Thanks for your reply. You are right, I'm not a native English speaker. I went too fast using automatic translators and I didn't review it enough. :D I forgot to mention that I tested our binary with other antivirus and none of them raised an alert. In the meantime, we will look at your possible solutions.
-----Original Message-----
From: clamav-users <clamav-users-boun...@lists.clamav.net> On behalf of G.W. Haywood via clamav-users
Sent: Monday, 11 April 2022 10:08
To: alex via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] Is the signature "Win.Tool.Hoax-9939325-0" really problematic ?

Hi there,

On Mon, 11 Apr 2022, alex via clamav-users wrote:

> Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0"
> on one of our executables. This software was developed by our teams
> and has not been modified since 2014. And suddenly, an alert is lifted...

On a point of order, in English we would say "an alert is raised". It's clear that you aren't a native English speaker so I understand that the distinction may be a little confusing to you, but I assure you that it's no more confusing to you than "lifted" was to me when first I read it. :)

> After some research in the ClamAV VirusDB announcements, I found that
> this signature was added on February 18, 2022 ...

This begs the question "Why was this almost two months ago?"

> We investigated on our side and saw that the alert was lifted because of 5
> subsignatures :
>
> * OnClientToHostWindowX
> * OnDownloadComplete(
> * OnFrameNavigateComplete4
> * OnDownloadBegin4
> * OnStatusBar
>
> These functions come from a Borland library. ...

Is the library still supported, e.g. with security fixes?

> Does ... "Win.Tool.Hoax-9939325-0" detect something really problematic
> that can compromise our system via our executable?

I doubt it, but I'd imagine you should wait for feedback from the signature team. They're very busy so it might take a while. Other readers of this list might have some observations.

> Is there a way to bypass the lifting of this signature, without
> completely ignoring it, if it ultimately proves useful against other
> files?

Not directly in ClamAV, but you could either (1) ensure that whatever feeds files/directories/data to the scanner ignores your binary (see docs); or (2) whitelist the signature as a false positive (see docs) and then, optionally, create your own signature which is based on this one but which specifically avoids flagging your binary.

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
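The allow-listing route from the reply above, as an added example that is not part of the original thread: it writes local ClamAV allow-list files, either a hash entry for one exact binary (`.sfp`) or the signature name itself (`.ign2`). The function names, the `local.*` file names and the paths in the usage comment are assumptions; the database directory is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): local ClamAV allow-list entries
# for a known false positive. Function names are hypothetical.

SIG_NAME="Win.Tool.Hoax-9939325-0"   # signature name quoted in the thread

# Build a hash allow-list entry in ClamAV's SHA256:FileSize:Name format.
sfp_entry() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    hash=$(sha256sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$hash" "$size" "$(basename "$file")"
}

# Append a line to a file only if that exact line is not already there.
add_once() {
    line=$1; target=$2
    touch "$target"
    grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
}

# Narrow option: allow only this exact build of the binary, by hash.
# Any other file that matches the signature is still reported.
allow_file() {
    db_dir=$1; file=$2
    entry=$(sfp_entry "$file") || return 1
    add_once "$entry" "$db_dir/local.sfp"
}

# Broad option: stop the named signature from matching any file.
ignore_signature() {
    db_dir=$1; name=$2
    add_once "$name" "$db_dir/local.ign2"
}

# Usage (both paths are assumptions, adjust to your installation):
#   allow_file /var/lib/clamav /opt/ourapp/ourapp.exe
#   ignore_signature /var/lib/clamav "$SIG_NAME"
```

The hash entry has to be regenerated whenever the binary is rebuilt, and a running clamd needs to reload its databases before either file takes effect.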