Looks like the signature was dropped already because sigtool doesn't find it anymore after I updated the databases through freshclam.

--
Maarten

On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

Well yes, the fact that it was the only scanner would be an indicator of at least a possible False Positive.

Next a check to see when that signature was added shows that it was just yesterday and further that it was dropped today, so clearly an indication that it was found to be incorrect. Updating your daily signature database should eliminate the finding and you can get back to more important work.

And if step three were necessary, I would take a look at the signature itself to see if it’s focused enough. Here’s what it looks like:

sigtool -f Win.Malware.Generic-9937882-0 | sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls

So it’s looking for all five ASCII strings indicated, which might have been enough to uniquely identify whatever Windows file that is, but apparently either that file was misidentified as being malware or those strings are common to both the malware and your python lib.

-Al-

On Jan 31, 2022, at 04:22, Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net> wrote:

FP confirmed (I guess):
https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d
On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:

First I would upload the file to https://virustotal.com to see if any other scanners identify the file as malware.

Sent from my iPad
-Al-

On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users <clamav-users@lists.clamav.net> wrote:

Hello, I hope everyone is well.

While scanning my database VPS, ClamAV found Win.Malware.Generic-9937882-0 on /opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl. The server is running CentOS 7, so a Windows-based malware is not likely dangerous, but it makes me wonder: is it a malware or is it a false positive?

I am new to all this so I would like some guidelines as to what I should check and how I should proceed...

Thanks in advance,
N. Theofanidis

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
--
Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Phone: +33-(0)3.60.47.09.81
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL
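The decoded signature Al pasted above is a good illustration of how a ClamAV logical signature works: each SUBSIG is a literal to look for (SIGMOD: WIDE means the UTF-16LE form), and the detection only fires when the LOGICAL EXPRESSION (here 0&1&2&3&4, i.e. all five strings present) is satisfied. The script below is an added example written for this thread; it is not ClamAV's code and not something any participant posted. It parses the sigtool --decode-sigs text quoted above, builds the byte needle for each subsignature, counts hits in a buffer and evaluates the expression. It is a simplified model only: it handles just literal strings with OFFSET: ANY, ignores the TDB engine/target restriction and hex wildcards, does not unpack archives (ClamAV would scan the wheel's extracted contents, not the zip bytes), and its & over | precedence is an assumption. The two sample buffers are constructed for the demo and are not bytes taken from the pip wheel.

```python
import re

# Decoded signature text as quoted in the thread, i.e. the output of
# `sigtool -f Win.Malware.Generic-9937882-0 | sigtool --decode-sigs`.
DECODED = """\
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls
"""


def parse_decoded(text):
    """Return (virus name, logical expression, {subsig id: (pattern, sigmod)})."""
    name = re.search(r"^VIRUS NAME:\s*(.+)$", text, re.M).group(1).strip()
    expr = re.search(r"^LOGICAL EXPRESSION:\s*(\S+)", text, re.M).group(1)
    subsigs = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*\* SUBSIG ID (\d+)", lines[i])
        if not m:
            i += 1
            continue
        sid, sigmod = int(m.group(1)), "NONE"
        i += 1
        # Consume the "+->" attribute lines; the literal follows DECODED SUBSIGNATURE:
        while i < len(lines) and lines[i].lstrip().startswith("+->"):
            field = lines[i].lstrip()[3:].strip()
            if field.startswith("SIGMOD:"):
                sigmod = field.split(":", 1)[1].strip()
            elif field.startswith("DECODED SUBSIGNATURE:"):
                i += 1
                subsigs[sid] = (lines[i], sigmod)
            i += 1
    return name, expr, subsigs


def needle(pattern, sigmod):
    """Bytes to search for: UTF-16LE for SIGMOD WIDE, single-byte otherwise (toy: only these two)."""
    return pattern.encode("utf-16-le" if sigmod == "WIDE" else "latin-1")


def eval_expr(expr, hits):
    """Evaluate a logical expression over subsig hit counts ('&', '|', parentheses).
    Assumption of this toy: '&' binds tighter than '|'."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            w = parse_and()       # always parse, so every token is consumed
            v = v or w
        return v

    def parse_and():
        nonlocal pos
        v = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            w = parse_atom()
            v = v and w
        return v

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            v = parse_or()
            pos += 1              # skip the closing ')'
            return v
        return hits.get(int(tok), 0) > 0

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unparsed tokens in expression: " + expr)
    return result


def scan(data, decoded=DECODED):
    """Return (virus name or None, {subsig id: hit count}) for a raw buffer."""
    name, expr, subsigs = parse_decoded(decoded)
    hits = {sid: data.count(needle(p, mod)) for sid, (p, mod) in subsigs.items()}
    return (name if eval_expr(expr, hits) else None), hits


def build_sample(skip=()):
    """Constructed demo buffer: the signature's own literals, NUL-separated, minus `skip`."""
    _, _, subsigs = parse_decoded(DECODED)
    return b"\x00".join(needle(p, m) for sid, (p, m) in sorted(subsigs.items()) if sid not in skip)


FULL_HIT = build_sample()          # all five strings present -> detection fires
PARTIAL = build_sample(skip={4})   # subsig 4 absent -> the AND expression fails

if __name__ == "__main__":
    for label, buf in (("all five strings present", FULL_HIT), ("subsig 4 absent", PARTIAL)):
        verdict, hits = scan(buf)
        print(f"{label}: hits={hits} -> {verdict or 'clean'}")
```

Running it shows why a signature built purely from a few diagnostic strings is fragile: any benign binary that embeds the same five messages satisfies 0&1&2&3&4 just as the intended sample does, which is the "strings are common to both" case Al describes, and why the fix on the ClamAV side was to drop the signature rather than to tune it.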