I don't see how that is even remotely possibly. They are three completely different hash signatures:
[daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?
-Al-
On Tue, Aug 07, 2018 at 12:20 AM, Albrecht, Peter wrote:
Hi,
We have whitelisted certain signatures for files which are only detected by
ClamAV to be potentially malicious. And now we face the problem that the
same files are reported again, but with a different signature. I already had
this behaviour when I tested with the EICAR test virus.
The signatures in question are now:
Html.Malware.Agent-6625344-0 (whitelisted already)
Html.Malware.Agent-6625164-0 (new signature for the same files)
After whitelisting the latter one, ClamAV comes again with a new signature:
Html.Malware.Agent-6625283-0
It looks like there are multiple signatures defined for the same file. What
would you need from me to investigate further?
We are using ClamAV 0.99.4 on Linux. The virus signatures are updated
directly before running clamscan.
Regards,
Peter
Peter Albrecht