[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

Al Varnell alvarnell at mac.com
Tue Sep 27 04:44:01 EDT 2016


The signature is based on a 2240 byte file, so it is probably something embedded in the PDF.

In any case, it needs to be uploaded to <http://www.clamav.net/reports/fp>. Is the MD5 of the entire PDF 013167adb9fbc93923f9c0789599ec95, because Steve and I aren’t finding anything on VT with any detections with that MD5?

-Al-

On Tue, Sep 27, 2016 at 12:39 AM, David Shrimpton wrote:
> 
> Hi, 
> 
> Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an
> md5sum of a file containing 2240 null bytes only, so appears
> to be a broken signature. 
> 
> It is causing false positives.
> 
> The example I have was a FP on a 944010 byte pdf which comes up
> negative on virustotal except for clamav.
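
A check for the kind of signature this thread reports, as an added example that is not part of the original messages or of ClamAV's own tooling: it scans `.hdb`-style lines (`MD5:Size:Name`) for entries whose hash is simply the digest of `Size` identical filler bytes. The function names, the extra 0xFF filler case (a generalization beyond the thread's null-byte case) and the sample lines are assumptions constructed here.

```python
import hashlib
import re

# .hdb entry layout: MD5:FileSize:MalwareName (FileSize may be "*" for unknown)
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+|\*):(\S+)$")
FILL_BYTES = (0x00, 0xFF)  # assumption: fillers worth checking; the thread only saw 0x00

def fill_md5(byte, size, chunk=1 << 16):
    """MD5 of `size` copies of `byte`, hashed in chunks to keep memory flat."""
    h = hashlib.md5()
    block = bytes([byte]) * chunk
    full, rest = divmod(size, chunk)
    for _ in range(full):
        h.update(block)
    h.update(block[:rest])
    return h.hexdigest()

def parse_hdb_line(line):
    """Return (md5_hex, size_or_None, name), or None for anything else."""
    m = HDB_LINE.match(line.strip())
    if not m:
        return None
    md5_hex, size, name = m.groups()
    return md5_hex.lower(), (None if size == "*" else int(size)), name

def degenerate_signatures(lines, max_size=1 << 26):
    """List (name, size, fill_byte) for entries that match a constant-fill buffer."""
    hits = []
    for line in lines:
        parsed = parse_hdb_line(line)
        if parsed is None:
            continue
        md5_hex, size, name = parsed
        if size is None or size > max_size:  # unknown or too large to recompute
            continue
        for b in FILL_BYTES:
            if fill_md5(b, size) == md5_hex:
                hits.append((name, size, b))
    return hits

# Constructed sample: the first hash is computed here from the thread's
# description (2240 null bytes), not copied from daily.hdb.
SAMPLE_HDB = [
    "%s:2240:Win.Trojan.Agent-1696554" % fill_md5(0x00, 2240),
    "%s:512:Example.Constructed-1" % hashlib.md5(b"constructed sample").hexdigest(),
    "# not a signature line",
]

if __name__ == "__main__":
    for name, size, b in degenerate_signatures(SAMPLE_HDB):
        print("%s matches %d bytes of 0x%02x" % (name, size, b))
```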