[clamav-users] How to determine false-v-real FOUND
Al Varnell
alvarnell at mac.com
Thu Feb 9 13:54:14 UTC 2017
$ sigtool --find Win.Trojan.Agent-793284
[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284
Since it's in the main database, it's relatively old.
It's looking for a file of size 28672 with the MD5 hash shown.
If it had been a more complex signature, then sigtool --find <InfectionName>|sigtool --decode-sigs would do what you are looking for.
Not much to prove a false positive that I can see.
-Al-
On Thu, Feb 09, 2017 at 05:12 AM, Brad Scalio wrote:
>
> Clamscan found a PE "visor.exe.svn-base" that matched
> Win.Trojan.Agent-793284 FOUND.
>
> That said, ran it through virustotal.com with results here
> https://goo.gl/flJl6j
>
> I know pasting a shortened URL in an AV mailing list :-)
>
> 11 of 56 scanners detect a signature, however the file in question is on a
> linux system, and hasn't been touched since 2010, and so I am not too
> worried as it's a homogeneous local LAN of all linux systems, it's just the
> first time we've run a clamscan on this box.
>
> Is there a way, or an online tutorial, or some other information to
> decompose the signature and the file easily to determine if it's a false
> positive or not? I realize this is a complete science in and of itself,
> but I am looking for a way for our tier 0 folks to quickly discern if they
> need to wake up the whole enterprise at 3am in the future.
>
> Thanks much!
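Scripting the check Al describes (compare the size and MD5 in a hash signature against the flagged file), as an added example that is not code from the thread or from ClamAV: `.hdb` signatures hash the whole file, while `.mdb` signatures hash one PE section, so the helper picks the right candidates and reports which one matched. The toy PE, `build_toy_pe`, and the `Sample.Test-1` signature are constructed fixtures; the regex assumes the `[db] size:md5:name` layout shown in the thread.

```python
import hashlib
import re
import struct

def parse_hash_sig(line):
    """Split a sigtool --find line into (db, size-or-None, md5, name)."""
    m = re.match(r"\[(\S+)\]\s+(\d+|\*):([0-9a-fA-F]{32}):(\S+)$", line.strip())
    if not m:
        raise ValueError("not an .hdb/.mdb hash signature: " + line)
    db, size, digest, name = m.groups()
    return db, (None if size == "*" else int(size)), digest.lower(), name

def pe_sections(data):
    """Return [(section name, raw bytes)] for a PE image, [] if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    rows = (struct.unpack_from("<8sIIII", data, table + 40 * i) for i in range(nsect))
    # fields: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    return [(n.rstrip(b"\0").decode("latin-1"), data[p:p + s]) for n, _, _, s, p in rows]

def check_hit(data, sig_line):
    """Return what the signature matched ('file' or a section name), or None."""
    db, size, digest, _ = parse_hash_sig(sig_line)
    # .hdb hashes the whole file; .mdb hashes individual PE sections.
    candidates = [("file", data)] if db.endswith(".hdb") else pe_sections(data)
    for label, blob in candidates:
        if (size is None or len(blob) == size) and hashlib.md5(blob).hexdigest() == digest:
            return label
    return None

def build_toy_pe(sections):
    """Constructed minimal PE (DOS stub, COFF header, section table, raw data); a fixture, not a program."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    off = 0x40 + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), off, 0, 0, 0, 0, 0)
        body += raw
        off += len(raw)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + table + body

# Constructed sample: a toy PE and an .mdb-style signature written against its .text section.
TOY_PE = build_toy_pe([(b".text", b"\x55\x8b\xec" * 100), (b".data", b"\0" * 64)])
TOY_SIG = "[main.mdb] 300:%s:Sample.Test-1" % hashlib.md5(b"\x55\x8b\xec" * 100).hexdigest()
```

Run `check_hit(open(path, "rb").read(), line)` with the line `sigtool --find` printed; a `None` result means neither the file nor any section carries the hash the signature names, which is what a tier-0 analyst needs to know before escalating.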