[clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?
Joel Esler (jesler)
jesler at cisco.com
Fri Feb 16 17:05:19 UTC 2018
It is possible, using a service we have here: https://talosintelligence.com/sha_searches, to look up some additional details about files, if interested. SHA256 required.
--
Joel Esler | Talos: Manager | jesler at cisco.com
> On Feb 15, 2018, at 3:23 PM, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
>
> The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
> positive. The signature alerted on a Microsoft Word document. The hash for
> that document is
> f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
>
> The Word document has a macro that launches powershell, downloads an
> executable and runs it.
>
> On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau <kdeugau at vianet.ca> wrote:
>
>> I've had a customer reporting problems sending a supposedly all-text
>> (likely actually multipart text+html with no hand-added attachments)
>> triggering this signature.
>>
>> Since it's a hash I'm baffled by what it might be misfiring on in a
>> legitimate more-or-less text-only message.
>>
>> I don't yet have a copy of the message that actually triggered this
>> signature, and after finally getting a couple of empty test messages they
>> are of course scanning clean.
>>
>> Can anyone give any more detail on what kind of file or file component
>> this is matching on? All I can see is that it's in daily.hsb, so beyond
>> the fact that it is a hash of either the whole file or a component of a
>> Word document containing macros I have no idea what it is, and whether it's
>> really a FP or not.
>>
>> -kgd
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
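Added example, not code from ClamAV or from anyone in this thread: a small Python matcher showing what a whole-file hash signature of the kind found in daily.hsb actually compares, and how to get the SHA256 needed for the Talos lookup Joel mentions. The line format (hash:size:name, with size "*" meaning any size, and the hash algorithm implied by the hex length) follows the ClamAV signature documentation for .hdb/.hsb files. The sample file bytes and the second signature line are constructed; the "*" size on the thread's hash is an assumption, since the real entry's size is not given here. ClamAV also scans extracted sub-files (for example a document's macro streams), so a hash hit can come from a component rather than the whole file; this example hashes whole files only.

```python
"""Match a file against ClamAV-style hash signature lines (.hdb/.hsb format).

Assumed line format, per the ClamAV signature documentation:
    HASH:FILESIZE:MALWARENAME[:MINFLEVEL]
HASH is hex MD5 (.hdb) or SHA1/SHA256 (.hsb); FILESIZE is the exact size in
bytes or "*" for any size. Hypothetical helper code, not ClamAV's own.
"""
import hashlib

# ClamAV infers the algorithm from the hex digest length.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_db(text):
    """Parse signature lines into (algo, hexdigest, size_or_None, name) tuples."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed signature line: {raw!r}")
        digest, size, name = parts[0].lower(), parts[1], parts[2]
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length in: {raw!r}")
        sigs.append((algo, digest, None if size == "*" else int(size), name))
    return sigs


def digests(data):
    """Compute every digest type a hash database might use, once per file."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in set(ALGO_BY_HEX_LEN.values())}


def match(data, sigs):
    """Return the name of the first signature whose size and hash match, else None."""
    d = digests(data)
    for algo, digest, size, name in sigs:
        if size is not None and size != len(data):
            continue  # size is part of the signature, so a mismatch rules it out
        if d[algo] == digest:
            return name
    return None


# Constructed sample file; it stands in for the message or document under test.
SAMPLE_FILE = b"constructed sample content, not the real Word document\n"

SAMPLE_HSB = (
    # Hash and name from the thread; the "*" size is an assumption (constructed line).
    "f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156"
    ":*:Doc.Dropper.Agent-6447876-0\n"
    # Constructed entry built from SAMPLE_FILE so the example can show a hit.
    f"{hashlib.sha256(SAMPLE_FILE).hexdigest()}:{len(SAMPLE_FILE)}"
    ":Test.Constructed.Hash-1\n"
)
SIGS = parse_hash_db(SAMPLE_HSB)


if __name__ == "__main__":
    # The SHA256 is the value a hash lookup service such as the one above asks for.
    print("sha256:", digests(SAMPLE_FILE)["sha256"])
    print("match:", match(SAMPLE_FILE, SIGS))
```

To see the real entry behind a signature name, sigtool's `--find-sigs` (with `--decode-sigs` to expand the fields) can be run against the local database directory; for a message that only sometimes triggers, hashing each MIME part as well as the whole message is the quickest way to learn which component the signature is matching.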