[clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

Dennis Peterson dennispe at inetnw.com
Thu Mar 31 05:44:56 UTC 2016


This appears to be both a legitimate test file (wintest.py) and a useful 
signature. ClamAV has a built-in solution for resolving these conflicts. You 
create a *.fp file that contains the checksum of the specific file and it will 
be ignored after the next reload.

sigtool --md5 wintest.py >sambatest.fp

Place the resulting file in the clamav sig directory and reload.

Sometimes these things happen.

dp

On 3/30/16 7:00 PM, Al Varnell wrote:
> With all the name changing that happened in the new database, I don’t think I can come close to guessing how old the signature might be.
>
> It is in Extended Signature Format (.ndb) looking for an ASCII text file (normalized) with any offset and an ASCII string of:
>
> netsh firewall set_opmode mode = disable
>
> except that I substituted an underscore “_” for one space to prevent a copy from this e-mail from being identified as infected.
>
> I have confirmed that the wintest.py file does contain this string and that there is no subsequent command to re-enable the firewall.
>
> I’ll have to leave it to those familiar with how advisable disabling the firewall on a Windows machine would be under these circumstances.
>
> -Al-
>
> On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:
>> The only file that was flagged as containing a virus (trojan) was
>> "wintest.py" in the "wintest" directory of the Samba source code. This
>> sounds like it's only a file for testing Samba (when built for
>> Windows?), and, unless it's something really sneaky, shouldn't be able
>> to affect a running Samba.
>>
>> The bug is called "BadLock", and, since Microsoft is working on it too,
>> I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was
>> stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't
>> actively work on it, but rather would use it to tout the advantages of
>> Windows Server.
>>
>> Paul Kosinski
>>
>> On Thu, 31 Mar 2016 10:51:55 +1100
>> Andrew McGlashan <andrew.mcglashan at affinityvision.com.au> wrote:
>>
>>>
>>> On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
>>>> Paul:
>>>>
>>>> Thanks for reporting this FP. This will be fixed momentarily.
>>> Is it really a false positive?
>>>
>>> There has been a heads up that SAMBA code has a problem and that both
>>> Microsoft and Samba are working on a solution that will be released on
>>> the next patch Tuesday.....
>>>
>>> That download could be part of this somehow, I don't know.  But it
>>> shouldn't blindly be considered a FP, that's for sure!
>>>
>>>> - Alain
>>>>
>>>> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
>>>> <clamav-users at iment.com> wrote:
>>>>
>>>>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
>>>>> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
>>>>> that the gz file contains Win.Trojan.Qhost-106. In particular, the
>>>>> single file wintest.py in the subdirectory wintest is reported.
>>> Kind Regards
>>> AndrewM
>>>
>>>
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
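The .fp whitelisting step Dennis describes at the top of the thread, worked through as an added example (not code from the list or from the ClamAV project). It reproduces what `sigtool --md5` prints for a file, namely an `MD5:filesize:name` line in the format .hdb/.fp databases use, so the entry can be built and sanity-checked on a host that has no sigtool installed. It assumes a POSIX shell with either `md5sum` or `openssl`; the script name `mkfp.sh` and the database path /var/lib/clamav in the usage comment are assumptions, since the real directory depends on the distribution.

```shell
#!/bin/sh
# Build a ClamAV .fp (false-positive whitelist) entry for a file without
# sigtool. Assumed environment: POSIX sh plus md5sum (GNU coreutils) or
# openssl. Output format MD5:filesize:name matches `sigtool --md5`.

# Hex MD5 of a file, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# Print one .fp line for the given file: <md5>:<size>:<basename>
make_fp_entry() {
    f="$1"
    [ -f "$f" ] || { echo "make_fp_entry: $f is not a regular file" >&2; return 1; }
    printf '%s:%s:%s\n' "$(md5_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$(basename "$f")"
}

# Sanity-check a line before dropping it into the database directory:
# 32 lowercase hex chars, a decimal size, and a non-empty name.
valid_fp_line() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}:[0-9]+:[^:]+$'
}

# Usage as a script (name assumed): ./mkfp.sh wintest.py >> sambatest.fp
# Then copy sambatest.fp into ClamAV's database directory (often
# /var/lib/clamav, an assumption) and reload, e.g. `clamdscan --reload`.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        line="$(make_fp_entry "$f")" || exit 1
        valid_fp_line "$line" || { echo "bad entry: $line" >&2; exit 1; }
        printf '%s\n' "$line"
    done
fi
```

Because the entry is keyed on the exact MD5 and size, only that byte-for-byte copy of wintest.py is suppressed; a modified copy of the file, or the same `netsh` string in any other file, still trips Win.Trojan.Qhost-106, which is the behaviour you want from a whitelist.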