Ged: The submitted sample for
SHA256:fc1e483dbb60d49205e3d238b3d090e6cc7a49b775bf4e519aba7117ab3a5b43 did
not pass our guardrail checks for eligible conviction and signature
creation. I couldn't find a past run on Jotti matching this hash either.

When submitting this file to the same service, I receive no alerts from any
of the endpoint solutions:
https://virusscan.jotti.org/en-US/filescanjob/wh66zum612

We did notice the filename provided was
da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3. Could
this be the hash for the sample in question? We will need this particular
file to be submitted, as we currently do not have a record of
SHA256:da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3
being submitted in the past. I also couldn't find the sample myself.

vze1amckv: We have a record of SHA1:d2058d5fdd9c4551f7c888d6673a6dbc780b095d,
but the submission form on clamav.net is not in the submission list. We
will investigate this missing entry. In the interim, I'll create a
signature for the sample.
It's also important to keep in mind the complexities involved in handling
bulk malware submissions from the community. Guardrails must be present to
help prevent FPs on erroneous or intentional clean file submissions. Our
team is also exploring new methods and resources to improve the processing
of submissions, and we do appreciate the feedback provided by the ClamAV
community to assist in these efforts.
On Thu, Aug 5, 2021 at 9:44 AM vze1amckv--- via clamav-users <
clamav-users@lists.clamav.net> wrote:

> In June I manually submitted a suspicious JavaScript file and got "Our
> initial assessment has verified the sample as a threat & we will be
> publishing signatures for ClamAV."  But even a month after I submitted,
> Jotti still reported that ClamAV didn't detect the file.
>
> So I tried re-submitting it again via the web form but subsequent
> submissions of the same file got no response. As of today, Jotti still
> says that ClamAV doesn't detect it.
>
> The SHA1 hash of the suspicious file in question is
> d2058d5fdd9c4551f7c888d6673a6dbc780b095d.  Thank you.
>
> On 8/5/21 3:12 AM, G.W. Haywood via clamav-users wrote:
> > Hi there,
> >
> > We have just received this response to one of our automated submissions:
> >
> > 8<----------------------------------------------------------------------
> > On Thu, 5 Aug 2021, nore...@clamav.com wrote:
> >
> >> G.W. Haywood,
> >>
> >> Thank you again for your submission.
> >>
> >> Your File:
> >> da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3
> >> (SHA256:
> >> fc1e483dbb60d49205e3d238b3d090e6cc7a49b775bf4e519aba7117ab3a5b43)
> >>
> >> Our initial assessment shows that this file is possibly clean. If
> >> you provided a description that suggests otherwise, we will further
> >> examine the sample & proceed from there.
> >>
> >> -The ClamAV team
> > 8<----------------------------------------------------------------------
> >
> > Here's the result of our check against fifteen scanners, available via
> > Jotti's extremely useful service, and which is run before each of the
> > submissions made by our system:
> >
> > 8<----------------------------------------------------------------------
> > clamav.net           Found nothing
> > f-prot.com           Found nothing
> > k7computing.com      Found nothing
> > trendmicro.com       Found nothing
> > fortinet.com         MSIL/Kryptik.DZG!tr
> > eset.com             MSIL/Spy.Agent.AES
> > sophos.com           Mal/RarMal-C
> > anti-virus.by        Malware-Cryptor.MSIL.AgentTesla.Heur
> > bitdefender.com      Trojan.GenericKD.46737949
> > escanav.com          Trojan.GenericKD.46737949
> > gdatasoftware.com    Trojan.GenericKD.46737949
> > ikarus.at            Trojan.Inject
> > drweb.com            Trojan.PackedNET.964
> > f-secure.com         Trojan:W32/MaliciousAttachment.F
> > avast.com            Win32:PWSX-gen
> > 8<----------------------------------------------------------------------
> >
> > This is one of the clearer threat reports, and I'm surprised by the
> > initial assessment from the ClamAV team.  The report was sent using
> > the 'clamsubmit' utility, which does not offer an option to provide
> > a description of the malware.
> >
> > What should I do now?
> >
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
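The mix-up in this thread (a file whose name is itself a SHA256 digest, da741..., while the content actually hashes to fc1e...) can be caught before a sample is submitted. The script below is an added example, not code from this thread or from the ClamAV project: it compares any digest embedded in a sample's filename against the real content hashes and reports a match, a mismatch, or no hash in the name. The sample bytes are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Hex digest lengths for the algorithms that appear in submission
# receipts and Jotti lookups (md5 / sha1 / sha256).
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def digests(data: bytes) -> dict:
    """Return the md5, sha1 and sha256 hex digests of the sample's content."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in DIGEST_ALGOS.values()}


def hash_from_filename(filename: str):
    """If the filename (without extension) looks like a hex digest,
    return (algorithm, digest); otherwise return None."""
    stem = Path(filename).name.split(".")[0]
    algo = DIGEST_ALGOS.get(len(stem))
    if algo and HEX_RE.fullmatch(stem):
        return algo, stem.lower()
    return None


def check_submission(filename: str, data: bytes) -> dict:
    """Compare the digest embedded in the filename with the content's digest.
    status is one of: 'no-hash-in-name', 'match', 'mismatch'."""
    actual = digests(data)
    result = {"filename": filename, "sha256": actual["sha256"],
              "sha1": actual["sha1"]}
    named = hash_from_filename(filename)
    if named is None:
        result["status"] = "no-hash-in-name"
        return result
    algo, claimed = named
    result.update(algo=algo, claimed=claimed)
    result["status"] = "match" if actual[algo] == claimed else "mismatch"
    return result


if __name__ == "__main__":
    # Constructed sample bytes; this is not the file discussed in the thread.
    sample = b"constructed sample content for the hash check\n"
    good_name = digests(sample)["sha256"]       # name agrees with content
    stale_name = "0" * 64 + ".js"               # hash-like name, wrong content
    for name in (good_name, stale_name, "suspicious.js"):
        r = check_submission(name, sample)
        print(f"{name[:20]:<24} {r['status']:<16} sha256={r['sha256'][:16]}...")
```

Run it on the actual submission directory before calling clamsubmit; a "mismatch" means the name will not lead anyone to the sample by hash lookup.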