Mark,

Thanks, we are also observing these same FPs in our testing. They are on the roadmap for 0.99.3.
Steve

On Tue, Aug 15, 2017 at 6:34 AM, Mark Allan <markjal...@gmail.com> wrote:
> I have two files which are being wrongly reported as infected by 0.99.3
> beta 1. ClamAV 0.99.2 doesn't detect any issues with the files.
>
> The first is a single email file (extension .emlx) with md5 checksum of
> 245ec37768c235da265014add38bdf4d and a file size of 2777 bytes. It's
> being detected as Win.Trojan.Agent-6319774-0 which has the following
> signature in daily.cvd
>
> [daily.hsb] 6f8f57715090da2632453988d9a1501b:1:Win.Trojan.Agent-6319774-0:73
>
> Three things strike me as odd about this:
> 1) The length of that hash surely matches md5 rather than sha1/sha256 and
> therefore ought to be in an hdb file rather than hsb?
> 2) It specifies a length of 1 byte, but also has :73 at the end which
> means "file size unknown".
> 3) The hash doesn't even match the hash of the email file in question.
> FWIW 163 other different email files are also triggering the same infection
> on 0.99.3 but not 0.99.2.
>
> Wouldn't either of the first two be enough for the sig to be marked as
> corrupt?
>
> Lastly, why are ClamAV 0.99.2 and 0.99.3 treating that signature
> differently?
>
> The other file is a PDF being wrongly detected as
> Win.Trojan.Agent-5520346-0. It appears to have the same issue with the
> signature definition inside daily.hsb, and also the file hash
> (c6721e7c77846b5a1d0efe3a708d8dc7) doesn't match the signature hash but is
> still being detected by 0.99.3. That hash can be found on VirusTotal with
> zero other detections.
>
> [daily.hsb] 8fa14cdd754f91cc6554c9e71929cce7:1:Win.Trojan.Agent-5520346-0:73
>
> While I could just add those two signatures to a local exclude file, I
> suspect there may be a bigger issue at play with 0.99.3.
>
> Hope this is helpful.
>
> Mark

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml
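Added here as an illustration, not code from the thread or from ClamAV itself: a small Python linter for the two daily.hsb lines quoted above. It assumes the documented Hash:FileSize:MalwareName[:FLevel] layout, that .hdb carries md5 digests and .hsb sha1/sha256 digests, and that `*` is the unknown-size wildcard; the 2777-byte stand-in it is fed is constructed, not the real .emlx.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}      # hex length -> algorithm
ALLOWED = {"hdb": {"md5"}, "hsb": {"sha1", "sha256"}}     # digests each database carries
# The two daily.hsb lines quoted in the thread above.
THREAD_SIGS = [
    "6f8f57715090da2632453988d9a1501b:1:Win.Trojan.Agent-6319774-0:73",
    "8fa14cdd754f91cc6554c9e71929cce7:1:Win.Trojan.Agent-5520346-0:73",
]

@dataclass
class HashSig:
    digest: str
    size: str              # decimal byte count, or "*" for unknown size
    name: str
    flevel: Optional[int]  # minimum functionality level, when present

def parse_sig(line: str) -> HashSig:
    """Parse one Hash:FileSize:MalwareName[:FLevel] line."""
    fields = line.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError("expected 3 or 4 colon-separated fields: %r" % line)
    flevel = int(fields[3]) if len(fields) == 4 else None
    return HashSig(fields[0].lower(), fields[1], fields[2], flevel)

def lint_sig(sig: HashSig, db_ext: str) -> List[str]:
    """Problems that would justify treating the line as malformed."""
    problems = []
    algo = HASH_BY_LEN.get(len(sig.digest))
    if algo is None or not all(c in "0123456789abcdef" for c in sig.digest):
        problems.append("hash is not a hex md5/sha1/sha256 digest")
    elif algo not in ALLOWED[db_ext]:
        problems.append("%s hash in a .%s file (expects %s)"
                        % (algo, db_ext, "/".join(sorted(ALLOWED[db_ext]))))
    if sig.size != "*" and not (sig.size.isdigit() and int(sig.size) > 0):
        problems.append("size field %r is neither a positive integer nor '*'" % sig.size)
    elif sig.size == "*" and (sig.flevel is None or sig.flevel < 73):
        problems.append("'*' size needs a minimum flevel of 73")  # per the signature manual
    return problems

def sig_matches(sig: HashSig, data: bytes) -> Tuple[bool, str]:
    """Would a correct hash matcher fire on `data`? Returns (verdict, reason)."""
    if sig.size != "*" and int(sig.size) != len(data):
        return False, "size %d != signature size %s" % (len(data), sig.size)
    actual = hashlib.new(HASH_BY_LEN[len(sig.digest)], data).hexdigest()
    if actual != sig.digest:
        return False, "computed %s != signature hash" % actual
    return True, "hash and size match"
```

Running `lint_sig(parse_sig(line), "hsb")` over `THREAD_SIGS` reports the md5-in-hsb mismatch Mark points out, and `sig_matches` shows that a size-1 signature cannot legitimately fire on a 2777-byte file.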