Hello.
I just ran a scan on my environment and found that there are no more
problems.
Thank you.
On 2025/03/28 11:57, N.Sakai via clamav-users wrote:
Thank you for your reply.
I asked the owner of this file about it.
He told me that these programs are all provided by IBM, and they are
part of an installer program called IIM (IBM Installation Manager).
https://www.ibm.com/docs/en/installation-manager
These programs are used to install products such as "WebSphere
Application Server" and "IBM HTTP Server", as well as during upgrades
and the application of Fix Packs, so they indeed may exhibit behaviors
that could be considered proxy-like.
The types of programs I am familiar with prove their identity by
attaching a code signing certificate to the program, allowing it to be
confirmed as safe to execute; however, it appears that there is no
such signature on this program.
I hope this helps in your decision-making.
On 2025/03/27 23:47, Jonathan Lee wrote:
Do you mind explaining or expanding on what these two products do in
terms of functionality? They could in turn be marked for blocking because
they are being abused on a proxy system, for example they're staging
and/or using that product to abuse a proxy and pivot off of it, and thus
ClamAV is blocking it.
Sent from my iPhone
On Mar 27, 2025, at 01:57, N.Sakai via clamav-users
<clamav-users@lists.clamav.net> wrote:
Hello madam and sir,
We found some files which were detected as
"Win.Malware.Tedy-10043541-0", included
in the signature database "Daily.cvd:27583" released on 21 March 2025, on
some servers (Linux, AIX, Windows) that have ClamAV installed.
We checked to see what they were, because two files of the same
malware were detected.
They are launcher programs provided by IBM, two Windows
executable programs named "ScriptLauncher64.exe" and
"launchpad64.exe".
The hash values of each are as follows:
a58caf03eaa7fa003e2d020025b5bd95490a1fccc1f5ee7409b37fe6c7e11b220f39513cdf45501402ad9d6158a312e487f43043f10fc452a9fc3100723234fd
ScriptLauncher64.exe
58caf03eaa7fa003e2d020025b5bd95490a1fccc1f5ee7409b37fe6c7e11b220f39513cdf45501402ad9d6158a312e487f43043f10fc452a9fc3100723234fd
launchpad64.exe
Since these are old programs released in 2017 and 2016 respectively,
and are deemed safe by multiple other antivirus products, we believe
that there is a high possibility that they are false positives.
I also submitted a sample via the "False Positive Report" linked
from:
https://www.clamav.net/contact,
but I did not receive any response at the email address which I entered
in the form, so we do not know if it was received by you properly.
The form also said, "Refer to [clamav-virusdb] for updates," so we
looked up the email archive, but the updates from the past few days
did not contain the content I am looking for. (If a false positive
is addressed, will it be listed under "Dropped Detection Signatures:"?)
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
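The triage steps the thread walks through, working out which signature fired on which files, recording the sample hashes for a false-positive report, and checking whether a later clamav-virusdb announcement lists the signature under "Dropped Detection Signatures:", as an added example that is not part of the original messages or of ClamAV's own code. It assumes clamscan's "<path>: <signature> FOUND" output line format and an announcement laid out as one signature name per line under headings ending in a colon; the scan output and announcement text embedded below are constructed samples, and the placeholder signature names in them are not real ClamAV signatures.

```python
"""Triage helpers for a suspected ClamAV false positive (added example).

Assumptions (not from the thread or from ClamAV's code): clamscan prints
hits as "<path>: <signature> FOUND", and a clamav-virusdb announcement lists
dropped signatures one per line under a "Dropped Detection Signatures:"
heading. The SAMPLE_* strings are constructed for illustration, not real
scan output or a real announcement.
"""
import hashlib
import re
from collections import defaultdict

# Constructed clamscan output: two hits on the same signature, one clean
# file, and the summary block that clamscan appends after the results.
SAMPLE_CLAMSCAN_OUTPUT = """\
/opt/IBM/IIM/eclipse/launchpad64.exe: Win.Malware.Tedy-10043541-0 FOUND
/opt/IBM/IIM/eclipse/ScriptLauncher64.exe: Win.Malware.Tedy-10043541-0 FOUND
/opt/IBM/IIM/eclipse/IBMIM.exe: OK

----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 2
"""

# Constructed announcement in the assumed section layout; the "Placeholder"
# names are made up for the example and are not real ClamAV signatures.
SAMPLE_VIRUSDB_ANNOUNCEMENT = """\
ClamAV database update (constructed sample)

New Detection Signatures:
Win.Trojan.Placeholder-1-0

Dropped Detection Signatures:
Win.Malware.Tedy-10043541-0
Win.Packed.Placeholder-2-0
"""

HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Group the paths clamscan flagged by the signature name that matched."""
    hits = defaultdict(list)
    for line in output.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m:  # "path: OK" lines and the summary block do not match
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def digests(data):
    """SHA-256 and SHA-512 of a sample's bytes; quoting both in a
    false-positive report lets the analyst locate the exact file."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def file_digests(path, chunk_size=1 << 20):
    """Same as digests() but streamed from disk, for large installer binaries."""
    h256, h512 = hashlib.sha256(), hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h256.update(chunk)
            h512.update(chunk)
    return {"sha256": h256.hexdigest(), "sha512": h512.hexdigest()}


def dropped_signatures(announcement):
    """Names listed under 'Dropped Detection Signatures:' up to the next
    heading (any line ending in ':' starts a new section)."""
    names, in_section = set(), False
    for line in announcement.splitlines():
        s = line.strip()
        if s.endswith(":"):
            in_section = (s == "Dropped Detection Signatures:")
        elif in_section and s:
            names.add(s)
    return names


def triage(scan_output, announcement):
    """For every signature that fired, list the files it hit and whether the
    announcement says it was dropped (so a rescan with the newer database
    should come back clean)."""
    dropped = dropped_signatures(announcement)
    return {
        sig: {"paths": sorted(paths), "dropped": sig in dropped}
        for sig, paths in parse_clamscan(scan_output).items()
    }


if __name__ == "__main__":
    for sig, info in triage(SAMPLE_CLAMSCAN_OUTPUT, SAMPLE_VIRUSDB_ANNOUNCEMENT).items():
        state = "dropped in the sampled update" if info["dropped"] else "still active"
        print(f"{sig}: {len(info['paths'])} file(s), {state}")
        for p in info["paths"]:
            print(f"  {p}")
```

On a live host the same facts come from the tools themselves: clamscan exits with status 1 whenever a line ends in FOUND, `sigtool --info` on the database file reports the version that was current at scan time, and after freshclam has pulled the newer database, `sigtool --find-sigs` with the signature name shows whether it is still present before you rescan.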