[clamav-users] How to find string for a signature?
Al Varnell
alvarnell at mac.com
Sat Oct 21 04:04:27 UTC 2017
Are you certain that it is actually from CERT from the header information or is that just the "From: " address which can easily be faked? You can determine a lot from submitting the e-mail raw source to <https://www.spamcop.net>.
Signature details:
sigtool -f PUA.Win.Trojan.Xored-1 | sigtool --decode-sigs
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
I can't seem to find when the signature was added, but a Google search shows it being discussed as far back as April 2016.
If, after examination, you still feel it's a False Positive, submit it (or the attachment) to <http://www.clamav.net/reports/fp> and return here with a hash value of whatever you submitted.
PUA indicates "Potentially Unwanted Application" which indicates non-malware and makes it more difficult to identify as a False Positive. Win makes it Windows Only.
-Al-
On Fri, Oct 20, 2017 at 08:30 PM, kristen R wrote:
> List,
>
> I just received an email from ncas.us-cert.gov that was caught by clamd
> reporting PUA.Win.Trojan.Xored-1 signature. This email is from the US
> Department of Homeland Security.
>
> I suppose this is a case of a false positive. How does one find the
> string triggering this event that I might know and report this as a
> false positive?
>
> Kristen
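The question in this thread is how to get from a signature name to the bytes in the message that set it off. The thread shows the first half (sigtool --find-sigs / --decode-sigs); what follows is an added example, not part of the original mail and not ClamAV's own code, that does the second half: it translates the common .ndb hex wildcards ("??", "*", "{n}", "{-n}", "{n-}", "{n-m}") into a Python regex and runs it over a simplified copy of the HTML normalisation ClamAV applies before matching target type 3 (HTML). The signature line, the normalisation routine and the sample e-mail body are all assumptions constructed for the example: the signature is rebuilt from the decoded output quoted above, not copied from daily.cvd, and the real normalised files come from "sigtool --html-normalise=FILE" rather than from this approximation.

```python
"""Locate the bytes that fire a ClamAV body signature in an HTML e-mail body.

Added example, not ClamAV's own matcher: the .ndb hex syntax is turned into a
Python regex and searched over an approximation of ClamAV's HTML normalisation.
"""
import re

# Reconstructed from the `sigtool --decode-sigs` output in the thread; an
# assumption about the entry's shape, not a copy of the real daily.cvd line.
EXAMPLE_SIG = ("PUA.Win.Trojan.Xored-1:3:*:"
               + b"charcodeat(".hex() + "{-5}" + b")^".hex())

TARGET_TYPES = {0: "ANY", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII"}

_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|([0-9a-fA-F]{2})")


def hexsig_to_regex(hexsig):
    """Translate the common .ndb wildcards into a compiled bytes regex.

    ??    any single byte        {n}    exactly n bytes
    *     any run of bytes       {-n}   up to n bytes
    {n-}  n or more bytes        {n-m}  between n and m bytes
    Alternation "(aa|bb)" and nibble wildcards "a?" are not handled here.
    """
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at %d: %r" % (pos, hexsig[pos:]))
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:
                parts.append(b".{%d}" % int(lo))            # {n}
            else:                                            # {-n} {n-} {n-m}
                parts.append(b".{%s,%s}?" % ((lo or "0").encode(), hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))     # literal byte
    if pos != len(hexsig):
        raise ValueError("trailing garbage: %r" % hexsig[pos:])
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line):
    """Split 'Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]'. Only the '*'
    (anywhere) offset is honoured by find_trigger below."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb line: %r" % line)
    name, target, offset, hexsig = fields[:4]
    return {"name": name, "target": TARGET_TYPES.get(int(target), target),
            "offset": offset, "regex": hexsig_to_regex(hexsig)}


def normalise_html(raw):
    """Approximation of what ClamAV scans for target type HTML: comments
    dropped, text lower-cased, whitespace runs collapsed. The authoritative
    files are produced by `sigtool --html-normalise=FILE`."""
    no_comments = re.sub(rb"<!--.*?-->", b"", raw, flags=re.DOTALL)
    return re.sub(rb"\s+", b" ", no_comments.lower()).strip()


def find_trigger(sig_line, body, context=20):
    """Return (offset, matched bytes, surrounding bytes) for every hit of the
    signature in the (normalised) body; an empty list means no hit."""
    sig = parse_ndb(sig_line)
    data = normalise_html(body) if sig["target"] == "HTML" else body
    hits = []
    for m in sig["regex"].finditer(data):
        lo, hi = max(0, m.start() - context), m.end() + context
        hits.append((m.start(), m.group(0), data[lo:hi]))
    return hits


# Constructed sample bodies; neither is the US-CERT mail from the thread.
SAMPLE_BODY = b"""<html><body>
<!-- constructed sample -->
<p>Weekly bulletin</p>
<script>
function d(s, k) { var o = "";
  for (var i = 0; i < s.length; i++) { o += String.fromCharCode(s.charCodeAt(i)^k); }
  return o; }
</script>
</body></html>"""
CLEAN_BODY = b"<html><body><p>No script here, just a bulletin.</p></body></html>"

if __name__ == "__main__":
    for off, hit, ctx in find_trigger(EXAMPLE_SIG, SAMPLE_BODY):
        print("offset %d: %r in ...%r..." % (off, hit, ctx))
```

Two things the run makes visible that a plain grep of the raw message would not: the hex in the signature encodes lower-case "charcodeat(", so it only matches after ClamAV's HTML normaliser has lower-cased the text (searching the raw body finds nothing), and the ")^" must immediately follow the closing parenthesis, so a script written as "charCodeAt(i) ^ k" with spaces would not fire. Once the offending substring is known, that is what goes into the false-positive report along with the hash.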