[Clamav-devel] More issues with 0.99.3 beta 1
smorgan at sourcefire.com
Tue Aug 15 11:53:04 EDT 2017
Thanks, we are also observing these same FP's in our testing. They are on
the roadmap for 0.99.3.
On Tue, Aug 15, 2017 at 6:34 AM, Mark Allan <markjallan at gmail.com> wrote:
> I have two files which are being wrongly reported as infected by 0.99.3
> beta 1. ClamAV 0.99.2 doesn't detect any issues with the files.
> The first is a single email file (extension .emlx) with md5 checksum of
> 245ec37768c235da265014add38bdf4d and a file size of 2777 bytes. It's
> being detected as Win.Trojan.Agent-6319774-0 which has the following
> signature in daily.cvd
> [daily.hsb] 6f8f57715090da2632453988d9a1501b:1:Win.Trojan.Agent-6319774-
> Three things strike me as odd about this:
> 1) The length of that hash surely matches md5 rather than sha1/sha256 and
> therefore ought to be in an hdb file rather than hsb?
> 2) It specifies a length of 1 byte, but also has :73 at the end which
> means "file size unknown".
> 3) The hash doesn't even match the hash of the email file in question.
> FWIW 163 other different email files are also triggering the same infection
> on 0.99.3 but not 0.99.2.
> Wouldn't either of the first two be enough for the sig to be marked as
> Lastly, why are ClamAV 0.99.2 and 0.99.3 treating that signature
> The other file is a PDF being wrongly detected as
> Win.Trojan.Agent-5520346-0. It appears to have the same issue with the
> signature definition inside daily.hsb, and also the file hash (
> c6721e7c77846b5a1d0efe3a708d8dc7) doesn't match the signature hash but is
> still being detected by 0.99.3. That hash can be found on VirusTotal with
> zero other detections.
> [daily.hsb] 8fa14cdd754f91cc6554c9e71929cce7:1:Win.Trojan.Agent-5520346-
> While I could just add those two signatures to a local exclude file, I
> suspect there may be a bigger issue at play with 0.99.3.
> Hope this is helpful.
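
An added example, not part of the original thread and not ClamAV's own code: a small Python check that applies the report's three questions (hash length versus database file, size field versus trailing level field, and whether the file really matches) to a hash-signature entry. It assumes the `hash:size:name[:level]` layout seen in the quoted lines; the function names, the sample signature and the sample mail bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

@dataclass
class HashSig:
    digest: str
    size: Optional[int]        # None when the size field is "*"
    name: str
    min_flevel: Optional[int]  # optional trailing field, e.g. 73

def parse_sig(line: str) -> HashSig:
    """Parse 'hash:size:name[:level]' (layout assumed from the quoted lines)."""
    parts = line.strip().split(":")
    if len(parts) not in (3, 4):
        raise ValueError("expected 3 or 4 colon-separated fields")
    digest, size, name = parts[0].lower(), parts[1], parts[2]
    if len(digest) not in ALGO_BY_LEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("not an md5/sha1/sha256 hex digest")
    if size != "*" and not size.isdigit():
        raise ValueError("size must be a byte count or '*'")
    flevel = int(parts[3]) if len(parts) == 4 else None
    return HashSig(digest, None if size == "*" else int(size), name, flevel)

def review_notes(sig: HashSig, db_ext: str) -> List[str]:
    """Return the oddities from the report that apply to this entry."""
    notes = []
    if db_ext == "hsb" and ALGO_BY_LEN[len(sig.digest)] == "md5":
        notes.append("md5-length hash in an .hsb file")
    if sig.size is not None and sig.min_flevel is not None:
        notes.append("fixed size given together with a trailing level field")
    return notes

def matches(sig: HashSig, data: bytes) -> bool:
    """True only if size (when fixed) and digest both agree with the data."""
    if sig.size is not None and sig.size != len(data):
        return False
    return hashlib.new(ALGO_BY_LEN[len(sig.digest)], data).hexdigest() == sig.digest

# Constructed sample data, not the signatures or files from the report.
SAMPLE_SIG = hashlib.md5(b"A").hexdigest() + ":1:Example.Constructed-0:73"
SAMPLE_MAIL = b"From: a@example.org\r\nSubject: test\r\n\r\nhello\r\n"

if __name__ == "__main__":
    sig = parse_sig(SAMPLE_SIG)
    print(review_notes(sig, "hsb"))
    print("matches mail:", matches(sig, SAMPLE_MAIL))
```

A detection on a file for which `matches` returns False, as with the sample mail here, indicates the scanner is not comparing size and digest the way the entry is written.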