Yes, my apologies. It was VirusTotal. Here's the link. Thanks.On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:Hi,Uploaded a file to virustools.com and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.I'm not familiar with virustools.com and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?The command-line utility did not detect it. Up-to-date DB. The signature appears to exist in the signature database.Something I'm missing?# freshclamClamAV update process started at Tue Feb 23 12:12:30 2021
daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)# clamscan /var/tmp/pty3/var/tmp/pty3: OK----------- SCAN SUMMARY -----------
Known viruses: 8565230
Engine version: 0.103.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Data read: 0.04 MB (ratio 1.00:1)
Time: 14.528 sec (0 m 14 s)
Start Date: 2021:02:23 12:13:43
End Date: 2021:02:23 12:13:57
# sigtools --find "6981155"
[daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34You might find this breakout more useful when searching the file for matching strings:~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigsVIRUS NAME: Unix.Trojan.Tsunami-6981155-0TDB: Engine:51-255,Target:6LOGICAL EXPRESSION: 0&1&2&3&4* SUBSIG ID 0+-> OFFSET: ANY+-> SIGMOD: NONE+-> DECODED SUBSIGNATURE:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)* SUBSIG ID 1+-> OFFSET: ANY+-> SIGMOD: NONE+-> DECODED SUBSIGNATURE:Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2* SUBSIG ID 2+-> OFFSET: ANY+-> SIGMOD: NONE+-> DECODED SUBSIGNATURE:Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)* SUBSIG ID 3+-> OFFSET: ANY+-> SIGMOD: NONE+-> DECODED SUBSIGNATURE:Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911* SUBSIG ID 4+-> OFFSET: ANY+-> SIGMOD: NONE+-> DECODED SUBSIGNATURE:Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4-Al-
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml