My capabilities for examining Windows files are extremely limited, given that I'm an Apple Mac user, exclusively.

Running clamscan --debug against the file I see the following near the end:

LibClamAV debug: FP SIGNATURE: 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 701571d9181d39302909ef36ce487d17:4929264:Win.Dropper.Tinba-9943147-0  # Name: AnyCase App Installer v10.93.exe, Type: CL_TYPE_MSEXE
/Users/<redacted>/Downloads/2022-07-04/AnyCase App Installer v10.93.exe: Win.Dropper.Tinba-9943147-0 FOUND
LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
LibClamAV debug: cli_magic_scan_desc: returning 1  at line 4982
LibClamAV debug: bytecode: extracting new file with id 4294967295
LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
LibClamAV debug: cli_magic_scan_desc: returning 1  at line 4982
LibClamAV debug: cli_scanembpe: Infected with Win.Dropper.Tinba-9943147-0
LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
LibClamAV debug: cli_magic_scan_desc: returning 1  at line 4982
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 12318966
Engine version: 0.104.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 13.42 MB
Data read: 4.70 MB (ratio 2.86:1)
Time: 39.290 sec (0 m 39 s)
Start Date: 2022:07:09 08:16:55
End Date:   2022:07:09 08:17:34


I'm not an expert on this either, but it would appear that there is a valid False Positive entry in the database for four different files, including yours as the last. I can confirm that the md5 hash matches the installer downloaded from your site:

sigtool --md5 /Users/<redacted>/Downloads/2022-07-04/AnyCase\ App\ Installer\ v10.93.exe 
701571d9181d39302909ef36ce487d17:4929264:AnyCase App Installer v10.93.exe

So why it's being detected remains a mystery!

-Al-
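The conclusion above rests on comparing the md5:size pair that sigtool --md5 prints with the FP SIGNATURE entries in the debug output. As an added illustration (not code from the thread or from ClamAV), the following Python reproduces that comparison offline: it builds the md5:size:name line in the format sigtool --md5 prints, parses the FP SIGNATURE lines out of the debug log quoted above (copied here as constructed input), and checks whether a file's hash and size pair appears among them. The sample file bytes are constructed; the real installer is not part of the example.

```python
import hashlib
import re

# Constructed stand-in for a downloaded installer; any bytes will do.
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 4

# The FP SIGNATURE debug lines quoted in the thread, used here as
# constructed parser input (note the duplicated second entry).
DEBUG_LOG = """\
LibClamAV debug: FP SIGNATURE: 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0  # Name: n/a, Type: CL_TYPE_MSEXE
LibClamAV debug: FP SIGNATURE: 701571d9181d39302909ef36ce487d17:4929264:Win.Dropper.Tinba-9943147-0  # Name: AnyCase App Installer v10.93.exe, Type: CL_TYPE_MSEXE
"""

# md5 (32 hex digits) : file size : signature name
FP_LINE = re.compile(r"FP SIGNATURE: ([0-9a-f]{32}):(\d+):(\S+)")


def sigtool_md5_line(data: bytes, name: str) -> str:
    """Build the md5:size:name line that `sigtool --md5 FILE` prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp_entries(log: str):
    """Collect the distinct (md5, size) pairs from FP SIGNATURE debug lines."""
    return {(m.group(1), int(m.group(2))) for m in FP_LINE.finditer(log)}


def has_fp_entry(data: bytes, fp_entries) -> bool:
    """True when both the file's md5 and its size match a whitelisted entry.

    Hash-based FP entries carry the size too, so a hash collision alone
    (or a rebuilt file with the same hash but different size) does not match.
    """
    return (hashlib.md5(data).hexdigest(), len(data)) in fp_entries


if __name__ == "__main__":
    entries = parse_fp_entries(DEBUG_LOG)
    print("distinct FP entries in the log:", len(entries))
    print("sigtool --md5 style line for the sample:",
          sigtool_md5_line(SAMPLE_FILE, "sample.exe"))
    print("sample covered by the quoted FP entries:",
          has_fp_entry(SAMPLE_FILE, entries))
```

The four quoted lines yield three distinct entries, because the second one is repeated, and the constructed sample is, as expected, not among them; only a line whose hash and size both match the file counts.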


On Jul 9, 2022, at 3:21 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:

That correlates exactly to where it started happening 👍

It's a pretty cool case converter called AnyCase
https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1

"... but perhaps the above will allow you to track down what component of the program is being detected."

I thought about doing that, but I don't know where to start. It would be great to understand what is happening, and why.

Where should I start?



On Sat, Jul 9, 2022 at 12:59 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi,

Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.

And the signature is:

% sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
VIRUS NAME: Win.Dropper.Tinba-9943147-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
!Win32 .EXE.
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.MPRESS1
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.MPRESS2
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
G(XPTPjxW
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
.)D$H+

You didn't mention the name of your program or where it can be found, so I'm unable to check further, but perhaps the above will allow you to track down what component of the program is being detected.

I suspect someone from the ClamAV Signature Team will spot this shortly, but it is the start of a weekend, so may take a couple of days.

-Al-
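To narrow down which component of a program trips a logical signature like the one decoded above, a practitioner can search the file for each subsignature and apply the logical expression by hand. The following Python is an added example, not code from the thread or from ClamAV: it compiles the five decoded subsignatures into byte patterns, reports the offset of every hit, and evaluates the 0&1&2&3&4 expression (it also handles the flat `|` form, which goes slightly beyond this signature). It assumes that the '.' characters in sigtool's decoded output stand for non-printable bytes and therefore treats each '.' as a one-byte wildcard; the packed-PE-like blobs it scans are constructed.

```python
import re

# The five decoded subsignatures exactly as sigtool --decode-sigs printed
# them in the thread, keyed by SUBSIG ID, plus the expression joining them.
SUBSIGS = {
    0: "!Win32 .EXE.",
    1: ".MPRESS1",
    2: ".MPRESS2",
    3: "G(XPTPjxW",
    4: ".)D$H+",
}
LOGICAL_EXPRESSION = "0&1&2&3&4"


def subsig_pattern(decoded: str):
    """Turn a decoded subsignature into a compiled bytes regex.

    ASSUMPTION: sigtool shows non-printable bytes as '.', so every '.' is
    treated as a one-byte wildcard (a literal '.' still matches it).
    Every other character is matched literally, regex metacharacters included.
    """
    parts = [b"." if ch == "." else re.escape(ch.encode("latin-1")) for ch in decoded]
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {sid: subsig_pattern(text) for sid, text in SUBSIGS.items()}


def find_subsigs(data: bytes):
    """Return {subsig id: [offsets]} for every subsignature found in data."""
    return {sid: [m.start() for m in pat.finditer(data)] for sid, pat in PATTERNS.items()}


def evaluate(expression: str, hits) -> bool:
    """Evaluate subsig ids joined by & (all must hit) and | (any term suffices).

    Only this flat AND/OR form is handled; ClamAV's full syntax (parentheses,
    match counts) is deliberately left out of this illustration.
    """
    return any(
        all(hits.get(int(sid)) for sid in term.split("&"))
        for term in expression.split("|")
    )


def scan(data: bytes):
    """Report whether the logical signature fires and which subsigs hit where."""
    hits = find_subsigs(data)
    return evaluate(LOGICAL_EXPRESSION, hits), hits


# Constructed stand-in for a packed PE: every subsignature is present, with
# non-printable bytes placed where sigtool printed '.'.
SAMPLE_HIT = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"!Win32 \x00EXE\x00"            # subsig 0 at offset 64
    + b"\x00" * 16
    + b".MPRESS1\x00\x00\x00"          # subsig 1 at offset 92 (MPRESS packer section name)
    + b".MPRESS2\x00\x00\x00"          # subsig 2 at offset 103
    + b"\x00" * 32
    + b"G(XPTPjxW"                     # subsig 3 at offset 146
    + b"\x00" * 8
    + b"\x8b)D$H+"                     # subsig 4 at offset 163
    + b"\x00" * 8
)
# Same blob with subsig 3 blanked out: one missing term breaks the AND chain.
SAMPLE_MISS = SAMPLE_HIT.replace(b"G(XPTPjxW", b"\x00" * 9)

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        matched, hits = scan(blob)
        print(label, "FOUND" if matched else "clean")
        for sid, offsets in hits.items():
            print(f"  subsig {sid} ({SUBSIGS[sid]!r}): {offsets}")
```

Run against a real installer, the per-subsignature offsets show which part of the file (for instance the .MPRESS1/.MPRESS2 section names that a packer writes) supplies each term, which is the information needed to decide whether the detection is a packer artefact worth reporting as a false positive.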

On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi everyone,

My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at VirusTotal.

File hash
2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat