[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

David Shrimpton d.shrimpton at its.uq.edu.au
Tue Sep 27 04:55:09 EDT 2016


> 
> Confirmed FP I would say:
> 
> https://virustotal.com/en/file/2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230/analysis/
> 
> 

Agreed, above being the sha256sum of 2240 null bytes.


The hit on the null bytes could of course be masking actual malware
in the same container the file of nulls came from.
Presumably clamav is missing a signature for the original malware
that prompted the broken signature.

So my pdf might still contain malware, and whitelisting the sig,
while logical, might lead to an unfortunate result for anyone then receiving
and opening the same pdf.



-- 
David Shrimpton
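
Added example, not part of the original post or of ClamAV: a lint that flags hash signatures which match a file made of one repeated byte, the failure discussed in this thread. It assumes the `HashString:FileSize:MalwareName` layout of ClamAV hash signature files; the function names, the filler-byte list and the sample entries are constructed for illustration.

```python
import hashlib

# Digest length selects the algorithm (MD5, SHA1 or SHA256 hash signatures).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
FILL_BYTES = (0x00, 0xFF, 0x20)  # assumption: filler values worth checking


def parse_hash_sig(line):
    """Parse 'HashString:FileSize:MalwareName'; return None for anything else."""
    parts = line.strip().split(":")
    if line.lstrip().startswith("#") or len(parts) < 3:
        return None
    digest, size, name = parts[0].lower(), parts[1], parts[2]
    if len(digest) not in ALGO_BY_HEXLEN or not size.isdigit():
        return None  # a '*' (unknown) size cannot be tested this way
    return digest, int(size), name


def degenerate_sigs(lines, max_size=16 * 1024 * 1024):
    """Return (name, size, fill_byte) for signatures matching a constant-byte file."""
    hits = []
    for sig in filter(None, map(parse_hash_sig, lines)):
        digest, size, name = sig
        if size > max_size:  # keep memory use bounded
            continue
        algo = ALGO_BY_HEXLEN[len(digest)]
        for fill in FILL_BYTES:
            if hashlib.new(algo, bytes([fill]) * size).hexdigest() == digest:
                hits.append((name, size, fill))
                break
    return hits


def sample_db():
    """Constructed sample entries; the hashes are computed here, not real signatures."""
    nulls = hashlib.md5(bytes(2240)).hexdigest()
    other = hashlib.sha256(b"constructed non-degenerate sample").hexdigest()
    return [
        "# constructed sample database",
        f"{nulls}:2240:Example.NullBlock-1",
        f"{other}:33:Example.Ordinary-2",
    ]


if __name__ == "__main__":
    for name, size, fill in degenerate_sigs(sample_db()):
        print(f"{name}: matches {size} bytes of 0x{fill:02x}")
```

A hit only shows that the signature describes filler data; as the post points out, the container that produced the match still needs to be examined separately.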


