[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

David Shrimpton d.shrimpton at its.uq.edu.au
Tue Sep 27 20:54:13 EDT 2016


On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:

> All -
>
> This signature was my fault.  It has been dropped.  Should drop with the next publish and run of freshclam.
>

Win.Trojan.Agent-1696554 is now dropped.

But, the pdf is now detected as Win.Trojan.Agent-1696579.

Win.Trojan.Agent-1696554 was published in Version: 22229 Sep 21 and is:

4b5acd7f457d05cd4268d56e67dcffb9:4416:Win.Trojan.Agent-1696579

4b5acd7f457d05cd4268d56e67dcffb9 is md5sum of 4416 null bytes.

Clamav --debug --leave-temps   extracts a file pdf78 from the pdf with
4416 null bytes only and this causes the hit on Win.Trojan.Agent-1696554.

Might be something wrong with many more sigs from Version: 22229 ?

Might be worth doing all the null byte files from 1 to X in size
and running clamscan against them.


David Shrimpton
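
The check suggested in the message above, as an added example that is not part of the original post or of ClamAV: instead of writing each null-byte file to disk and scanning it, it hashes all-zero inputs of 1 to X bytes incrementally and looks up each signature's MD5 in that table. The function names, the 8192-byte default limit and the `Constructed.*` entries are assumptions made for the illustration, and the handling of a `*` (unknown) size field goes beyond the case in the post.

```python
import hashlib

def null_digests(max_size, algo="md5"):
    """Map hex digest -> size for every all-zero file of 1..max_size bytes."""
    h = hashlib.new(algo)
    table = {}
    for size in range(1, max_size + 1):
        h.update(b"\x00")              # extend the running hash by one null byte
        table[h.copy().hexdigest()] = size
    return table

def find_null_sigs(lines, max_size=8192):
    """Return (name, size) for hash signatures that match an all-zero file.

    Lines use the hash:size:name layout quoted in the post; a size of '*'
    (unknown size) is matched against every size up to max_size.
    """
    table = null_digests(max_size)
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue                   # not a hash signature line
        digest, size, name = fields[0].lower(), fields[1], fields[2]
        null_size = table.get(digest)
        if null_size is None:
            continue                   # hash is not that of any all-zero input
        if size == "*" or (size.isdigit() and int(size) == null_size):
            hits.append((name, null_size))
    return hits

# Sample database: three constructed entries plus the line quoted in the post.
SAMPLE = [
    f"{hashlib.md5(bytes(2240)).hexdigest()}:2240:Constructed.NullFile-1",
    f"{hashlib.md5(bytes(100)).hexdigest()}:*:Constructed.NullFile-2",
    f"{hashlib.md5(b'not null bytes').hexdigest()}:14:Constructed.RealContent-1",
    "4b5acd7f457d05cd4268d56e67dcffb9:4416:Win.Trojan.Agent-1696579",  # from the post
]

if __name__ == "__main__":
    for name, size in find_null_sigs(SAMPLE):
        print(f"{name}: matches {size} null bytes")
```

Run against a signature file's lines before publishing, any name it returns is a signature that would fire on padding or empty extracted streams rather than on malicious content.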


