[clamav-users] Malware found on datadog folder in centos. Is it false-positive?

Al Varnell alvarnell at mac.com
Mon Jan 31 12:57:21 UTC 2022


Well yes, the fact that it was the only scanner would be an indicator of at least a possible False Positive.

Next, a check to see when that signature was added shows that it was just yesterday and further that it was dropped today, so clearly an indication that it was found to be incorrect. Updating your daily signature database should eliminate the finding and you can get back to more important work.

And if step three were necessary, I would take a look at the signature itself to see if it’s focused enough. Here’s what it looks like:

sigtool -fWin.Malware.Generic-9937882-0|sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls

So it’s looking for all five ASCII strings indicated, which might have been enough to uniquely identify whatever Windows file that is, but apparently either that file was misidentified as being malware or those strings are common to both the malware and your Python lib.

-Al-
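To carry the third step through against the file itself rather than stopping at the decoded strings, here is an added example (mine, not ClamAV's code and not something posted in the thread). It parses the decoded signature exactly as quoted above, tests which of the five subsignatures occur in a blob, evaluates the logical expression, and looks inside a zip (a .whl is one) because clamscan unpacks archives before matching. Assumptions: SIGMOD: WIDE is treated as the UTF-16LE encoding of the string, a simplification of ClamAV's wide-string matching; the wheel the script builds is a constructed stand-in with hypothetical member names (fake_pkg/launcher-stub.exe); match-count forms of logical expressions (e.g. 0>3) and hex patterns with wildcards are not implemented.

```python
"""Added example: re-check a ClamAV logical-signature hit by hand. DECODED is the sigtool output quoted in the reply."""
import io
import re
import zipfile

DECODED = """\
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls
"""

def parse_decoded(text):
    """Return (name, logical expression, [(id, sigmod, needle bytes), ...]); plain strings only."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1).strip()
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1).strip()
    parts = re.split(r"^ \* SUBSIG ID (\d+)[ \t]*$", text, flags=re.M)
    subsigs = []
    for i in range(1, len(parts), 2):  # parts = [head, id, body, id, body, ...]
        body = parts[i + 1]
        sigmod = re.search(r"SIGMOD: (\S+)", body).group(1)
        string = re.search(r"DECODED SUBSIGNATURE:\n([^\n]*)", body).group(1)
        # Assumption: SIGMOD WIDE means the string must occur in its UTF-16LE form.
        needle = string.encode("utf-16-le") if sigmod == "WIDE" else string.encode("latin-1")
        subsigs.append((int(parts[i]), sigmod, needle))
    return name, expr, subsigs

def eval_logical(expr, hits):
    """Evaluate '&', '|' and parentheses over hits {id: bool}; '0>3'-style counts unsupported."""
    toks, pos = re.findall(r"\d+|[&|()]", expr), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok != "(":
            return bool(hits.get(int(tok), False))
        v = disj()
        pos += 1  # consume the closing ')'
        return v
    def binop(op, operand, combine):  # left-assoc chain; every operand is evaluated
        nonlocal pos
        v = operand()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            v = combine(v, operand())
        return v
    conj = lambda: binop("&", atom, lambda a, b: a and b)
    disj = lambda: binop("|", conj, lambda a, b: a or b)
    return disj()

def subsig_hits(data, subsigs):
    """Which subsignature IDs occur in one decompressed blob."""
    return {sid: needle in data for sid, _, needle in subsigs}

def match_blob(data, expr, subsigs):
    return eval_logical(expr, subsig_hits(data, subsigs))

def scan(data, expr, subsigs):
    """Scan raw bytes and, for a zip such as a .whl, each member too (clamscan unpacks archives)."""
    matched = ["<raw>"] if match_blob(data, expr, subsigs) else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            matched += [i.filename for i in zf.infolist() if match_blob(zf.read(i), expr, subsigs)]
    return matched

def build_sample_wheel(wide=True):
    """Constructed stand-in for the flagged wheel (hypothetical member names);
    with wide=False subsignature 3 is stored as ASCII, which must not satisfy a WIDE subsig."""
    _, _, subsigs = parse_decoded(DECODED)
    pieces = [n if wide or m != "WIDE" else n.decode("utf-16-le").encode("latin-1")
              for _, m, n in subsigs]
    payload = b"MZ" + b"\x00" * 62 + b"\x00".join(pieces) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fake_pkg/__init__.py", "print('hello')\n")
        zf.writestr("fake_pkg/launcher-stub.exe", payload)
    return buf.getvalue()
```

Against a real file, replace DECODED with the output of `sigtool --find-sigs Win.Malware.Generic-9937882-0 | sigtool --decode-sigs` and call scan() on the file's bytes: the names it returns tell you which archive member carries all five strings, and subsig_hits() on that member shows which string a near-miss lacks. Note that strings like these are the error messages of a Windows script launcher, and a pure-Python wheel can legitimately carry them, since pip's vendored distlib ships such launcher executables; that is how a Windows signature can fire on a file under /opt/datadog-agent on a CentOS host.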

On Jan 31, 2022, at 04:22, Arnaud Jacques via clamav-users <clamav-users at lists.clamav.net> wrote:
> FP confirmed (I guess):
> https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d
> 
> 
> On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:
>> First I would upload the file to https://virustotal.com to see if any other scanners identify the file as malware.
>> Sent from my iPad
>> -Al-
>>> On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users <clamav-users at lists.clamav.net> wrote:
>>> 
>>> 
>>> Hello, I hope everyone is well.
>>> 
>>> While scanning my database VPS, ClamAV found Win.Malware.Generic-9937882-0
>>> on /opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl. The server is running CentOS 7, so a Windows-based malware is not likely dangerous, but it makes me wonder: is it malware or is it a false positive?
>>> 
>>> I am new to all this, so I would like some guidelines as to what I should check and how I should proceed...
>>> 
>>> thanks in advance,
>>> N. Theofanidis
>>> 
>>> 
>>> _______________________________________________
>>> 
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>> 
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
> 
> -- 
> Cordialement / Best regards,
> 
> Arnaud Jacques
> Manager of SecuriteInfo.com
> 
> Telephone: +33-(0)3.60.47.09.81
> E-mail: aj at securiteinfo.com
> Website: https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> Signatures for ClamAV antivirus : http://ow.ly/LqfdL
> 
