[clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
demonhunter
demonhunter at counterchaos.com
Tue Dec 27 21:53:32 UTC 2016
Office Open XML files (.doc(x|m), .xls(x|m), etc., https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with macros typically contain an OLE2 file named vbaProject.bin. This signature appears as though it would match all standard Open XML files that contain macros. Examples of false positives should not be necessary to remove this signature:
$ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
[daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
$ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | sigtool --decode-sig
VIRUS NAME: Win.Trojan.Toa-5368540-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: vbaProject\.bin$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY
DH
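As an added illustration (not part of the original message or of ClamAV's own code), the following Python reimplements the container-metadata match that the decoded signature above describes and runs it over two constructed packages: a macro-enabled workbook skeleton and a macro-free one. The field order and the meaning of `*` follow the sigtool decode output; the ZIP member contents, the helper names and the hex form used for the CRC field are assumptions of this toy, not libclamav behaviour.

```python
import io
import re
import zipfile

# The .cdb (container metadata) signature exactly as sigtool printed it on the list.
SIG = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

# Field order as reported by `sigtool --decode-sig` for a .cdb line.
FIELDS = ["name", "container", "container_size", "fname_re", "csize",
          "usize", "encrypted", "pos", "crc"]


def parse_cdb(line):
    """Split a .cdb line into named fields; '*' in any field means 'any'."""
    return dict(zip(FIELDS, line.rstrip(":").split(":")))


def discriminating_fields(sig):
    """Names of the fields that actually constrain a match (everything not '*')."""
    return [k for k in FIELDS[1:] if sig[k] != "*"]


def in_range(spec, value):
    """Match a numeric field: '*' (any), an exact value, or 'min-max' (assumed form)."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= value <= hi
    return value == int(spec)


def cdb_matches(sig, zip_bytes):
    """Return the ZIP member names that satisfy every field of the signature."""
    if sig["container"] != "CL_TYPE_ZIP":
        return []
    if not in_range(sig["container_size"], len(zip_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pos, info in enumerate(zf.infolist()):
            encrypted = 1 if info.flag_bits & 0x1 else 0  # bit 0 = traditional ZIP encryption
            if (re.search(sig["fname_re"], info.filename)
                    and in_range(sig["csize"], info.compress_size)
                    and in_range(sig["usize"], info.file_size)
                    and sig["encrypted"] in ("*", str(encrypted))
                    and in_range(sig["pos"], pos)
                    and sig["crc"] in ("*", f"{info.CRC:08x}")):  # hex CRC is an assumption
                hits.append(info.filename)
    return hits


def build_ooxml(members):
    """Build an in-memory Office Open XML package (a plain ZIP) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a macro-enabled workbook skeleton. The vbaProject.bin body is a
# placeholder starting with the OLE2 magic; a real one would hold the VBA streams.
MACRO_XLSM = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
})

# Constructed sample: the same skeleton with no macro project at all.
PLAIN_XLSX = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
})


def scan(zip_bytes, sig_line=SIG):
    """Return the signature name if the package matches, else None."""
    sig = parse_cdb(sig_line)
    return sig["name"] if cdb_matches(sig, zip_bytes) else None


if __name__ == "__main__":
    print("constraining fields:", discriminating_fields(parse_cdb(SIG)))
    print("macro workbook  ->", scan(MACRO_XLSM))
    print("plain workbook  ->", scan(PLAIN_XLSX))
```

Running it shows that the only constraining fields are the container type and the filename regex, so any ZIP holding a member ending in `vbaProject.bin`, which is every standard macro-enabled Office Open XML document, is flagged, while the macro-free package is not. The size, encryption, position and CRC fields are exactly the ones a narrower signature would have to pin to a specific malicious project instead of leaving at `*`.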
----- Original Message -----
From: "Joel Esler (jesler)" <jesler at cisco.com>
To: "Adnan de Castro Donato" <adnan.castro at stwbrasil.com>, "ClamAV users ML" <clamav-users at lists.clamav.net>
Sent: Tuesday, December 27, 2016 3:25:14 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Are you able to submit the files via the website?
--
Sent from my Apple Watch
On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato <adnan.castro at stwbrasil.com> wrote:
>
> In keeping with one false positive reports
> I have 8 CentOS servers report below after Signatures Published daily - 22782 update:
>
> All attachment with extension *.xlsm have the same issue:
>
> Our content checker found
> virus: Win.Trojan.Toa-5368540-0
>
>
> Believe this is a false positive. Would like confirmation and an update if possible.
>
> Thanks.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml