[clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Al Varnell
alvarnell at mac.com
Sat Jul 9 09:58:02 UTC 2022
Hi,
Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.
And the signature is:
% sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
VIRUS NAME: Win.Dropper.Tinba-9943147-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
!Win32 .EXE.
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS1
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS2
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
G(XPTPjxW
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.)D$H+
You didn't mention the name of your program or where it can be found, so I'm unable to check further, but perhaps the above will allow you to track down what component of the program is being detected.
I suspect someone from the ClamAV Signature Team will spot this shortly, but it is the start of a weekend, so it may take a couple of days.
-Al-
> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Hi Everyone
>
> My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at VirusTotal
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
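
Added example (not part of the original message and not ClamAV code): a Python script for the tracking-down step suggested in the reply, reporting the offsets at which each decoded subsignature occurs in a buffer and whether the 0&1&2&3&4 conjunction is satisfied. It assumes the decoded strings shown on this page are exact ASCII bytes, ignores the TDB Target:1 restriction, and runs on a constructed sample buffer rather than a real executable.

```python
# Subsignatures as decoded on this page (assumed to be exact ASCII bytes;
# sigtool may have rendered non-printable bytes that this copy does not show).
SUBSIGS = {
    0: b"!Win32 .EXE.",
    1: b".MPRESS1",
    2: b".MPRESS2",
    3: b"G(XPTPjxW",
    4: b".)D$H+",
}
LOGICAL_EXPRESSION = "0&1&2&3&4"  # from the decoded signature


def find_offsets(data, pattern):
    """Return every offset at which pattern occurs (OFFSET: ANY)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def evaluate(data):
    """Return (matched, {subsig_id: [offsets]}) for the signature above."""
    offsets = {sid: find_offsets(data, pat) for sid, pat in SUBSIGS.items()}
    # This expression is a plain conjunction, so every listed ID must hit.
    required = [int(tok) for tok in LOGICAL_EXPRESSION.split("&")]
    return all(offsets[sid] for sid in required), offsets


def report(data):
    """Format per-subsignature offsets and the overall verdict as text."""
    matched, offsets = evaluate(data)
    lines = [f"subsig {sid}: {[hex(o) for o in offs] or 'no match'}"
             for sid, offs in offsets.items()]
    lines.append("signature would fire" if matched else "signature would not fire")
    return "\n".join(lines)


def build_sample():
    """Constructed buffer, not a real executable: all five strings padded apart."""
    buf = b"MZ" + b"\x00" * 14
    for pat in SUBSIGS.values():
        buf += pat + b"\x00" * 16
    return buf


if __name__ == "__main__":
    print(report(build_sample()))
```

To use it on a real build, pass the file's bytes to report() and compare the reported offsets against the PE section table to see which component holds each match.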