[clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Al Varnell
alvarnell at mac.com
Tue Dec 27 22:37:01 UTC 2016
On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
> Office Open XML file format (.doc(x|m), .xls(x|m), etc., https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with macros typically contain an OLE2 file named vbaProject.bin. This signature appears as though it would match all standard Open XML files that contain macros. Examples of false positives should not be necessary to remove this signature:
Yes, but as mentioned here several times, the vbaProject.bin file can be added to the QA test environment so that future FPs concerning it will no longer be distributed, but only when we submit the file.
-Al-
> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
> [daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>
> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | sigtool --decode-sig
> VIRUS NAME: Win.Trojan.Toa-5368540-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: vbaProject\.bin$
> COMPRESSED FILESIZE: ANY
> UNCOMPRESSED FILESIZE: ANY
> ENCRYPTION: IGNORED
> FILE POSITION: ANY
> CRC SUM: ANY
>
>
> DH
>
>
> ----- Original Message -----
> From: "Joel Esler (jesler)"
> To: "Adnan de Castro Donato" <adnan.castro at stwbrasil.com>, "ClamAV users ML" <clamav-users at lists.clamav.net>
> Sent: Tuesday, December 27, 2016 3:25:14 PM
> Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
>
> Are you able to submit the files via the website?
>
>
> Sent from my Apple Watch
>
> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>> In keeping with one false positive reports
>> I have 8 CentOS servers report below after Signatures Published daily - 22782 update:
>>
>> All attachment with extension *.xlsm have the same issue:
>>
>> Our content checker found
>> virus: Win.Trojan.Toa-5368540-0
>>
>> Believe this is a false positive. Would like confirmation and an update if possible.
>>
>> Thanks.
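As an added illustration (not written by any participant in this thread), the following Python script splits the quoted .cdb line into the same labelled fields that sigtool --decode-sig printed above, then applies its FILENAME REGEX to the member list of two constructed in-memory Office Open XML workbooks: one carrying an xl/vbaProject.bin member, one without macros. It shows why the signature fires on every macro-enabled document rather than on anything specific. Applying the regex with re.search (unanchored at the start) and the OLE2 header bytes used for the dummy vbaProject.bin are assumptions of this example, not details taken from the thread.

```python
import io
import re
import zipfile

# The container-metadata signature quoted in the thread, verbatim.
CDB_SIGNATURE = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

# Field labels in the order sigtool --decode-sig printed them above.
CDB_FIELDS = (
    "VIRUS NAME", "CONTAINER TYPE", "CONTAINER SIZE", "FILENAME REGEX",
    "COMPRESSED FILESIZE", "UNCOMPRESSED FILESIZE", "ENCRYPTION",
    "FILE POSITION", "CRC SUM",
)


def decode_cdb(line):
    """Split one .cdb line into a dict of labelled raw fields.

    The line ends in ':' so the split leaves a trailing empty element,
    which is dropped before the fields are paired with their labels.
    """
    parts = line.rstrip("\n").split(":")
    if parts and parts[-1] == "":
        parts.pop()
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("too few fields in signature: %d" % len(parts))
    return dict(zip(CDB_FIELDS, parts))


def describe(line):
    """Render the fields the way sigtool --decode-sig did in the thread:
    a '*' wildcard prints as ANY, except for ENCRYPTION where it prints IGNORED."""
    out = []
    for label, value in decode_cdb(line).items():
        if value == "*":
            value = "IGNORED" if label == "ENCRYPTION" else "ANY"
        out.append("%s: %s" % (label, value))
    return out


def matching_members(line, zip_bytes):
    """Return the ZIP member names the signature's FILENAME REGEX selects.

    Only the container type and the filename regex are evaluated, because
    every other field of this particular signature is a wildcard. The regex
    has no leading '^', so it is applied as a search (assumption about the
    matching engine), which is why 'xl/vbaProject.bin' is caught.
    """
    fields = decode_cdb(line)
    if fields["CONTAINER TYPE"] != "CL_TYPE_ZIP":
        return []
    pattern = re.compile(fields["FILENAME REGEX"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if pattern.search(name)]


# Constructed OLE2 compound-file header, used only to make the dummy
# vbaProject.bin look like the binary blob Office stores macros in.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(members):
    """Write the given {name: bytes} members into an in-memory ZIP (OOXML shell)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: a macro-enabled workbook (.xlsm shape) and a plain one (.xlsx shape).
# The '.bin.orig' member is there to show that the trailing '$' keeps it out of the match.
MACRO_WORKBOOK = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": OLE2_MAGIC + b"\x00" * 504,
    "xl/vbaProject.bin.orig": OLE2_MAGIC + b"\x00" * 504,
})
PLAIN_WORKBOOK = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/worksheets/sheet1.xml": b"<worksheet/>",
})


if __name__ == "__main__":
    for entry in describe(CDB_SIGNATURE):
        print(entry)
    print("macro workbook hits:", matching_members(CDB_SIGNATURE, MACRO_WORKBOOK))
    print("plain workbook hits:", matching_members(CDB_SIGNATURE, PLAIN_WORKBOOK))
```

Running it prints the same nine decoded lines the thread shows, then one hit (xl/vbaProject.bin) for the macro-enabled shell and none for the macro-free one, which is exactly the "every .xlsm" behaviour the reporter observed: nothing in the signature constrains size, position or content, so presence of a macro container alone is enough to trigger it.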