Ged: The submitted sample for SHA256:fc1e483dbb60d49205e3d238b3d090e6cc7a49b775bf4e519aba7117ab3a5b43 did not pass our guardrail checks for eligible conviction and signature creation. I couldn't find a past run on Jotti matching this hash either.

When submitting this file to the same service, I receive no alerts from any of the endpoint solutions:
https://virusscan.jotti.org/en-US/filescanjob/wh66zum612

We did notice the filename provided was da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3. Could this be the hash for the sample in question? We will need this particular file to be submitted, as we currently do not have a record of SHA256:da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3 being submitted in the past. I also couldn't find the sample myself.

vze1amckv: We have a record of SHA1:d2058d5fdd9c4551f7c888d6673a6dbc780b095d, but the submission form on clamav.net is not in the submission list. We will investigate this missing entry. In the interim, I'll create a signature for the sample.



It's also important to keep in mind the complexities involved in handling bulk malware submissions from the community. Guardrails must be present to help prevent FPs on erroneous or intentional clean file submissions. Our team is also exploring new methods and resources to improve the processing of submissions, and we do appreciate the feedback provided by the ClamAV community to assist in these efforts.



On Thu, Aug 5, 2021 at 9:44 AM vze1amckv--- via clamav-users <clamav-users@lists.clamav.net> wrote:
In June I manually submitted a suspicious JavaScript file and got "Our
initial assessment has verified the sample as a threat & we will be
publishing signatures for ClamAV."  But even a month after I submitted,
Jotti still reported that ClamAV didn't detect the file.

So I tried re-submitting it again via the web form but subsequent
submissions of the same file got no response. As of today, Jotti still
says that ClamAV doesn't detect it.

The SHA1 hash of the suspicious file in question is
d2058d5fdd9c4551f7c888d6673a6dbc780b095d.  Thank you.

On 8/5/21 3:12 AM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> We have just received this response to one of our automated submissions:
>
> 8<----------------------------------------------------------------------
> On Thu, 5 Aug 2021, noreply@clamav.com wrote:
>
>> G.W. Haywood,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3
>> (SHA256:
>> fc1e483dbb60d49205e3d238b3d090e6cc7a49b775bf4e519aba7117ab3a5b43)
>>
>> Our initial assessment shows that this file is possibly clean. If
>> you provided a description that suggests otherwise, we will further
>> examine the sample & proceed from there.
>>
>> -The ClamAV team
> 8<----------------------------------------------------------------------
>
> Here's the result of our check against fifteen scanners, available via
> Jotti's extremely useful service, and which is run before each of the
> submissions made by our system:
>
> 8<----------------------------------------------------------------------
> clamav.net          Found nothing
> f-prot.com          Found nothing
> k7computing.com     Found nothing
> trendmicro.com      Found nothing
> fortinet.com        MSIL/Kryptik.DZG!tr
> eset.com            MSIL/Spy.Agent.AES
> sophos.com          Mal/RarMal-C
> anti-virus.by       Malware-Cryptor.MSIL.AgentTesla.Heur
> bitdefender.com     Trojan.GenericKD.46737949
> escanav.com         Trojan.GenericKD.46737949
> gdatasoftware.com   Trojan.GenericKD.46737949
> ikarus.at           Trojan.Inject
> drweb.com           Trojan.PackedNET.964
> f-secure.com        Trojan:W32/MaliciousAttachment.F
> avast.com           Win32:PWSX-gen
> 8<----------------------------------------------------------------------
>
> This is one of the clearer threat reports, and I'm surprised by the
> initial assessment from the ClamAV team.  The report was sent using
> the 'clamsubmit' utility, which does not offer an option to provide
> a description of the malware.
>
> What should I do now?
>

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
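The confusion at the top of this thread (a file named da741cde... whose content the submission portal hashed to fc1e483d..., and a separate sample tracked only by SHA1) is the kind of thing an automated submission queue should catch before sending anything. The script below is an added example written for this page; it is not code from the thread participants, from Talos or from the ClamAV project. It checks whether each queued file's name is a hex digest and, if so, whether it actually matches the content, and reports MD5/SHA1/SHA256 so the same hashes can be quoted to the list. The sample bytes are constructed, not real malware, and the `.hsb` record format (hash:size:name:minimum-functionality-level, with 73 for SHA256 entries) is assumed from the ClamAV signature documentation; verify it against your installed version before shipping a signature.

```python
"""Sanity checks for a malware-submission queue.

Added example for the mailing-list thread above; not ClamAV's own tooling.
All sample bytes are constructed and harmless.
"""
import hashlib

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the sample, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def check_sample(name: str, data: bytes) -> dict:
    """Classify a queued sample by whether its filename is a content hash.

    status is one of:
      "match"     filename is a hex digest and equals the content hash
      "mismatch"  filename looks like a digest but the content hashes differently
                  (the thread's case: a file named da74... hashing to fc1e...)
      "unnamed"   filename is not a hex digest; nothing to cross-check
    """
    d = digests(data)
    is_hex = all(c in "0123456789abcdefABCDEF" for c in name)
    if not is_hex or len(name) not in ALGO_BY_LEN:
        return {"name": name, "status": "unnamed", **d}
    algo = ALGO_BY_LEN[len(name)]
    status = "match" if d[algo] == name.lower() else "mismatch"
    return {"name": name, "status": status, "claimed": algo, **d}


def hsb_line(data: bytes, signame: str) -> str:
    """ClamAV .hsb hash-signature record for the sample.

    Format assumed from the ClamAV signature docs:
    Hash:FileSize:MalwareName:MinFLevel, with 73 as the minimum functionality
    level for SHA256-based entries. Check against your clamav version.
    """
    return f"{sha256_hex(data)}:{len(data)}:{signame}:73"


# --- constructed queue (harmless bytes standing in for samples) ---
GOOD = b"MZ\x90\x00constructed-sample-A"
BAD = b"MZ\x90\x00constructed-sample-B"
QUEUE = {
    sha256_hex(GOOD): GOOD,                 # correctly named by its own SHA256
    sha256_hex(b"some other file"): BAD,    # named by a hash that is not its own
    "invoice.js": b"document.write('constructed js stand-in');",
}


def triage(queue: dict) -> dict:
    """Run check_sample over the whole queue; return {filename: status}."""
    return {n: check_sample(n, d)["status"] for n, d in queue.items()}


if __name__ == "__main__":
    for name, data in QUEUE.items():
        r = check_sample(name, data)
        print(f"{r['status']:9} {name[:16]:16} sha1={r['sha1']} sha256={r['sha256']}")
        if r["status"] == "mismatch":
            print("          filename hash != content hash; quote the content hashes above")
    # Hash signature for the verified sample, for a local .hsb while waiting on upstream
    print(hsb_line(GOOD, "Win.Test.Constructed-1"))
```

Run it over a real queue by replacing `QUEUE` with files read from disk; a "mismatch" result means the name will not help anyone locate the sample on the other end, so the report should carry the computed digests rather than the filename.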