[clamav-users] Is the signature "Win.Tool.Hoax-9939325-0" really problematic ?

alexis.guilbot at scle.fr alexis.guilbot at scle.fr
Mon Apr 11 08:46:25 UTC 2022


Thanks for your reply.

You are right, I'm not a native English speaker. I went too fast using automatic translators and I didn't review it enough. :D
I forgot to mention that I tested our binary with other antivirus and none of them raised an alert.
In the meantime, we will look at your possible solutions.


-----Original Message-----
From: clamav-users <clamav-users-bounces at lists.clamav.net> On behalf of G.W. Haywood via clamav-users
Sent: Monday 11 April 2022 10:08
To: alex via clamav-users <clamav-users at lists.clamav.net>
Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
Subject: Re: [clamav-users] Is the signature "Win.Tool.Hoax-9939325-0" really problematic ?

Hi there,

On Mon, 11 Apr 2022, alex via clamav-users wrote:

> Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0"
> on one of our executables.  This software was developed by our teams 
> and has not been modified since 2014. And suddenly, an alert is lifted...

On a point of order, in English we would say "an alert is raised".
It's clear that you aren't a native English speaker so I understand that the distinction may be a little confusing to you, but I assure you that it's no more confusing to you than "lifted" was to me when first I read it. :)

> After some research in the ClamAV VirusDB announcements, I found that 
> this signature was added on February 18, 2022 ...

This begs the question "Why was this almost two months ago?"

> We investigated on our side and saw that the alert was lifted because of 5 subsignatures:
>
>  *   OnClientToHostWindowX
>  *   OnDownloadComplete(
>  *   OnFrameNavigateComplete4
>  *   OnDownloadBegin4
>  *   OnStatusBar
>
> These functions come from a Borland library. ...

Is the library still supported, e.g. with security fixes?

> Does ... "Win.Tool.Hoax-9939325-0" detect something really problematic 
> that can compromise our system via our executable?

I doubt it, but I'd imagine you should wait for feedback from the signature team.  They're very busy so it might take a while.  Other readers of this list might have some observations.

> Is there a way to bypass the lifting of this signature, without 
> completely ignoring it, if it ultimately proves useful against other 
> files?

Not directly in ClamAV, but you could either

(1) ensure that whatever feeds files/directories/data to the scanner ignores your binary (see docs); or

(2) whitelist the signature as a false positive (see docs) and then, optionally, create your own signature which is based on this one but which specifically avoids flagging your binary.

-- 

73,
Ged.
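Option (2) above in practice, as an added example that is not part of the thread or of ClamAV itself: ClamAV reads false-positive entries from `.fp`/`.sfp` files (hash of the whole file, which keeps the signature active for every other file) and from `.ign2` files (one signature name per line, which silences the signature entirely). The signature name is the one from the thread; the sample binary, the label `ourtool.exe` and the `local.sfp` file name are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# Signature name reported in the thread.
SIG_NAME = "Win.Tool.Hoax-9939325-0"

# Assumption: names are kept to letters, digits, '.', '-' and '_', because ':' is the
# field separator in .fp/.sfp lines and whitespace would break the one-entry-per-line layout.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def _check_name(name: str) -> str:
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid ClamAV name: {name!r}")
    return name


def fp_line(data: bytes, label: str) -> str:
    """.fp entry (MD5:Size:Name): whitelist exactly this file; all signatures stay active for others."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{_check_name(label)}"


def sfp_line(data: bytes, label: str) -> str:
    """.sfp entry, same layout as .fp but with a SHA-256 (ClamAV also accepts SHA-1 here)."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{_check_name(label)}"


def ign2_line(sig_name: str) -> str:
    """.ign2 entry: the bare signature name; this ignores the signature for *every* file."""
    return _check_name(sig_name)


def write_file_whitelist(db_dir: Path, binary: Path, label: str) -> Path:
    """Write local.sfp into a database directory so clamscan/clamd pick it up with the other databases."""
    db_dir.mkdir(parents=True, exist_ok=True)
    out = db_dir / "local.sfp"
    out.write_text(sfp_line(binary.read_bytes(), label) + "\n")
    return out


if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    sample = tmp / "ourtool.exe"              # constructed stand-in for the 2014 binary
    sample.write_bytes(b"MZ" + b"\x00" * 62)  # minimal PE-looking header, not a real program
    print(write_file_whitelist(tmp / "db", sample, "ourtool.exe").read_text(), end="")
    print(ign2_line(SIG_NAME))                # the blunter alternative, shown for comparison
```

Load the extra file alongside the official databases, e.g. `clamscan -d /var/lib/clamav -d ./db/local.sfp ourtool.exe`, or drop it into the database directory itself; rebuild the entry whenever the binary changes, since the hash covers the whole file.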
