[Clamav-devel] More issues with 0.99.3 beta 1

Mark Allan markjallan at gmail.com
Tue Aug 15 06:34:07 EDT 2017


I have two files which are being wrongly reported as infected by 0.99.3 beta 1. ClamAV 0.99.2 doesn't detect any issues with the files.

The first is a single email file (extension .emlx) with md5 checksum of 245ec37768c235da265014add38bdf4d and a file size of 2777 bytes. It's being detected as Win.Trojan.Agent-6319774-0, which has the following signature in daily.cvd:

[daily.hsb] 6f8f57715090da2632453988d9a1501b:1:Win.Trojan.Agent-6319774-0:73

Three things strike me as odd about this:
1) The length of that hash surely matches md5 rather than sha1/sha256 and therefore ought to be in an hdb file rather than hsb?
2) It specifies a length of 1 byte, but also has :73 at the end which means "file size unknown".
3) The hash doesn't even match the hash of the email file in question. FWIW 163 other different email files are also triggering the same infection on 0.99.3 but not 0.99.2

Wouldn't either of the first two be enough for the sig to be marked as corrupt?

Lastly, why are ClamAV 0.99.2 and 0.99.3 treating that signature differently?


The other file is a PDF being wrongly detected as Win.Trojan.Agent-5520346-0. It appears to have the same issue with the signature definition inside daily.hsb, and also the file hash (c6721e7c77846b5a1d0efe3a708d8dc7) doesn't match the signature hash but is still being detected by 0.99.3. That hash can be found on VirusTotal with zero other detections.

[daily.hsb] 8fa14cdd754f91cc6554c9e71929cce7:1:Win.Trojan.Agent-5520346-0:73

While I could just add those two signatures to a local exclude file, I suspect there may be a bigger issue at play with 0.99.3.

Hope this is helpful.

Mark
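As an added example (my own code, not from the thread or the ClamAV project), here is a small Python triage helper that parses the documented HashString:FileSize:MalwareName[:MinFL[:MaxFL]] layout of the .hsb lines quoted above, infers the algorithm from the digest length, and checks whether a file's bytes can match under that layout's own rules. The 2777-byte buffer and the Test.Sig line used alongside it are constructed, not the real files or real signatures.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Digest length decides the algorithm: 32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

@dataclass
class HashSig:
    digest: str
    size: Optional[int]     # None stands for a '*' size field, which needs MinFL >= 73
    name: str
    min_flevel: Optional[int] = None
    max_flevel: Optional[int] = None

    @property
    def algo(self) -> str:
        return HASH_ALGOS[len(self.digest)]

def parse_hash_sig(line: str) -> HashSig:
    """Parse one 'HashString:FileSize:MalwareName[:MinFL[:MaxFL]]' line, raising on malformed input."""
    fields = line.strip().split(":")
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"expected 3 to 5 colon-separated fields, got {len(fields)}")
    digest = fields[0].lower()
    if len(digest) not in HASH_ALGOS or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {fields[0]}")
    size = None if fields[1] == "*" else int(fields[1])
    flevels = [int(f) for f in fields[3:]]        # MinFL and optional MaxFL
    sig = HashSig(digest, size, fields[2], *flevels)
    if size is None and (sig.min_flevel is None or sig.min_flevel < 73):
        raise ValueError("a '*' file size requires a MinFL of at least 73")
    return sig

def matches(sig: HashSig, data: bytes) -> bool:
    """A hash signature hits only when the size field agrees (or is '*') AND the digest is equal."""
    if sig.size is not None and sig.size != len(data):
        return False
    return hashlib.new(sig.algo, data).hexdigest() == sig.digest

def find_single_byte(sig: HashSig) -> Optional[bytes]:
    """For a size-1 signature, recover the single byte value it can ever match (256 candidates)."""
    if sig.size != 1:
        return None
    return next((bytes([b]) for b in range(256) if matches(sig, bytes([b]))), None)

# The two lines quoted in the post, plus a constructed 2777-byte stand-in for the .emlx file.
POST_SIGS = ["6f8f57715090da2632453988d9a1501b:1:Win.Trojan.Agent-6319774-0:73",
             "8fa14cdd754f91cc6554c9e71929cce7:1:Win.Trojan.Agent-5520346-0:73"]
SAMPLE_EMLX = b"Subject: constructed sample\n".ljust(2777, b"\n")
```

Running `matches()` over the two quoted signatures with any file larger than one byte returns False, which is the behaviour a correct hash matcher should show; `find_single_byte()` tells you which single byte value such a size-1 signature actually describes.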


