On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote:
> Clamscan found a PE "visor.exe.svn-base" that matched
> Win.Trojan.Agent-793284 FOUND.
>
> Is there a way, or an online tutorial, or some other information to
> decompose the signature and the file easily to determine if it's a false
> positive or not? I realize this is a complete science in and of itself,
> but I am looking for a way for our tier 0 folks to quickly discern if
> they need to wake up the whole enterprise at 3am in the future.
Submit the file to a sandbox, e.g.:

https://www.hybrid-analysis.com/
https://malwr.com/

sigtool --find-sigs=Win.Trojan.Agent-793284

[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284

In the above case you can see it's an old hash in the main.mdb database.

sigtool --find-sigs=Win.Trojan.Agent-793284 --decode-sigs

(will let you see the sigs as long as it's not a hash)

Also... found the hash here...

https://totalhash.cymru.com/analysis/?8d87580f90b6a6e66803bac07744c1439fb18c02

--
Cheers,
Steve
Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
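To make the `[main.mdb]` hit above concrete for a tier-0 triage step, here is an added example (not from the list thread and not ClamAV's own code) that parses a `.mdb` record in its `PESectionSize:PESectionHash:MalwareName` form and re-computes the hash of every PE section in a file to show which section produced the match. It assumes an MD5-based record (32 hex digits, as in the hit above) computed over the section's raw bytes, and the toy PE it builds is constructed for the demo rather than a real binary.

```python
import hashlib
import struct

def parse_mdb_line(line):
    """Split a ClamAV .mdb record (PESectionSize:PESectionHash:MalwareName)."""
    size, digest, name = line.strip().split(":", 2)
    return int(size), digest.lower(), name

def mdb_record(section, name):
    """Build the MD5 .mdb record a signature author would publish for one section."""
    return f"{len(section)}:{hashlib.md5(section).hexdigest()}:{name}"

def pe_sections(data):
    """Minimal PE section-table walk: yields (name, raw_offset, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    off = coff + 20 + opt_size  # section headers follow the optional header
    for _ in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size
        off += 40  # each IMAGE_SECTION_HEADER is 40 bytes

def match_mdb(data, sig_line):
    """Return (section name, malware name) for the first section whose raw size
    and MD5 match the record, else None (assumption: MD5 over raw section bytes)."""
    size, digest, malware = parse_mdb_line(sig_line)
    for sec, raw_ptr, raw_size in pe_sections(data):
        if raw_size == size and hashlib.md5(data[raw_ptr:raw_ptr + raw_size]).hexdigest() == digest:
            return sec, malware
    return None

def build_sample_pe(section):
    """Constructed toy PE for the demo (not a real binary): MZ stub, COFF header
    with no optional header, and a single .text section holding `section`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec_off = e_lfanew + 4 + 20 + 40
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                          len(section), sec_off, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec_hdr + section
```

Running `match_mdb` over the flagged file with the record printed by `sigtool --find-sigs` tells you which section carried the known-bad hash, which is a quicker first check than decompiling the binary.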