[clamav-users] Same file, different signatures detected
Joel Esler (jesler)
jesler at cisco.com
Tue Aug 7 11:35:38 UTC 2018
Correct. Jar files are essentially zip files.
> On Aug 7, 2018, at 07:00, Maarten Broekman <maarten.broekman at gmail.com> wrote:
>
> JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes.
>
> Maarten
>
>> On Aug 7, 2018, at 04:54, Albrecht, Peter <peter.albrecht at wirecard.com> wrote:
>>
>> Hi,
>>
>>> I don't see how that is even remotely possible. They are three completely different hash signatures:
>>>
>>> [daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>>> [daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>>> [daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>>>
>>> You should have already submitted this file to ClamAV as a false positive, so what was its MD5 hash?
>>
>> I have submitted two files which have been reported. Their MD5 sums are:
>>
>> 88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
>> 9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar
>>
>> Strangely, they are reported with the same signature. And after whitelisting the first
>> one, the second one is reported. And then the third ...
>>
>> This started about 10 days ago, nothing has been reported before that.
>>
>> Thanks,
>>
>> Peter Albrecht
>> Senior Linux Administrator
>>
>> Wirecard Service Technologies GmbH
>> Einsteinring 35 | 85609 Aschheim | Germany
>> Tel: +49 (0) 89 4424-191076
>> https://www.wirecard.com
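The explanation given in this thread (a JAR is a zip archive, so a hash signature can match a file inside it rather than the JAR itself) can be checked with a short script. This is an added example, not code from the thread or from ClamAV: it parses lines in the `hash:size:name:73` layout shown above and compares them with the MD5 and size of every archive member. The two JARs, the shared HTML member and the signature name are constructed sample data.

```python
import hashlib
import io
import zipfile

def parse_hsb(lines):
    """Parse 'md5:size:name[:flevel]' lines into {(md5, size): name}."""
    sigs = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        digest, size, name = fields[:3]
        sigs[(digest.lower(), None if size == "*" else int(size))] = name
    return sigs

def scan_jar(jar_bytes, sigs):
    """Return [(member, signature)] for members whose MD5 and size match."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            digest = hashlib.md5(data).hexdigest()
            name = sigs.get((digest, len(data))) or sigs.get((digest, None))
            if name:
                hits.append((info.filename, name))
    return hits

def make_jar(members):
    """Build an in-memory JAR (zip) from {path: bytes}; test helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for path, data in members.items():
            jar.writestr(path, data)
    return buf.getvalue()

# Constructed sample data: two unrelated JARs that bundle the same HTML file.
SHARED = b"<html><body>constructed shared page</body></html>\n"
SIG_NAME = "Example.Constructed.Sig-0"  # hypothetical signature name
HSB = ["%s:%d:%s:73" % (hashlib.md5(SHARED).hexdigest(), len(SHARED), SIG_NAME)]
JAR_A = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                  "docs/index.html": SHARED})
JAR_B = make_jar({"com/example/App.class": b"\xca\xfe\xba\xbe constructed",
                  "help/about.html": SHARED})

if __name__ == "__main__":
    for label, jar in (("a.jar", JAR_A), ("b.jar", JAR_B)):
        print(label, hashlib.md5(jar).hexdigest(), scan_jar(jar, parse_hsb(HSB)))
```

Run against a real JAR and the signature lines from a detection, the member path it reports is the file to submit as a false positive, rather than the outer archive.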