Thank you for your reply.
I asked the owner of this file about it.
He told me that these programs are all provided by IBM, and they are
part of an installer program called IIM (IBM Installation Manager).
https://www.ibm.com/docs/en/installation-manager
These programs are used to install products such as "WebSphere
Application Server" and "IBM HTTP Server", as well as during upgrades
and the application of Fix Packs, so they indeed may exhibit behaviors
that could be considered proxy-like.
The types of programs I am familiar with prove their identity by
attaching a Code Signing Certificate to the program, allowing it to be
confirmed as safe to execute; however, it appears that there is no such
signature on this program.
I hope this helps in your decision-making.
On 2025/03/27 23:47, Jonathan Lee wrote:
Do you mind explaining or expanding on what these two products do in terms of
functionality? They could in turn be marked as blocked because they are being abused
on a proxy system; for example, they're staging and/or using that product to
abuse a proxy and pivot off of it, thus Clam AntiVirus is blocking it.
On Mar 27, 2025, at 01:57, N.Sakai via clamav-users
<clamav-users@lists.clamav.net> wrote:
Hello madam and sir,
We found some files which were detected as "Win.Malware.Tedy-10043541-0",
included in the signature "Daily.cvd:27583" released on 21 March 2025, on some servers
(Linux, AIX, Windows) that have ClamAV installed.
We checked to see what they were, because two files of the same malware were
detected.
They are launcher programs provided by IBM, two Windows executable programs named
"ScriptLauncher64.exe" and "launchpad64.exe".
The hash values of each are as follows:
a58caf03eaa7fa003e2d020025b5bd95490a1fccc1f5ee7409b37fe6c7e11b220f39513cdf45501402ad9d6158a312e487f43043f10fc452a9fc3100723234fd
ScriptLauncher64.exe
58caf03eaa7fa003e2d020025b5bd95490a1fccc1f5ee7409b37fe6c7e11b220f39513cdf45501402ad9d6158a312e487f43043f10fc452a9fc3100723234fd
launchpad64.exe
Since these are old programs released in 2017 and 2016 respectively, and are
deemed safe by multiple other antivirus software, we believe that there is a
high possibility that they are false positives.
I also submitted a sample from the "False Positive Report" linked from:
https://www.clamav.net/contact,
but I did not receive any response at the email address which I entered in the
form, so we do not know if it was received by you properly.
The form also said, "Refer to [clamav-virusdb] for updates," so we looked up the email
archive, but the updates from the past few days did not contain any content I am looking for. (If a
false positive is addressed, will it be listed in "Dropped Detection Signatures:"?)
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat