[clamav-users] [lxwaldivm-005] Virus detected in E-mail <-- False positive

Al Varnell alvarnell at mac.com
Tue Dec 5 07:05:24 UTC 2017


That said, here is some info on the signature itself.

It was added to the ClamAV database on Oct 3 of this year. It appears to be malformed in the first subsig, where the Offset and Sigmod are missing and the signature itself is shown as the offset:

$ sigtool -fEmail.Phishing.VOF2-6336843-0|sigtool --decode-sigs
VIRUS NAME: Email.Phishing.VOF2-6336843-0
TDB: Engine:81-255,Target:4
LOGICAL EXPRESSION: 1
 * SUBSIG ID 0
 +-> OFFSET: 436f6e74656e742d446973706f736974696f6e3a
 +-> SIGMOD:
 +-> DECODED SUBSIGNATURE:

 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0
     +-> REGEX: filename <redacted to prevent this e-mail from being judged as infected>
     +-> CFLAGS: (null)

ClamAV is the only scanner on VirusTotal that believes this file to be infected:
<https://www.virustotal.com/en/file/02d9e26a11faf5a0a5fb6ce274738d9d83734d6aa78172f27c55628721ee4f79/analysis/1512451286/>.

-Al-

On Mon, Dec 04, 2017 at 09:19 PM, Al Varnell wrote:
> Never include suspected malware (or unproven false positives) or links thereto to this list. Upload it to <http://www.clamav.net/reports/fp> and post a hash value here with an explanation as to why you suspect it to be a False Positive.
> 
> -Al-
> 
> On Mon, Dec 04, 2017 at 08:47 PM, Walter H. wrote:
>> see attached file/mail ...
>> 
>> Walter
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

-Al-
-- 
Al Varnell
Mountain View, CA
