[clamav-users] signature exists, but not detecting

Al Varnell alvarnell at mac.com
Mon Mar 8 17:31:58 UTC 2021



On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
> Yes, my apologies.  It was VirusTotal.  Here's the link.  Thanks.
> 
> https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection
> 
> On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> 
> On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
>> Hi,
>> 
>> Uploaded a file to virustools.com and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.
> 
> I'm not familiar with virustools.com and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?
> 
>> The command-line utility did not detect it.  Up-to-date DB.  The signature appears to exist in the signature database.
>> 
>> Something I'm missing?
>> 
>> # freshclam
>> ClamAV update process started at Tue Feb 23 12:12:30 2021
>> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
>> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
>> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>> 
>> 
>> # clamscan /var/tmp/pty3
>> /var/tmp/pty3: OK
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8565230
>> Engine version: 0.103.1
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.04 MB
>> Data read: 0.04 MB (ratio 1.00:1)
>> Time: 14.528 sec (0 m 14 s)
>> Start Date: 2021:02:23 12:13:43
>> End Date:   2021:02:23 12:13:57
>> 
>> 
>> # sigtools --find "6981155"
>> [daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
> 
> You might find this breakout more useful when searching the file for matching strings:
> 
> ~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs 
> VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
> TDB: Engine:51-255,Target:6
> LOGICAL EXPRESSION: 0&1&2&3&4
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
> 
> -Al-
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
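The sigtool breakout above shows why "the signature exists" and "the file is detected" are different questions: the logical expression 0&1&2&3&4 requires all five decoded strings to be present, and Target:6 means ClamAV only applies this signature to files it identifies as ELF. The script below is an added example, not ClamAV's code and not from anyone in this thread. It parses the daily.ldb line quoted above, decodes the hex subsignatures, evaluates the logical expression, and reports which subsignatures a given buffer is missing and whether the ELF target check passes. It assumes '&' binds tighter than '|', handles only Target 0 and 6, and ignores ClamAV's wildcards, offsets, match-count operators and the engine's own file-type and decompression logic; the sample inputs are constructed and contain nothing but a fake ELF header and the user-agent strings from the signature.

```python
"""Decode a ClamAV .ldb logical signature and check which of its
subsignatures a buffer contains.  Added example, not ClamAV code."""
import re

# Target type numbers as documented in the ClamAV signature format.
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                5: "Graphics", 6: "ELF", 7: "ASCII", 9: "Mach-O",
                10: "PDF", 11: "Flash", 12: "Java"}

# The daily.ldb line quoted in the thread, one hex subsignature per string.
SIG_LINE = (
    "Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;"
    "4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;"
    "4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;"
    "4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;"
    "4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;"
    "4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34"
)


def parse_ldb(line):
    """Split 'Name;TDB;LogicalExpression;hex0;hex1;...' into its parts."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    m = re.search(r"Target:(\d+)", tdb)
    return {"name": name, "tdb": tdb, "expr": expr,
            "target": int(m.group(1)) if m else 0,
            "subsigs": [bytes.fromhex(h) for h in subsigs]}


def eval_logical(expr, present):
    """Evaluate e.g. '0&1&(2|3)'; each integer is a subsig id and
    present[id] says whether that subsig was found.  Assumption of this
    example: '&' binds tighter than '|', parentheses override."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = 0

    def atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        return bool(present[int(tok)])

    def and_expr():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value      # always consume the right operand
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def report(sig, data):
    """Explain why data does or does not match sig.  Target:6 signatures
    are only applied to files ClamAV identifies as ELF; this example
    approximates that with the ELF magic and handles only Target 0 and 6."""
    present = [s in data for s in sig["subsigs"]]
    if sig["target"] == 0:
        target_ok = True
    elif sig["target"] == 6:
        target_ok = data.startswith(b"\x7fELF")
    else:
        raise NotImplementedError("no file-type check for Target:%d" % sig["target"])
    expr_ok = eval_logical(sig["expr"], present)
    return {"name": sig["name"], "target": TARGET_TYPES.get(sig["target"], "other"),
            "target_ok": target_ok, "present": present, "expr_ok": expr_ok,
            "missing": [i for i, p in enumerate(present) if not p],
            "match": target_ok and expr_ok}


# Constructed sample inputs (not real malware): a fake ELF header
# followed by the user-agent strings taken from the signature itself.
SIG = parse_ldb(SIG_LINE)
_ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_FULL = _ELF_HEADER + b"\n".join(SIG["subsigs"])         # all five strings
SAMPLE_PARTIAL = _ELF_HEADER + b"\n".join(SIG["subsigs"][:4])  # subsig 4 absent
SAMPLE_NOT_ELF = b"#!/bin/sh\n" + b"\n".join(SIG["subsigs"])   # right strings, wrong type

if __name__ == "__main__":
    for label, data in [("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL),
                        ("not_elf", SAMPLE_NOT_ELF)]:
        r = report(SIG, data)
        print("%-8s match=%s target_ok=%s missing=%s"
              % (label, r["match"], r["target_ok"], r["missing"]))
```

To use it on a real sample, call `report(SIG, open(path, "rb").read())`; a non-empty `missing` list tells you which decoded strings the file lacks, and `target_ok` being False tells you the file is not an ELF binary as far as the magic goes (for instance a script or an archive wrapping the binary), in which case ClamAV would never apply a Target:6 signature to it. Because the real engine also handles packed and embedded content, a "match" here is a hint for where to look, not a replacement for running clamscan.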


