[clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Kris Deugau
kdeugau at vianet.ca
Wed Dec 28 18:34:16 UTC 2016
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML files (.doc(x|m), .xls(x|m), etc., https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with macros typically contain an OLE2 file named vbaProject.bin. This signature appears as though it would match all standard Open XML files that contain macros. Examples of false positives should not be necessary to remove this signature:
>
> Yes, but as mentioned here several times, the vbaProject.bin file can be added to the QA test environment so that future FP's concerning it will no longer be distributed, but only when we submit the file.
To rephrase demonhunter, the signature is on the filename component, not the content of the file; it's a generic name for the container for macro(s) in a current-generation Office document, which happen to be lightly rebranded .zip files.
I've had a report as well; I don't yet have an example file though.
-kgd
>
> -Al-
>
>> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
>> [daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>>
>> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | sigtool --decode-sig
>> VIRUS NAME: Win.Trojan.Toa-5368540-0
>> CONTAINER TYPE: CL_TYPE_ZIP
>> CONTAINER SIZE: ANY
>> FILENAME REGEX: vbaProject\.bin$
>> COMPRESSED FILESIZE: ANY
>> UNCOMPRESSED FILESIZE: ANY
>> ENCRYPTION: IGNORED
>> FILE POSITION: ANY
>> CRC SUM: ANY
>>
>>
>> DH
>>
>>
>> ----- Original Message -----
>> From: "Joel Esler (jesler)"
>> To: "Adnan de Castro Donato" <adnan.castro at stwbrasil.com>, "ClamAV users ML" <clamav-users at lists.clamav.net>
>> Sent: Tuesday, December 27, 2016 3:25:14 PM
>> Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
>>
>> Are you able to submit the files via the website?
>>
>>
>> Sent from my Apple Watch
>>
>> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>>> In keeping with other false positive reports,
>>> I have 8 CentOS servers reporting the below after the Signatures Published daily - 22782 update:
>>>
>>> All attachment with extension *.xlsm have the same issue:
>>>
>>> Our content checker found
>>> virus: Win.Trojan.Toa-5368540-0
>>>
>>> Believe this is a false positive. Would like confirmation and an update if possible.
>>>
>>> Thanks.
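The .cdb (container metadata) signature quoted in the thread is matched on the archive member's name, not its content, which is why every macro-enabled OOXML document triggered it. The following is an added example, not ClamAV's own code: a small Python model of that match, run over two ZIPs constructed inline to stand in for a macro-enabled workbook and a plain one (member names and contents are made up for the demonstration).

```python
"""Model of a ClamAV .cdb signature match: the test is on the member
filename inside the ZIP container, so any OOXML file carrying a macro
container named vbaProject.bin matches regardless of what it contains."""
import io
import re
import zipfile

# Field order as printed by `sigtool --decode-sig` in the thread;
# the last (empty) field is reserved and carries no value here.
CDB_FIELDS = ("name", "container_type", "container_size", "filename_regex",
              "compressed_size", "uncompressed_size", "encryption",
              "file_position", "crc_sum", "reserved")

# The signature quoted in the thread, verbatim.
SIGNATURE = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"


def parse_cdb(line):
    """Split one .cdb line into named fields; values are kept verbatim."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("not a complete .cdb signature line")
    return dict(zip(CDB_FIELDS, parts))


def match_zip(sig, zip_bytes):
    """Return the member names this CL_TYPE_ZIP signature would flag.
    Only the wildcard ('*') form of the size/position fields is modelled."""
    if sig["container_type"] != "CL_TYPE_ZIP":
        return []
    pattern = re.compile(sig["filename_regex"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if pattern.search(name)]


def build_zip(members):
    """Build an in-memory ZIP from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the macro container is just an OLE2 header stub.
MACRO_XLSM = build_zip({"[Content_Types].xml": b"<Types/>",
                        "xl/workbook.xml": b"<workbook/>",
                        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16})
PLAIN_XLSX = build_zip({"[Content_Types].xml": b"<Types/>",
                        "xl/workbook.xml": b"<workbook/>"})
```

Running `match_zip(parse_cdb(SIGNATURE), MACRO_XLSM)` flags `xl/vbaProject.bin` on the harmless stub, while the plain workbook returns nothing, which is the over-broad behaviour the reports describe.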