[clamav-users] How to determine false-v-real FOUND
Brad Scalio
scalio at gmail.com
Thu Feb 9 14:00:07 UTC 2017
Thanks much.
On Thu, Feb 9, 2017 at 8:55 AM, Steve Basford <steveb_clamav at sanesecurity.com> wrote:
>
> On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote:
> > Clamscan found a PE "visor.exe.svn-base" that matched
> > Win.Trojan.Agent-793284 FOUND.
> >
> > Is there a way, or an online tutorial, or some other information to
> > decompose the signature and the file easily to determine if it's a false
> > positive or not? I realize this is a complete science in and of itself,
> > but I am looking for a way for our tier 0 folks to quickly discern if
> > they need to wake up the whole enterprise at 3am in the future.
>
> Submit the file to a sandbox, eg:
>
> https://www.hybrid-analysis.com/
> https://malwr.com/
>
> sigtool --find-sigs=Win.Trojan.Agent-793284
> [main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284
>
> In the above case you can see it's an old hash in the main.mdb database
>
> sigtool --find-sigs=Win.Trojan.Agent-793284 --decode-sigs
> (will let you see the sigs as long as it's not a hash)
>
> Also... found the hash here...
>
> https://totalhash.cymru.com/analysis/?8d87580f90b6a6e66803bac07744c1439fb18c02
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
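An added example to go with Steve's triage steps above (this is not code from the thread or from ClamAV itself): a small Python helper a tier-0 analyst could keep next to `sigtool`. It parses `sigtool --find-sigs` output, reports what kind of database the signature lives in (a `.mdb` hit, as here, is a PE section hash rather than a whole-file hash or a byte pattern), and for `.mdb` entries recomputes the MD5 of each raw PE section of the flagged file to confirm exactly which section tripped the signature. It assumes the documented `.mdb` layout `PESectionSize:PESectionHash:MalwareName`, hashed over the section's on-disk bytes (`SizeOfRawData` bytes at `PointerToRawData`). `build_sample_pe` is a constructed fixture used only so the script runs offline; it is not a real binary and carries no optional header.

```python
import hashlib
import struct

# What a signature's home database tells you about how it matches
# (hash databases identify a file or section; the others are patterns).
DB_KIND = {
    "hdb": "whole-file MD5 hash",
    "hsb": "whole-file SHA1/SHA256 hash",
    "mdb": "PE section MD5 hash",
    "msb": "PE section SHA1/SHA256 hash",
    "ndb": "body-based pattern",
    "ldb": "logical signature",
}


def parse_find_sigs(text):
    """Parse `sigtool --find-sigs=NAME` output lines such as
    '[main.mdb] 28672:f380d36c...:Win.Trojan.Agent-793284'.
    Returns one dict per line with the database, its kind and the raw body;
    .mdb lines are further split into size / md5 / name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        db, _, body = line[1:].partition("] ")
        suffix = db.rsplit(".", 1)[-1]
        entry = {"db": db, "kind": DB_KIND.get(suffix, "other"), "body": body}
        if suffix == "mdb":
            # assumed (documented) .mdb layout: PESectionSize:PESectionHash:MalwareName
            size, md5, name = body.split(":", 2)
            entry.update(size=int(size), md5=md5.lower(), name=name)
        entries.append(entry)
    return entries


def pe_sections(data):
    """Return (name, raw_size, md5_of_raw_bytes) for every section of a PE file.
    ClamAV's .mdb hashes cover the section's on-disk bytes, so we hash
    SizeOfRawData bytes starting at PointerToRawData."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    sections = []
    for i in range(n_sections):
        off = table + 40 * i                                    # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, hashlib.md5(raw).hexdigest()))
    return sections


def match_mdb(data, entries):
    """Return (section_name, signature_name) for every .mdb entry whose
    size and MD5 equal one of the file's raw sections."""
    hits = []
    for sec_name, size, md5 in pe_sections(data):
        for e in entries:
            if e.get("size") == size and e.get("md5") == md5:
                hits.append((sec_name, e["name"]))
    return hits


def build_sample_pe(payload):
    """Constructed test fixture: a minimal PE32 skeleton with a single
    '.text' section holding `payload`. SizeOfOptionalHeader is 0 here,
    which a real linker never emits; the parser honours the field either way."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section
    raw_ptr = 64 + 4 + 20 + 40                                  # 0x80: right after headers
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + sect + payload


if __name__ == "__main__":
    # The sigtool line quoted in the thread above.
    sigs = parse_find_sigs(
        "[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284")
    for s in sigs:
        print(f"{s['db']}: {s['kind']}")
    sample = build_sample_pe(b"A" * 32)                         # constructed, not visor.exe
    for name, size, md5 in pe_sections(sample):
        print(f"section {name:<8} size={size:<6} md5={md5}")
    print("matches:", match_mdb(sample, sigs))
```

On a real triage run, replace the fixture with `open(path, "rb").read()` on the flagged file and feed it the `sigtool --find-sigs` output; an empty match list against a `.mdb` entry means the section hash does not actually line up with the file on disk, which is worth knowing before escalating.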