List:       clamav-users
Subject:    Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605
From:       "Jason J. W. Williams" <jasonjwwilliams () gmail ! com>
Date:       2016-03-17 21:18:07
Message-ID: CAHZAEpdrwnQuAf+T2XNUMWeSveqAZuRXjhPCaQ67SA0hMyC5aQ () mail ! gmail ! com

That's unfortunate. Given the magnitude of the change I would've expected
them to be very attentive to the list, post deployment.

-J

On Thu, Mar 17, 2016 at 1:23 PM, Al Varnell <alvarnell@mac.com> wrote:

> No. I'm sure they are trying to recover from this week's activities and
> rarely have time to follow this list anyway. It would likely be Alain
> Zidouemba, the sig team lead.
> 
> To get feedback on FP's you would need to subscribe to the clamav-virusdb
> list and it often takes weeks under normal circumstances.
> 
> The main contributor here is Joel Esler, Manager, Talos Group.
> 
> Sent from Janet's iPad
> 
> -Al-
> 
> On Mar 17, 2016, at 1:09 PM, "Jason J. W. Williams" <jasonjwwilliams@gmail.com> wrote:
> > Does anyone that's chimed in work on the signatures team?
> > 
> > -J
> > 
> > On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell <alvarnell@mac.com> wrote:
> > 
> > > There have not been any additional updates released yet, so nothing could
> > > have changed.
> > > 
> > > -Al-
> > > 
> > > On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> > > > 
> > > > Is anyone still seeing this or have they fixed it?
> > > > 
> > > > -J
> > > > 
> > > > Sent via iPhone
> > > > 
> > > > > On Mar 17, 2016, at 02:44, Mark Allan <markjallan@gmail.com> wrote:
> > > > > 
> > > > > Just to confirm, I'm also seeing everything being flagged as
> > > > > Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> > > > > 
> > > > > Mark
> > > > > 
> > > > > > On 17 Mar 2016, at 6:49 am, Al Varnell <alvarnell@mac.com> wrote:
> > > > > > 
> > > > > > I just ran a scan against the ClamAV test files contained in the
> > > > > > 0.99.1 source file and I'm getting all Win.Trojan.Trojan-476:
> > > > > > 
> > > > > > File Name    Infection Name    Status
> > > > > > 
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa    Win.Trojan.Trojan-476
> > > > > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa    Win.Trojan.Trojan-476
> > > > > > 
> > > > > > -Al-
> > > > > > 
> > > > > > > On Wed, Mar 16, 2016 at 10:46 PM, Jason Williams wrote:
> > > > > > > 
> > > > > > > Hey Al,
> > > > > > > 
> > > > > > > I submitted a FP report with one attached. Just put the EICAR string
> > > > > > > into a txt file and that'll trigger it.
> > > > > > > 
> > > > > > > -J
> > > > > > > 
> > > > > > > Sent via iPhone
> > > > > > > 
> > > > > > > > On Mar 16, 2016, at 22:16, Al Varnell <alvarnell@mac.com> wrote:
> > > > > > > > 
> > > > > > > > I don't know why sanesecurity-porcupine.ndb is causing this, but I
> > > > > > > > can now see that the signatures for Win.Test.EICAR_LDB-1 and
> > > > > > > > Win.Trojan.Trojan-605 are identical, so this is an FP situation which
> > > > > > > > would be reported.
> > > > > > > > <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> > > > > > > > 
> > > > > > > > However, I'm not sure where to find a copy of a Win.Test.EICAR_LDB-1
> > > > > > > > file to submit.
> > > > > > > > 
> > > > > > > > -Al-
> > > > > > > > 
> > > > > > > > 
> > > > > > > > > On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
> > > > > > > > > 
> > > > > > > > > Culprit seems to be sanesecurity-porcupine.ndb
> > > > > > > > > (http://sanesecurity.com/usage/signatures/). Moving it out causes
> > > > > > > > > Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the
> > > > > > > > > Win.Trojan.Trojan-605 FP.
> > > > > > > > > Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why
> > > > > > > > > that is.
> > > > > > > > > 
> > > > > > > > > -J
> > > > > > > > > 
> > > > > > > > > > On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarnell@mac.com> wrote:
> > > > > > > > > > 
> > > > > > > > > > Disregard, I found it here after they got the new main.cvd:
> > > > > > > > > > <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> > > > > > > > > > 
> > > > > > > > > > I'll see what I get once my main.cvd finishes.
> > > > > > > > > > 
> > > > > > > > > > -Al-
> > > > > > > > > > 
> > > > > > > > > > > On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
> > > > > > > > > > > 
> > > > > > > > > > > I'm still looking, but so far I can't find any Win.Trojan.Trojan
> > > > > > > > > > > signatures in the ClamAV Official database or listed in the
> > > > > > > > > > > clamav-virusdb e-mail list.
> > > > > > > > > > > 
> > > > > > > > > > > Nor can I confirm your results using my own EICAR.
> > > > > > > > > > > 
> > > > > > > > > > > Are you using any Unofficial signatures from a different source?
> > > > > > > > > > > 
> > > > > > > > > > > -Al-
> > > > > > > > > > > 
> > > > > > > > > > > > On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> > > > > > > > > > > > 
> > > > > > > > > > > > Pulled down 21466 (and force restarted clamd) but it's still
> > > > > > > > > > > > classifying EICAR as Win.Trojan.Trojan:
> > > > > > > > > > > > 
> > > > > > > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > > > > > > > 
> > > > > > > > > > > > Databases are up to date now:
> > > > > > > > > > > > main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> > > > > > > > > > > > Empty script daily-21465.cdiff, need to download entire database
> > > > > > > > > > > > Downloading daily.cvd [100%]
> > > > > > > > > > > > daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
> > > > > > > > > > > > Empty script bytecode-275.cdiff, need to download entire database
> > > > > > > > > > > > Downloading bytecode.cvd [100%]
> > > > > > > > > > > > bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
> > > > > > > > > > > > Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
> > > > > > > > > > > > 
> > > > > > > > > > > > 
> > > > > > > > > > > > 
> > > > > > > > > > > > > On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarnell@mac.com> wrote:
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Those are normal messages for an update of this kind. The
> > > > > > > > > > > > > 21465.cdiff was purposely blank in order to force you to download the
> > > > > > > > > > > > > entire daily.cvd. Give it plenty of time as the main.cvd is 109MB.
> > > > > > > > > > > > > 
> > > > > > > > > > > > > Technical details:
> > > > > > > > > > > > > <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
> > > > > > > > > > > > > 
> > > > > > > > > > > > > -Al-
> > > > > > > > > > > > > 
> > > > > > > > > > > > > > On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > Thanks. Hopefully it'll sync up soon. I'm getting weird download
> > > > > > > > > > > > > > errors out of freshclam:
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
> > > > > > > > > > > > > > WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> > > > > > > > > > > > > > nonblock_recv: recv timing out (30 secs)
> > > > > > > > > > > > > > WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
> > > > > > > > > > > > > > WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> > > > > > > > > > > > > > Empty script daily-21465.cdiff, need to download entire database
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarnell@mac.com> wrote:
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > The new database was just made available, so I recommend you hold off
> > > > > > > > > > > > > > > until you have the new main.cvd v57 and daily.cvd v21466 before getting
> > > > > > > > > > > > > > > too excited about this.
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > -Al-
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > As of the latest daily update, running ClamAV against the EICAR test
> > > > > > > > > > > > > > > > string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> > > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > > -J
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > > > > > > 
> > > > > > > > > > http://www.clamav.net/contact.html#ml
> > > > > > > > 
> > > > > > > > -Al-
> > > > > > > > --
> > > > > > > > Al Varnell
> > > > > > > > Mountain View, CA
> > > > > > 
> > > > > > -Al-
> > > > > > --
> > > > > > Al Varnell
> > > > > > Mountain View, CA
> > > > > 
> > > 
> > > -Al-
> > > --
> > > Al Varnell
> > > Mountain View, CA
> > > 
> 
> 
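One way to check a signature set for the kind of collision Al describes above (the same byte pattern carried under two different signature names, here an official .ldb entry and a third-party .ndb entry), as an added example that is neither from this thread nor from the ClamAV or Sanesecurity projects: a Python checker that parses .ndb and .ldb lines by their documented field layout and groups them by pattern. The file names and lines in SAMPLE_DBS are constructed for the example and do not reproduce the real signature bodies.

```python
"""Find ClamAV text signatures whose byte patterns match under different names.

Constructed example: the sample lines below are made up for this illustration
and do not reproduce the real Win.Test.EICAR_* or Win.Trojan.Trojan-605 bodies.
"""
from collections import defaultdict

# The EICAR test string, hex-encoded, is the pattern the sample entries share.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_HEX = EICAR.encode("ascii").hex()

# Constructed sample databases: filename -> file text.
SAMPLE_DBS = {
    "daily.ldb": f"Win.Test.EICAR_LDB-1;Target:0;0;{EICAR_HEX}\n",
    "daily.ndb": f"Win.Test.EICAR_NDB-1:0:*:{EICAR_HEX}\n",
    "sanesecurity-porcupine.ndb": (
        f"Win.Trojan.Trojan-605:0:*:{EICAR_HEX}\n"
        "Example.Unrelated-1:1:*:4d5a90000300\n"  # distinct pattern, no collision
    ),
}


def parse_line(filename, line):
    """Return (name, patterns) for one signature line, or None.
    .ndb: Name:TargetType:Offset:HexPattern[:MinFL[:MaxFL]]
    .ldb: Name;TargetBlock;LogicalExpr;Subsig0;Subsig1;...
    patterns is a sorted tuple of lower-cased hex sub-signatures with any
    offset prefix (e.g. "EP+0:") stripped, so an .ndb and an .ldb entry
    carrying the same bytes compare equal.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if filename.endswith(".ndb"):
        parts = line.split(":")
        return (parts[0], (parts[3].lower(),)) if len(parts) >= 4 else None
    if filename.endswith(".ldb"):
        parts = line.split(";")
        if len(parts) < 4:
            return None
        return parts[0], tuple(sorted(s.split(":")[-1].lower() for s in parts[3:]))
    return None


def find_collisions(dbs):
    """Return {patterns: sorted [(name, file), ...]} for every pattern tuple
    that is claimed by more than one distinct signature name across dbs."""
    by_body = defaultdict(list)
    for fname, text in dbs.items():
        for raw in text.splitlines():
            parsed = parse_line(fname, raw)
            if parsed:
                by_body[parsed[1]].append((parsed[0], fname))
    return {body: sorted(hits) for body, hits in by_body.items()
            if len({name for name, _ in hits}) > 1}
```

Run against real databases by reading each .ndb/.ldb file's text into the dictionary; any pattern that maps to names from more than one file is a candidate for the first-match naming mix-up seen in this thread.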

