Hey Graeme,

Doc.Trojan.Agent-6923110-0 has been dropped as of this morning's daily.cvd build.  Thanks for bringing this FP to our attention.

For reference, the signature was generated from a cluster of documents similar to and including the one below:

https://www.virustotal.com/gui/file/7cf485fb365ef45d1d5253ef104ae418f9cb18dff0500e5bb7c8ad3a32220ab5

From doing some quick research on the underlying VB script contained within, there is some code that looks a little suspicious, but the vast majority appears to be code associated with documents produced by Oracle Web Applications Desktop Integrator (ADI).  This signature mistakenly matches on the latter.

From searching online, I was able to find some clean spreadsheets created via Oracle Web ADI and have added those to our clean sample database, so that future signatures which might mistakenly match on these documents and spreadsheets won't pass our False Positive testing.

Thanks again, and let me know if you have any questions.

-Andrew

Andrew Williams
Malware Research Engineer
Cisco Talos


On Wed, Apr 10, 2019 at 1:44 PM Graeme Fowler via clamav-users <clamav-users@lists.clamav.net> wrote:
Thanks; I'm well aware of that.

I can well understand the rationale behind the signature - however it looks like the code is established in normal usage. The user in question requested a more recent copy of the template sheet they work with from the upstream organisation, which too was blocked at the boundary (as I expected).

I'm loath to put it into the ignore list as there's obviously good reason for the sig in the first place; what I can't see is whether any other Clam sites have seen the same issue, hence raising it here.

It may be that the sig is a bit too broad, but equally it may be entirely based on observed malware - and if we've got genuine files using the same code as malware or the other way round, that leaves us in a bit of a pickle.

Graeme

________________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Brent Clark via clamav-users <clamav-users@lists.clamav.net>
Sent: 10 April 2019 13:38
To: ClamAV users ML
Cc: Brent Clark
Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

To whitelist a specific signature from the database you just add the
signature name into a local file with the .ign2 extension and store it
inside /var/lib/clamav.

i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2

HTH
Regards
Brent Clark
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
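The local ignore-list procedure Brent describes (one signature name per line in a `.ign2` file under the ClamAV database directory) is easy to get wrong by hand: a typo, a duplicate line, or an entry that quietly outlives the fix, which in this thread arrived the next morning when Talos dropped the signature. The script below is an added example, not code from the thread or from the ClamAV project; it assumes `/var/lib/clamav` as the database directory and `whitelist.ign2` as the file name, both taken from Brent's message, and validates the signature name before writing so only a well-formed `Doc.Trojan.Agent-6923110-0` style token ever reaches the file. The `ign2_remove` helper exists so the override can be reverted once the upstream signature is corrected.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): manage a local
# ClamAV .ign2 ignore list. Assumes the database directory is /var/lib/clamav
# and the file holds one signature name per line, as in Brent's message.
CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"
IGN2_NAME="whitelist.ign2"

# Accept only letters, digits, '.', '_' and '-', so an empty string or a
# stray shell token never ends up in the ignore list.
valid_sig_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ign2_has DIR SIG -> exit 0 if SIG is already listed (exact, whole-line match)
ign2_has() {
    [ -f "$1/$IGN2_NAME" ] && grep -qxF "$2" "$1/$IGN2_NAME"
}

# ign2_add DIR SIG: append SIG once (idempotent); refuses malformed names.
ign2_add() {
    valid_sig_name "$2" || { echo "refusing invalid signature name: '$2'" >&2; return 2; }
    if ign2_has "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1/$IGN2_NAME"
}

# ign2_remove DIR SIG: drop SIG once the upstream signature has been fixed,
# so the local override does not outlive the problem it worked around.
ign2_remove() {
    f="$1/$IGN2_NAME"
    [ -f "$f" ] || return 0
    # grep exits 1 when nothing is left to keep; that still leaves a valid empty file
    grep -vxF "$2" "$f" > "$f.tmp" || true
    mv "$f.tmp" "$f"
}

# ign2_count DIR -> number of signatures currently ignored
ign2_count() {
    [ -f "$1/$IGN2_NAME" ] || { echo 0; return 0; }
    wc -l < "$1/$IGN2_NAME" | tr -d ' '
}

# Stand-alone usage: set IGN2_DEMO_DIR to a writable directory to try it out,
# e.g. IGN2_DEMO_DIR=/tmp/clamdemo sh ign2.sh (constructed demo, not a real install)
if [ -n "${IGN2_DEMO_DIR:-}" ]; then
    mkdir -p "$IGN2_DEMO_DIR"
    ign2_add "$IGN2_DEMO_DIR" 'Doc.Trojan.Agent-6923110-0'
    ign2_has "$IGN2_DEMO_DIR" 'Doc.Trojan.Agent-6923110-0' && echo "signature is ignored"
    echo "entries: $(ign2_count "$IGN2_DEMO_DIR")"
    # Once ClamAV retires the signature, revert the local override:
    # ign2_remove "$IGN2_DEMO_DIR" 'Doc.Trojan.Agent-6923110-0'
fi
```

Run against the real database directory as the user that owns it (`ign2_add "$CLAMAV_DB_DIR" 'Doc.Trojan.Agent-6923110-0'`), then have clamd reload its databases; the file is picked up like any other `*.ign2` in that directory. Keeping the removal step next to the add step is the point: an ignore entry is a temporary risk acceptance, and this thread shows the upstream fix can land within a day.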