Michel,

Thanks for reporting this to us. This signature hit is indeed a false positive, and the signature should be dropped shortly.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Mon, Jul 6, 2020 at 1:19 PM Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net> wrote:

> * Michel GALLE <michel.ga...@6wind.com>:
> > Hi Everyone,
> >
> > It's my first post here.
> >
> > I am trying to get information about "Xls.Malware.Madeba-8019734-0".
> >
> > ClamAV informed me that a previously clean (or supposed to be clean) xls file
> > is in fact infected by Xls.Malware.Madeba-8019734-0.
> >
> > The file was not modified or edited.
> >
> > I found that the Malware.Madeba-8019734-0 definition was added to ClamAV on
> > 13 June 2020 or so, in version 25842 of the ClamAV signatures.
> >
> > My question is: where can I find more information about
> > Malware.Madeba-8019734-0? Is there a better website/service referencing all
> > known malware?
>
> # sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
> VIRUS NAME: Xls.Malware.Madeba-8019734-0
> TDB: Engine:51-255,Target:2
> LOGICAL EXPRESSION: 0&1&2&3&4&5
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> -- Limits in place 2004-09-23 ...
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Dim RABJI1 As String
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Dim words(100) As String
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> FLITIES = words(DOZAL
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> If PAST4 > 0 Then
> * SUBSIG ID 5
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> words(85
>
> So, as you can see, the signature consists of 6 subsignatures numbered
> 0-5, all of which must match. It sort-of looks highly specific to me.
>
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
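To make Ralf's point concrete (six subsignatures joined by `0&1&2&3&4&5`, so every one of them has to be present before the signature fires), here is an added example that is not part of the thread and not ClamAV's own code. It parses the `sigtool --decode-sigs` text quoted above, checks which subsignatures occur in a text blob, and evaluates the logical expression. Two simplifications are assumed: each decoded subsignature is treated as a literal substring (real ClamAV subsignatures are hex patterns that may carry wildcards and are matched against the extracted VBA stream), and the evaluator supports only `&`, `|` and parentheses, applied left to right, not the count comparisons the real ClamAV grammar also allows. The two VBA-like blobs are constructed for the demonstration.

```python
"""Parse a decoded ClamAV logical signature and evaluate it against text."""
import re

# Decoded output as quoted in the thread (sigtool --find-sigs | sigtool --decode-sigs).
DECODED_SIG = """VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Dim words(100) As String
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
words(85
"""


def parse_decoded(text):
    """Return (name, logical expression, {subsig id: decoded pattern})."""
    name = expr = None
    subsigs = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("VIRUS NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("LOGICAL EXPRESSION:"):
            expr = line.split(":", 1)[1].strip()
        elif line.startswith("* SUBSIG ID"):
            current = int(line.split()[-1])
        elif line.startswith("+-> DECODED SUBSIGNATURE:"):
            i += 1                          # the pattern is on the next line, kept verbatim
            subsigs[current] = lines[i].strip()
        i += 1
    return name, expr, subsigs


def eval_expr(expr, matched):
    """Evaluate e.g. '0&1&2&3&4&5' or '(0&1)|(2&3)'; a number is true when that
    subsignature matched. Assumption: only &, | and parentheses, left to right."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def operand():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = group()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            pos += 1
            return value
        return int(tok) in matched

    def group():
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] in "&|":
            op = tokens[pos]
            pos += 1
            rhs = operand()
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    result = group()
    if pos != len(tokens):
        raise ValueError("trailing tokens in " + expr)
    return result


def scan(blob, decoded=DECODED_SIG):
    """Report which subsignatures occur in blob and whether the signature fires."""
    name, expr, subsigs = parse_decoded(decoded)
    matched = {sid for sid, pattern in subsigs.items() if pattern in blob}
    return {"name": name, "matched": sorted(matched), "hit": eval_expr(expr, matched)}


# Constructed macro text containing every decoded string: a benign workbook whose
# VBA happens to look like this would trigger the signature (a false positive).
ALL_SIX = "\n".join([
    "-- Limits in place 2004-09-23 ...",
    "Dim RABJI1 As String",
    "Dim words(100) As String",
    "FLITIES = words(DOZAL)",
    "If PAST4 > 0 Then",
    "  x = words(85)",
])
# Same text without the last line: subsig 5 is missing, so 0&1&2&3&4&5 is false.
FIVE_ONLY = ALL_SIX.rsplit("\n", 1)[0]

if __name__ == "__main__":
    for label, blob in (("all six strings", ALL_SIX), ("five of six", FIVE_ONLY)):
        print(label, scan(blob))
```

Running the module prints a hit for the first blob and no hit for the second, which is the "all of which must match" behaviour: a single absent subsignature is enough to suppress the detection, and conversely a benign file that contains all six strings is exactly how a false positive like Michel's arises.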