[clamav-users] signature exists, but not detecting

Al Varnell alvarnell at mac.com
Wed Feb 24 03:23:37 UTC 2021


I noted that the scan was from six months ago, so I reanalyzed the file and see that ClamAV no longer detects it as infected, although 31/62 scanners did. The signature itself was added to the ClamAV db almost two years ago, on May 27, 2019, so it does seem strange that it detected six months ago, but not now. Only thing that changed in that time period was the ClamAV scan engine.

-Al-

On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
> Yes, my apologies.  It was VirusTotal.  Here's the link.  Thanks.
> 
> https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection
> 
> On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> 
> On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
>> Hi,
>> 
>> Uploaded a file to virustools.com and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.
> 
> I'm not familiar with virustools.com and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?
> 
>> The command-line utility did not detect it.  Up-to-date DB.  The signature appears to exist in the signature database.
>> 
>> Something I'm missing?
>> 
>> # freshclam
>> ClamAV update process started at Tue Feb 23 12:12:30 2021
>> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
>> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
>> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>> 
>> 
>> # clamscan /var/tmp/pty3
>> /var/tmp/pty3: OK
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8565230
>> Engine version: 0.103.1
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.04 MB
>> Data read: 0.04 MB (ratio 1.00:1)
>> Time: 14.528 sec (0 m 14 s)
>> Start Date: 2021:02:23 12:13:43
>> End Date:   2021:02:23 12:13:57
>> 
>> 
>> # sigtools --find "6981155"
>> [daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
> 
> You might find this breakout more useful when searching the file for matching strings:
> 
> ~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs 
> VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
> TDB: Engine:51-255,Target:6
> LOGICAL EXPRESSION: 0&1&2&3&4
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
> 
> -Al-
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 
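To make the structure of the quoted `.ldb` line concrete, here is a small parser and evaluator for ClamAV logical signatures, added as an illustration for this thread (it is not ClamAV code, and the signature it uses is a constructed, shortened stand-in for the real one). It shows why an expression like `0&1&2&3&4` means every decoded subsignature must be present in the scanned bytes, and which subsignature is missing when a file comes back `OK`.

```python
# Constructed sample in the .ldb layout quoted in the thread:
#   Name;TargetDescriptionBlock;LogicalExpression;hexsubsig0;hexsubsig1;...
# The strings are shortened; the real signature carries five full UA strings.
SAMPLE_LDB = ";".join([
    "Example.Trojan.Tsunami-Demo-0",      # constructed name, not a real sig
    "Engine:51-255,Target:6",             # same TDB as the quoted signature
    "0&1&2",                              # every subsig must match
    b"Mozilla/4.0 (compatible; MSIE 7.0)".hex(),
    b"Mozilla/5.0 (X11; U; Linux i686)".hex(),
    b"Camino/1.5.4".hex(),
])

def parse_ldb(line):
    """Split one logical signature into its fields and decode the hex subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

def decode_sigs(sig):
    """Human-readable breakout, in the spirit of `sigtool --decode-sigs`."""
    lines = [f"VIRUS NAME: {sig['name']}", f"TDB: {sig['tdb']}",
             f"LOGICAL EXPRESSION: {sig['expr']}"]
    for i, s in enumerate(sig["subsigs"]):
        lines.append(f" * SUBSIG ID {i}: {s.decode('latin-1')}")
    return "\n".join(lines)

def evaluate(expr, hits):
    """Evaluate a simplified logical expression: '&' binds tighter than '|',
    no parentheses or match-count modifiers (an assumption of this example,
    not the full ClamAV grammar)."""
    return any(all(hits[int(i)] for i in term.split("&"))
               for term in expr.split("|"))

def scan(sig, data):
    """Return (detected, missing_subsig_ids) for a byte buffer."""
    hits = [s in data for s in sig["subsigs"]]
    missing = [i for i, h in enumerate(hits) if not h]
    return evaluate(sig["expr"], hits), missing
```

Running `scan` on a buffer that lacks even one of the decoded strings returns `False` together with the id of the absent subsignature, which is the first thing to compare against the strings `sigtool --decode-sigs` prints when a signature exists but does not fire.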

