[clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

Christian Balzer chibi at gol.com
Tue Dec 27 04:08:22 UTC 2016


Hello,

On Tue, 27 Dec 2016 03:06:31 +0000 Joel Esler (jesler) wrote:

> We QA against thousands of clean files for each signature.  But we don't have a copy of every file in the world to QA against.  
> 
> When people send in false positives, if we determine them to be actually clean, we add them to the FP farm as well.  That's why FPs are important to send in, not just to clean current FPs, but to prevent future ones.   
>

Don't have a sample (confidential file), but I have confirmation that this
was indeed an Excel .xlsm file.
Given the senders/recipients of the other Win.Trojan.Toa-5368540-0 FPs,
I'm willing to bet real money that it was the same type.

Christian

> --
> Sent from my iPhone
> 
> > On Dec 26, 2016, at 9:27 PM, Christian Balzer <chibi at gol.com> wrote:
> > 
> > 
> > Hello Al,
> > 
> >> On Mon, 26 Dec 2016 17:52:53 -0800 Al Varnell wrote:
> >> 
> >> Although most, if not all the Win.Trojan.Toa old signatures were either dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would appear to be a new issue.
> >> 
> > Be that as it may, I'd say this isn't a new issue as such but a
> > continuation of what is clearly insufficient QA with these signatures.
> > 
> > I'd love to be more helpful, but since these are large mails I don't have a
> > complete bounce (Exim suppresses those over 100KB) and I don't have easy
> > access to any of the senders.
> > But it's with near certainty some attachment in a MS file format that
> > triggers these.
> > 
> > Regards,
> > 
> > Christian
> > 
> >> -Al-
> >> 
> >>> On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote:
> >>> 
> >>> Hello,
> >>> 
> >>>> On Mon, 26 Dec 2016 19:21:25 -0000 Steve Basford wrote:
> >>>> 
> >>>> 
> >>>>> On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> >>>>> In keeping with the other false positive reports I have more than 400
> >>>>> CentOS servers report below after yesterday's freshclam update:
> >>>> 
> >>>> Yes, nashorn.jar seems to get hit too...
> >>>> 
> >>>> eg:
> >>>> 
> >>>> fp2\11476331d01: Win.Trojan.Toa-5372078-0
> >>>> fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
> >>>> fp2\3A627716d01: Win.Trojan.Toa-5372078-0
> >>>> fp2\firefox-hotfix at mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
> >>>> fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
> >>>> fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0
> >>>> 
> >>>> and the earlier reported FP's are still there:
> >>>> 
> >>>> fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
> >>>> fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\loop at mozilla.org.xpi: Win.Trojan.Toa-5370166-0
> >>>> fp\omni.ja: Win.Trojan.Toa-5370166-0
> >>>> fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
> >>>> fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0
> >>>> 
> >>>> etc.
> >>>> 
> >>>> IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
> >>>> in full after holidays.
> >>>> 
> >>> I can only second that.
> >>> And add Win.Trojan.Toa-5368540-0 to the list of FPs.
> >>> 
> >>> At this rate the previous bit about "Clamscan becoming its own worst
> >>> enemy." can not be underestimated.
> >>> This is the 2nd, VERY visible FP avalanche in so many months and since it
> >>> affects a lot of people here including internal business mails.
> >>> Reflecting badly on all OSS projects and SW.
> >>> 
> >>> Christian
> >>> 
> >>>> As the issues go on...
> >>>> 
> >>>> https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56&showtopic=363061
> >>>> 
> >>>> https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0
> > 
> > 
> > -- 
> > Christian Balzer        Network/Systems Engineer                
> > chibi at gol.com       Global OnLine Japan/Rakuten Communications
> > http://www.gol.com/
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > 
> > 
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > 
> > http://www.clamav.net/contact.html#ml


-- 
Christian Balzer        Network/Systems Engineer                
chibi at gol.com       Global OnLine Japan/Rakuten Communications
http://www.gol.com/
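The pattern Steve and Christian describe, one signature family firing on .jar, .xpi, .msi, .ipa and Office files that have nothing in common, is easy to spot mechanically once scan output is grouped by family. The script below is an added example for this thread, not code from ClamAV or from any poster. It parses clamscan-style "path: Signature FOUND" lines (and the bare "path: Signature" form quoted above), groups hits by signature family, flags families that hit many unrelated file types, and emits the exact signature names for a local .ign2 file so a site can stop those signatures from quarantining mail until upstream fixes them. The sample output, the family-stripping rule and the thresholds are constructed assumptions; the .ign2 format (one signature name per line) is ClamAV's.

```python
import re
from collections import defaultdict
from pathlib import PurePath

# Constructed sample (not real scan output): clamscan-style "path: Signature FOUND"
# lines, a few in the bare "path: Signature" form used in the thread, one clean
# file and one summary line that the parser must ignore.
SAMPLE_OUTPUT = """\
fp2/nashorn.jar: Win.Trojan.Toa-5370166-0 FOUND
fp2/firefox-hotfix@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
fp2/startupCache.4.little: Win.Trojan.Toa-5370166-0
fp2/Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0 FOUND
fp2/200ENGI.EXE: Win.Trojan.Toa-5380327-0 FOUND
fp/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
fp/greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0 FOUND
fp/Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0 FOUND
fp/quarterly.xlsm: Win.Trojan.Toa-5368540-0 FOUND
fp/eicar.com: Eicar-Test-Signature FOUND
fp/clean.txt: OK
Infected files: 10
"""

# "path: Signature" with an optional trailing FOUND. Signature names start with
# a letter, which keeps summary lines such as "Infected files: 10" out.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>[A-Za-z][\w.\-]*)(?: FOUND)?$")


def parse_hits(text):
    """Return (path, signature) pairs for every detection line in the output."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m and m.group("sig") != "OK":
            hits.append((m.group("path"), m.group("sig")))
    return hits


def family_of(sig):
    """Strip the numeric suffix (assumed layout): Win.Trojan.Toa-5370166-0 -> Win.Trojan.Toa."""
    return re.sub(r"-\d+-\d+$", "", sig)


def summarize(hits):
    """Per family: hit count, distinct signature names, distinct file suffixes hit."""
    fam = defaultdict(lambda: {"count": 0, "sigs": set(), "suffixes": set()})
    for path, sig in hits:
        e = fam[family_of(sig)]
        e["count"] += 1
        e["sigs"].add(sig)
        e["suffixes"].add(PurePath(path).suffix.lower() or "(none)")
    return fam


def suspect_families(summary, min_hits=3, min_suffixes=3):
    """Families whose signatures fire across several unrelated file types.

    One family hitting .jar, .xpi, .msi and .ipa at once is the shape of the
    FP avalanche in the thread; hold such families for review before trusting
    them. The thresholds are constructed defaults, not ClamAV settings."""
    return sorted(f for f, e in summary.items()
                  if e["count"] >= min_hits and len(e["suffixes"]) >= min_suffixes)


def ign2_lines(summary, families):
    """Exact signature names for a local .ign2 file (one name per line), which
    makes clamscan/clamd skip those signatures until upstream corrects them."""
    return sorted(s for f in families for s in summary[f]["sigs"])


if __name__ == "__main__":
    summary = summarize(parse_hits(SAMPLE_OUTPUT))
    for fam, e in sorted(summary.items()):
        print(f"{fam}: {e['count']} hits, {len(e['sigs'])} sigs, "
              f"types {sorted(e['suffixes'])}")
    flagged = suspect_families(summary)
    print("suspect families:", flagged)
    print("local.ign2 contents:")
    print("\n".join(ign2_lines(summary, flagged)))
```

Drop the emitted names into a file such as local.ign2 in the database directory and reload; the ignore list is a site-local stopgap, so keep the FP samples and submit them as Joel asks, then delete the entries once the corrected daily update arrives.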


