[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

Joel Esler (jesler) jesler at cisco.com
Tue Sep 27 21:01:12 EDT 2016


These signatures were generated out of attachments to known bad spam files. We'll have a look.


> On Sep 27, 2016, at 8:54 PM, David Shrimpton <d.shrimpton at its.uq.edu.au> wrote:
> 
>> On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
>> 
>> All -
>> 
>> This signature was my fault.  It has been dropped.  Should drop with the next publish and run of freshclam.
>> 
> 
> Win.Trojan.Agent-1696554 is now dropped.
> 
> But, the pdf is now detected as Win.Trojan.Agent-1696579.
> 
> Win.Trojan.Agent-1696554 was published in Version: 22229 Sep 21 and is:
> 
> 4b5acd7f457d05cd4268d56e67dcffb9:4416:Win.Trojan.Agent-1696579
> 
> 4b5acd7f457d05cd4268d56e67dcffb9 is md5sum of 4416 null bytes.
> 
> Clamav --debug --leave-temps extracts a file pdf78 from the pdf with
> 4416 null bytes only and this causes the hit on Win.Trojan.Agent-1696554.
> 
> Might be something wrong with many more sigs from Version: 22229?
> 
> Might be worth doing all the null byte files from 1 to X in size
> and running clamscan against them.
> 
> 
> David Shrimpton
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
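
The check suggested in the quoted message can also be run against the signature file itself rather than by generating null-byte files and scanning them. The following is an added example, not part of the original thread and not ClamAV project code: it assumes hash signatures in the `hash:size:name` layout shown above, picks MD5, SHA-1 or SHA-256 by digest length, and uses constructed sample entries plus the one signature line quoted in the thread.

```python
import hashlib
from functools import lru_cache

ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

@lru_cache(maxsize=None)
def null_digest(algo, size):
    """Hex digest of `size` zero bytes, hashed in chunks to bound memory."""
    h = hashlib.new(algo)
    chunk = bytes(65536)
    while size > 0:
        n = min(size, len(chunk))
        h.update(chunk[:n])
        size -= n
    return h.hexdigest()

def find_null_signatures(lines, max_size=64 * 1024 * 1024):
    """Return (name, size) for hash signatures that match an all-zero file."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        digest, size_field, name = fields[0].lower(), fields[1], fields[2]
        algo = ALGOS.get(len(digest))
        # A non-numeric size (such as '*') cannot be checked by size alone.
        if algo is None or not size_field.isdigit():
            continue
        size = int(size_field)
        if size <= max_size and null_digest(algo, size) == digest:
            hits.append((name, size))
    return hits

# Constructed sample entries; only the last line is quoted from the thread.
SAMPLE = [
    hashlib.md5(bytes(2240)).hexdigest() + ":2240:Constructed.Null-2240",
    hashlib.sha256(bytes(512)).hexdigest() + ":512:Constructed.Null-512",
    hashlib.md5(b"constructed non-null content").hexdigest() + ":28:Constructed.Benign",
    "4b5acd7f457d05cd4268d56e67dcffb9:4416:Win.Trojan.Agent-1696579",
]

if __name__ == "__main__":
    for name, size in find_null_signatures(SAMPLE):
        print(f"{name}: hash of {size} null bytes")
```

To audit a real database, pass the lines of an unpacked hash signature file to `find_null_signatures` in place of `SAMPLE`.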


