[clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Al Varnell
alvarnell at mac.com
Sat Jul 9 15:46:17 UTC 2022
My capabilities for examining Windows files are extremely limited, given that I'm an Apple Mac user, exclusively.
Running clamscan --debug against the file I see the following near the end:
> LibClamAV debug: FP SIGNATURE: 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 701571d9181d39302909ef36ce487d17:4929264:Win.Dropper.Tinba-9943147-0 # Name: AnyCase App Installer v10.93.exe, Type: CL_TYPE_MSEXE
> /Users/<redacted>/Downloads/2022-07-04/AnyCase App Installer v10.93.exe: Win.Dropper.Tinba-9943147-0 FOUND
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: bytecode: extracting new file with id 4294967295
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: cli_scanembpe: Infected with Win.Dropper.Tinba-9943147-0
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Freeing phishcheck struct
> LibClamAV debug: Phishcheck cleaned up
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12318966
> Engine version: 0.104.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 13.42 MB
> Data read: 4.70 MB (ratio 2.86:1)
> Time: 39.290 sec (0 m 39 s)
> Start Date: 2022:07:09 08:16:55
> End Date: 2022:07:09 08:17:34
I'm not an expert on this either, but it would appear that there is a valid False Positive entry in the database for four different files, including yours as the last. I can confirm that the md5 hash matches the installer downloaded from your site:
> sigtool --md5 /Users/<redacted>/Downloads/2022-07-04/AnyCase\ App\ Installer\ v10.93.exe
> 701571d9181d39302909ef36ce487d17:4929264:AnyCase App Installer v10.93.exe
So why it's being detected remains a mystery!
-Al-
> On Jul 9, 2022, at 3:21 AM, Yaron Elharar via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> that correlates exactly to where it started happening 👍
>
> It's a pretty cool case converter called AnyCase
> https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1
>
> "... but perhaps the above will allow you to track down what component of the program is being detected."
>
> I thought about doing that, but I don't know where to start,
> it would be great to understand what is happening, and why
>
> Where should I start?
>
>
>
> On Sat, Jul 9, 2022 at 12:59 PM Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
> Hi,
>
> Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.
>
> And the signature is:
>
> % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
> VIRUS NAME: Win.Dropper.Tinba-9943147-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> !Win32 .EXE.
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS1
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS2
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> G(XPTPjxW
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .)D$H+
>
> You didn't mention the name of your program or where it can be found, so I'm unable to check further, but perhaps the above will allow you to track down what component of the program is being detected.
>
> I suspect someone from the ClamAV Signature Team will spot this shortly, but it is the start of a weekend, so may take a couple of days.
>
> -Al-
>
>> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <clamav-users at lists.clamav.net> wrote:
>>
>> Hi Everyone
>>
>> My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>>
>> File hash
>> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
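The thread asks "where should I start?" for working out which part of the installer matches. The script below is an added example, not ClamAV's code or anything from the AnyCase project: it takes the five subsignatures and the logical expression from the decoded signature above, reports which of them occur in a file and at what offsets, and builds the md5:size:name line that ClamAV's .fp false-positive entries use (the same shape as the "FP SIGNATURE" debug lines). Two things are assumptions of this example and not facts about ClamAV: every "." in sigtool's decoded output is treated as a one-byte wildcard, and only ids, "&", "|" and parentheses are accepted in the logical expression (ClamAV's match-count forms such as "0>2" are not modelled). The sample bytes are constructed; the script never touches a real installer unless you point it at one.

```python
"""Triage helper for a ClamAV logical-signature hit (added example, not ClamAV code).

Given the subsignatures that `sigtool --decode-sigs` printed and the logical
expression that combines them, report which subsignatures occur in a file and
at what offsets, and build the md5:size:name line used by ClamAV .fp files.
"""
import hashlib
import re

# Subsignatures and expression copied from the decoded signature in the thread.
# sigtool shows bytes it cannot print as "."; this example treats every "." as a
# one-byte wildcard. That is an assumption about the display, not ClamAV's matcher.
SUBSIGS = ["!Win32 .EXE.", ".MPRESS1", ".MPRESS2", "G(XPTPjxW", ".)D$H+"]
LOGICAL_EXPRESSION = "0&1&2&3&4"

# Constructed stand-in for a packed installer: every fragment present, padded with
# filler bytes. PARTIAL_SAMPLE drops one fragment so the signature should not fire.
FILLER = b"\x00" * 16
FULL_SAMPLE = (b"MZ" + FILLER + b"!Win32 \x00EXE\x00" + FILLER + b"\x00MPRESS1" + FILLER
               + b"\x00MPRESS2" + FILLER + b"G(XPTPjxW" + FILLER + b"\x8b)D$H+" + FILLER)
PARTIAL_SAMPLE = FULL_SAMPLE.replace(b"G(XPTPjxW", b"G(XXXXjxW")


def subsig_to_regex(subsig: str):
    """Compile a decoded subsignature into a bytes regex ('.' = any one byte)."""
    parts = [b"." if ch == "." else re.escape(ch.encode("latin-1")) for ch in subsig]
    return re.compile(b"".join(parts), re.DOTALL)


def find_subsigs(data: bytes, subsigs=SUBSIGS) -> dict:
    """Return {subsig_id: [offset, ...]} for each subsignature found in data."""
    hits = {}
    for sid, subsig in enumerate(subsigs):
        offsets = [m.start() for m in subsig_to_regex(subsig).finditer(data)]
        if offsets:
            hits[sid] = offsets
    return hits


def eval_logical(expr: str, matched) -> bool:
    """Evaluate a logical expression over the ids present in `matched`.

    Grammar: expr := term ('|' term)*, term := factor ('&' factor)*,
    factor := id | '(' expr ')'. Enough for the thread's expression only.
    """
    tokens = re.findall(r"\d+|[&|()]", expr.replace(" ", ""))
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def factor():
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        return int(tok) in matched

    def and_expr():
        value = factor()
        while peek() == "&":
            take()
            value = factor() and value  # always consume the operand
        return value

    def or_expr():
        value = and_expr()
        while peek() == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


def fp_entry(data: bytes, name: str) -> str:
    """Build the md5:size:name line that ClamAV .fp false-positive files use."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def triage(data: bytes, name: str) -> dict:
    """Summarise one file: FP line, per-subsig offsets, whether the signature fires."""
    hits = find_subsigs(data)
    return {
        "fp_line": fp_entry(data, name),
        "hits": hits,
        "fires": eval_logical(LOGICAL_EXPRESSION, hits),
        "missing": [i for i in range(len(SUBSIGS)) if i not in hits],
    }


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <file>; with no argument the constructed samples run.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read(), sys.argv[1]))
    else:
        print(triage(FULL_SAMPLE, "full-sample.exe"))
        print(triage(PARTIAL_SAMPLE, "partial-sample.exe"))
```

The "hits" offsets are the useful output for an FP report: they tell you which region of the file each subsignature lands in, so you can see, for instance, whether the .MPRESS1/.MPRESS2 strings come from PE section names written by the packer rather than from your own code, and the "fp_line" is what a whitelist entry for that exact build would look like.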