[clamav-users] Same file, different signatures detected
Al Varnell
alvarnell at mac.com
Tue Aug 7 08:30:08 UTC 2018
I don't see how that is even remotely possibly. They are three completely different hash signatures:
[daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?
-Al-
On Tue, Aug 07, 2018 at 12:20 AM, Albrecht, Peter wrote:
> Hi,
>
> We have whitelisted certain signatures for files which are only detected by
> ClamAV to be potentially malicious. And now we face the problem that the
> same files are reported again, but with a different signature. I already had
> this behaviour when I tested with the EICAR test virus.
>
> The signatures in question are now:
>
> Html.Malware.Agent-6625344-0 (whitelisted already)
> Html.Malware.Agent-6625164-0 (new signature for the same files)
>
> After whitelisting the latter one, ClamAV comes again with a new signature:
>
> Html.Malware.Agent-6625283-0
>
> It looks like there are multiple signatures defined for the same file. What
> would you need from me to investigate further?
>
> We are using ClamAV 0.99.4 on Linux. The virus signatures are updated
> directly before running clamscan.
>
> Regards,
>
> Peter
>
> Peter Albrecht
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180807/2c119e61/attachment.htm>
More information about the clamav-users
mailing list