These signatures were generated out of attachments to know bad spam files. We'll have a look.
Sent from my iPhone > On Sep 27, 2016, at 8:54 PM, David Shrimpton <d.shrimp...@its.uq.edu.au> > wrote: > >> On Wed, 28 Sep 2016, Joel Esler (jesler) wrote: >> >> All - >> >> This signature was my fault. It has been dropped. Should drop with the >> next publish and run of freshclam. >> > > Win.Trojan.Agent-1696554 is now dropped. > > But, the pdf is now detected as Win.Trojan.Agent-1696579. > > Win.Trojan.Agent-1696554 was published in Version: 22229 Sep 21 and is: > > 4b5acd7f457d05cd4268d56e67dcffb9:4416:Win.Trojan.Agent-1696579 > > 4b5acd7f457d05cd4268d56e67dcffb9 is md5sum of 4416 null bytes . > > Clamav --debug --leave-temps extracts a file pdf78 from the pdf with > 4416 null bytes only and this causes the hit on Win.Trojan.Agent-1696554. > > Might be something wrong with many more sigs from Version: 22229 ? > > Might be worth doing all the null byte files from 1 to X in size > and running clamscan against them. > > > David Shrimpton > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
