[clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

Al Varnell alvarnell at mac.com
Thu Dec 29 02:54:04 UTC 2016


On Dec 28, 2016, at 2:13 PM, Groach wrote:
> Ok, I know it has already been mentioned before in another 2 threads but it seems once again Joel is dismissing the claims or the responsibilities of it being damaging to people's systems (regularly quarantining genuine files and emails) and instead expects everyone to keep sending in FP reports for every spreadsheet or file that gets hit by this rogue signature.  Not only is this impractical, it's often impossible due to quantity and least of all data sensitivity issues.  I have them every day.  I've submitted FP reports, I've watched others raise the issue too, I've waited a week but still it goes on.
> 
> Many have called for it to be reviewed, modified or removed - even people such as Steve Basford who is respected in providing signatures of his own:
> 
> "IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done in full after holidays."

Over 11,000 of them were dropped several days ago, but a few were added at the same time. I have no idea what the status of those new ones is and maybe I've lost track, but I believe only one of the new ones has been brought up here.

Since all signatures are put through their QA process before release, I'm not clear on what it is you are proposing.

> http://lists.clamav.net/pipermail/clamav-users/2016-December/003932.html and so on.
> 
> The cause of the problem has even been identified (vbaproject.bin http://lists.clamav.net/pipermail/clamav-users/2016-December/003945.html) but still no acknowledgement and it continues.
> 
> So it leaves me with the thread title...
> 
> ...just dump this signature.  Learn that when HUNDREDS or thousands of files are incorrectly being hit then acknowledge there is something wrong with it!  Consider it a QA failure.  What else do you need to see before things are seen for what they are?!

I believe the problem has been identified earlier today as being that all 'vbaproject.bin' are being identified as infected. Whether that should be true or not seems doubtful, but only conjecture so far. You are probably right, but the decision is ultimately the signature team's based on the evidence presented and their knowledge of what the threat is. I have no idea what the latter is.

-Al-


