[clamav-users] Same file, different signatures detected
Maarten Broekman
maarten.broekman at gmail.com
Tue Aug 7 11:00:25 UTC 2018
JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes.
Maarten
Sent from a tiny keyboard
> On Aug 7, 2018, at 04:54, Albrecht, Peter <peter.albrecht at wirecard.com> wrote:
>
> Hi,
>
>> I don't see how that is even remotely possible. They are three completely different hash signatures:
>>
>> [daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>> [daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>> [daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>>
>> You should have already submitted this file to ClamAV as a false positive, so what was its MD5 hash?
>
> I have submitted two files which have been reported. Their MD5 sums are:
>
> 88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
> 9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar
>
> Strangely, they are reported with the same signature. And after whitelisting the first
> one, the second one is reported. And then the third ...
>
> This started about 10 days ago, nothing has been reported before that.
>
> Thanks,
>
> Peter Albrecht
> Senior Linux Administrator
>
> Wirecard Service Technologies GmbH
> Einsteinring 35 | 85609 Aschheim | Germany
> Tel: +49 (0) 89 4424-191076
> https://www.wirecard.com
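The check suggested in the reply at the top of this message, as an added example that is not part of the original thread and is not ClamAV code: hash every member inside a JAR and compare MD5 and size against `.hsb`-style entries (`md5:size:name:flevel`, the layout quoted above) to find which bundled file a hash signature hits. The sample JARs, the `[example.hsb]` tag and the signature name `Example.Constructed.Sig-0` are constructed for illustration.

```python
import hashlib
import io
import zipfile


def parse_hsb(lines):
    """Map (md5, size) -> name from 'md5:size:name[:flevel]' signature lines."""
    sigs = {}
    for line in lines:
        # Drop a leading '[daily.hsb] ' database tag as printed in the thread.
        line = line.strip().split("] ", 1)[-1]
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":")[:3]
        sigs[(md5.lower(), None if size == "*" else int(size))] = name
    return sigs


def scan_jar(jar_bytes, sigs):
    """Return [(member_path, signature_name)] for members whose hash matches."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            data = jar.read(info)  # directory entries read as empty bytes
            digest = hashlib.md5(data).hexdigest()
            name = sigs.get((digest, len(data))) or sigs.get((digest, None))
            if name:
                hits.append((info.filename, name))
    return hits


def make_jar(members):
    """Build an in-memory JAR (a ZIP archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for path, data in members.items():
            jar.writestr(path, data)
    return buf.getvalue()


# Constructed sample: two JARs sharing one HTML file; signature name is hypothetical.
SHARED = b"<html><body>bundled license notice</body></html>\n"
JAR_A = make_jar({"META-INF/NOTICE.html": SHARED, "a/A.class": b"\xca\xfe\xba\xbe A"})
JAR_B = make_jar({"docs/notice.html": SHARED, "b/B.class": b"\xca\xfe\xba\xbe B"})
SIGS = parse_hsb(["[example.hsb] %s:%d:Example.Constructed.Sig-0:73"
                  % (hashlib.md5(SHARED).hexdigest(), len(SHARED))])

if __name__ == "__main__":
    print(scan_jar(JAR_A, SIGS), scan_jar(JAR_B, SIGS))
```

The two archives differ as whole files, yet both report the same signature name because the match is on the shared member, not on the JAR itself.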