[clamav-users] Different results: Clamscan vs ClamWin
Al Varnell
alvarnell at mac.com
Wed May 3 09:38:29 UTC 2017
Not sure what you mean by "MD5 match" but the signature is a complex logical one, not a hash:
> $ sigtool --find Win.Dropper.Gephys-6117417-0|sigtool --decode-sig
> VIRUS NAME: Win.Dropper.Gephys-6117417-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4&5&6&7&8&9
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> 8becb8000040005d
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> 8b45088945f88b4d
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> c745fc00000000eb
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> 40005dc3cccccccc
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> cccccc558bec51c7
> * SUBSIG ID 5
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> ffffff8be55dc3cc
> * SUBSIG ID 6
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> 0085c0740733c0e9
> * SUBSIG ID 7
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> ffff8be55dc3cccc
> * SUBSIG ID 8
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> SUBSIGNATURE:
> cc558bec51c745fc
> * SUBSIG ID 9
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> TVirtu
-Al-
On Wed, May 03, 2017 at 01:12 AM, Peter B. wrote:
>
> Thanks for your replies!
>
> On 05/03/2017 02:18 AM, Joel Esler (jesler) wrote:
>> First thing I notice is that you are running two different versions of ClamAV.
>
> I know, but:
> *) v0.99.1 is the most recent version of ClamWin, so I can't go higher
> *) ClamWin also detected the virus with v0.98.x
> *) I'd assume that if that version would matter, it'd rather be
> v0.99.2 (Clamav Linux) that would detect the virus - not the other way
> around. Right?
>
>
> About hashcodes: MD5 match.
> Virus encountered: "Win.Dropper.Gephys-6117417-0"
>
>
> Thanks again,
> Peter
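To see why a logical signature like the one decoded above hits or misses a file, it helps to check each subsignature separately. The following is an added example, not part of the original thread and not ClamAV code. The names `parse_decoded`, `evaluate` and `explain` are hypothetical, and the sample signature is constructed from two patterns in the quoted output. It assumes plain hex or decoded-text subsignatures with OFFSET ANY, and goes beyond the pure-AND expression above by also handling `|` and parentheses.

```python
import re

# Constructed sample in the layout `sigtool --decode-sig` prints; the two patterns are
# copied from the output quoted above, the name and the expression are made up.
DECODED = """VIRUS NAME: Example.Constructed-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> SUBSIGNATURE:
8becb8000040005d
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
TVirtu
"""

def parse_decoded(text):
    """Return (expression, {id: bytes}); plain hex or decoded text only, no wildcards."""
    expr = re.search(r"LOGICAL EXPRESSION:\s*(\S+)", text).group(1)
    found = re.findall(
        r"SUBSIG ID (\d+).*?\+-> (DECODED )?SUBSIGNATURE:\s*\n\s*([^\n]+)", text, re.S)
    return expr, {int(i): (b.strip().encode() if d else bytes.fromhex(b.strip()))
                  for i, d, b in found}

def evaluate(expr, hits):
    """Evaluate ids joined by & and | with parentheses, left to right (assumption)."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported expression: " + expr)  # e.g. count modifiers
    def parse(pos):
        val = op = None
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] in "&|":
                op, pos = tokens[pos], pos + 1
            rhs, pos = parse(pos + 1) if tokens[pos] == "(" else (hits[int(tokens[pos])], pos)
            pos += 1  # step past the id or the closing parenthesis
            val = rhs if val is None else (val and rhs if op == "&" else val or rhs)
        return val, pos
    return parse(0)[0]

def explain(text, data):
    """Return (verdict, per-subsignature hits) for the bytes in `data` (OFFSET ANY only)."""
    expr, subsigs = parse_decoded(text)
    hits = {sid: pat in data for sid, pat in subsigs.items()}
    return evaluate(expr, hits), hits
```

The per-subsignature dictionary shows which pattern is absent when the overall verdict is negative.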