feeds files/directories/data to the scanner ignores your binary (see docs); or (2) whitelist the signature as a false positive (see docs) and then, optionally, create your own signature which is based on this one but which specifically avoids flagging your binary.

-- 

73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
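The two workarounds Ged describes, worked through as an added example that is not part of the thread and not ClamAV's own code. It builds the three local database fragments a practitioner would drop next to the official .cvd files: a per-file false-positive entry (.fp, the same MD5:size:name format that `sigtool --md5 FILE` prints), a signature-name whitelist (.ign2, one bare name per line), and a replacement logical signature (.ldb) rebuilt from the five Borland symbol names the poster listed. The executable hashed below is a constructed stand-in, the signature name `Local.Tool.Hoax.Borland-1` and the helper names are my own, and the assumption that the original signature matches those five strings as plain ASCII comes from the poster's description only:

```python
"""Build local ClamAV database fragments for the two workarounds in the thread.

Hypothetical helper, not ClamAV code. Drop the generated files into the
database directory (the one holding main.cvd/daily.cvd) so both clamd and
clamscan load them. The input file below is a constructed stand-in, so the
MD5 it yields is not a real hash from the thread.
"""

import hashlib
import os
import re
import tempfile

SIG_NAME = "Win.Tool.Hoax-9939325-0"  # the signature named in the thread

# The five sub-signature strings the poster identified (assumed plain ASCII).
BORLAND_STRINGS = [
    "OnClientToHostWindowX",
    "OnDownloadComplete(",
    "OnFrameNavigateComplete4",
    "OnDownloadBegin4",
    "OnStatusBar",
]

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def fp_entry(path, name):
    """One .fp line: MD5:size:name, i.e. what `sigtool --md5 FILE` prints.

    Exempts this exact file only; every signature stays active for other files,
    which is the narrowest fix for a known-good binary."""
    with open(path, "rb") as f:
        data = f.read()
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def ign2_entry(sig_name):
    """One .ign2 line: a bare signature name.

    Disables that signature everywhere, so pair it with a replacement (see
    ldb_signature) if the detection is still wanted for other files."""
    if not _NAME_RE.match(sig_name):
        raise ValueError("not a valid signature name: %r" % sig_name)
    return sig_name


def ldb_signature(name, strings, target=1):
    """One .ldb line: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;...

    Target:1 restricts the signature to PE files. Each string becomes a
    hex-encoded subsignature and the expression requires all of them, which
    mirrors the five-subsignature match the poster observed. Logical
    expressions have no negation, so a specific binary cannot be carved out
    here; that exemption comes from the .fp entry instead."""
    if not strings:
        raise ValueError("need at least one subsignature")
    if not _NAME_RE.match(name):
        raise ValueError("not a valid signature name: %r" % name)
    subsigs = [s.encode("ascii").hex() for s in strings]
    expr = "&".join(str(i) for i in range(len(subsigs)))
    return ";".join([name, "Engine:51-255,Target:%d" % target, expr] + subsigs)


def write_local_db(db_dir, exe_path, local_sig="Local.Tool.Hoax.Borland-1"):
    """Write local.fp, local.ign2 and local.ldb into db_dir; return their paths."""
    os.makedirs(db_dir, exist_ok=True)
    files = {
        "fp": (os.path.join(db_dir, "local.fp"), fp_entry(exe_path, SIG_NAME)),
        "ign2": (os.path.join(db_dir, "local.ign2"), ign2_entry(SIG_NAME)),
        "ldb": (os.path.join(db_dir, "local.ldb"),
                ldb_signature(local_sig, BORLAND_STRINGS)),
    }
    for path, line in files.values():
        with open(path, "w") as f:
            f.write(line + "\n")
    return {k: v[0] for k, v in files.items()}


if __name__ == "__main__":
    # Constructed stand-in for the 2014 executable: a PE-like header plus one
    # of the Borland strings, enough to exercise the hashing and encoding.
    work = tempfile.mkdtemp()
    exe = os.path.join(work, "app.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 10 + b"OnStatusBar")
    for kind, path in write_local_db(os.path.join(work, "localdb"), exe).items():
        with open(path) as f:
            print(kind, path, f.read().strip())
    print("then: clamscan -d %s %s" % (os.path.join(work, "localdb"), exe))
```

If you only want option (1), no database changes are needed: clamscan takes `--exclude=REGEX` and clamd.conf has `ExcludePath`, both matching on the path the scanner is fed. For option (2), the .fp entry alone is enough to stop the alert on this one binary while leaving `Win.Tool.Hoax-9939325-0` in force for everything else; the .ign2 plus rebuilt .ldb pair is only needed if you want to replace the official signature with your own variant, and the rebuilt one will still flag any other PE that carries those five strings.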