[clamav-users] Source for virus definitions?
Orion Poplawski
orion at nwra.com
Thu Feb 1 23:45:21 UTC 2018
Thanks for that. Took me a bit to realize I had to unpack the .ppam file to
find the match.
I'm still curious to know why that file got marked as bad. If there is a
specific cause for concern - or just that it is a 'suspicious' set of macros
as olevba shows:
| Suspicious | Kill | May delete a file
| Suspicious | Chr | May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
| Suspicious | Open | May open a file
| Suspicious | shell | May run an executable file or a system command
....
On 01/30/2018 05:17 PM, Al Varnell wrote:
> It's an MD5 hash/file size match:
>
> sigtool -fDoc.Dropper.Agent-6384732-0
> [daily.hsb] cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73
>
> -Al-
> ClamXAV User
>
> On Tue, Jan 30, 2018 at 08:50 AM, Orion Poplawski wrote:
>> How can I determine what exactly is triggering a match?
>>
>> $ clamscan IguanaTex_v1_55.ppam
>> IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
>>
>> I'd like to know what exactly was matched, but I'm not being able to find
>> where the source for the virus definitions are.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
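The `sigtool -f` output above shows a daily.hsb entry, i.e. a hash-based signature of the form `MD5:FileSize:MalwareName:FunctionalityLevel`. The following is an added example (not ClamAV's own code) that parses such a line and reproduces the match logic locally, so you can confirm which embedded file in an unpacked .ppam actually hit; the sample bytes and the `Test.Sample-0` signature are constructed, and the `*` size wildcard (allowed from functionality level 73 per the ClamAV signature docs) is handled as an assumption about that format.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class HsbSignature:
    """One line of a ClamAV .hsb database: MD5:FileSize:MalwareName:FunctionalityLevel."""
    md5: str
    size: Optional[int]  # None when the size field is the '*' wildcard
    name: str
    flevel: int


def parse_hsb_line(line: str) -> HsbSignature:
    """Parse a single .hsb line; raises ValueError on malformed input."""
    md5, size, name, flevel = line.strip().split(":")
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5.lower()):
        raise ValueError(f"not an MD5 hex digest: {md5}")
    return HsbSignature(md5.lower(), None if size == "*" else int(size), name, int(flevel))


def match_hsb(data: bytes, sigs: Iterable[HsbSignature]) -> Optional[str]:
    """Return the name of the first signature whose MD5 and size match `data`, else None.

    ClamAV applies hash signatures to every object it unpacks, which is why the
    thread's match was found only after extracting the .ppam (a zip container).
    """
    digest = hashlib.md5(data).hexdigest()
    for sig in sigs:
        if sig.md5 == digest and (sig.size is None or sig.size == len(data)):
            return sig.name
    return None


# Signature line exactly as printed by `sigtool -f` in the thread (from the page).
PAGE_LINE = "cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73"

# Constructed stand-in for an embedded file; it is NOT the real IguanaTex content.
SAMPLE = b"PK\x03\x04" + b"constructed-sample-bytes" * 4
SAMPLE_SIG = f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Test.Sample-0:73"


def demo() -> dict:
    sigs = [parse_hsb_line(PAGE_LINE), parse_hsb_line(SAMPLE_SIG)]
    return {
        "page_sig_size": sigs[0].size,
        "sample_hit": match_hsb(SAMPLE, sigs),
        # A single appended byte changes both hash and size: hash sigs are exact-match only.
        "one_byte_off": match_hsb(SAMPLE + b"\x00", sigs),
    }


if __name__ == "__main__":
    print(demo())
```

Because the match is a whole-file hash, the olevba findings describe why the file was submitted, not what ClamAV tests; any byte-level change to the embedded file yields no hit.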