Thanks a lot for your explanation

On Mon, Feb 21, 2022 at 11:27 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 21 Feb 2022, Eliya Voldman via clamav-users wrote:
>
> > ... found this line in the log:
> >
> > C:\Windows\SysWOW64\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND
>
> You should take positive action to investigate anything which gives a
> result like this. It may mean that the computer has been compromised,
> or it could be a false positive. I did a quick search and I didn't
> find very much but I don't have all day to spend on it. Be aware that
> different suppliers of threat information may call the *same* threats
> by different names.
>
> As this seems to be a fairly old signature, if it really is a false
> positive, I'd almost have expected that it would have been mentioned
> on this list by now. AFAICT it hasn't.
>
> Here's the decoded signature:
> 8<----------------------------------------------------------------------
> $ time sigtool --datadir=/EXPORTS/clamav/databases --find-sigs 'Win.Trojan.Pemalform-9786579-0' | sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Pemalform-9786579-0
> TDB: Engine:81-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> !"&)(<>=|%5C%5C.%5CMutex%5C
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> LastRunPercentFragmentation
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> \Registry\Machine\Software\Microsoft\SQMClient
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> ARSDS{Z,
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> )^72>x
>
> real 2m16.854s
> user 0m7.074s
> sys 0m6.778s
> 8<----------------------------------------------------------------------
>
> To me, because of all those 'ANY' offsets, it looks possible that this
> *could* generate false positives - but I certainly wouldn't claim to be
> an expert on the assessment of signature performance and I haven't even
> looked at the content of the genuine file nor any malicious versions.
>
> There's a lot of advice Out There. You could for example calculate
> the MD5 digest of the file content and search for that (this is one of
> the more efficient ways of looking for indicators) or you could submit
> the file to the ClamAV team, and to any of a number of Websites which
> collect malware, for analysis. You might want to install yet another
> scanning tool on the computer to see if it agrees with ClamAV, but if
> the threat is real, and the malicious actor is competent, the results
> are likely to be unreliable. It might be better to take the file from
> the affected computer and scan it elsewhere. There might be readers
> on this mailing list who can provide the MD5 of the same file for you
> to compare it with that for your file.
>
> The main things to consider are that
>
> (1) all this might be a storm in a teacup if it's a false positive
>
> (2) this computer, apparently on a connection which does not permit
> traffic from the Internet, might possibly be compromised
>
> (3) if this computer is on the same firewalled network as other
> computers, it might present a threat to those other computers - I'd
> advise disconnecting it until you're sure one way or another
>
> (4) if the computer is in fact compromised, my advice would be to wipe
> it thoroughly, reinstall all software and data from known good sources
> and then monitor it carefully in controlled conditions until it can be
> confidently called 'clean' (given the prevalence of Windows malware,
> that's quite a tall order for a Windows box at the best of times)
>
> (5) if it's a real compromise you'll want to know how it got there,
> and take steps to prevent it from happening again
>
> (6) there are many Websites out there which will lie to you about
> things like this, for example they will tell you that absolutely
> anything you submit to them is a danger and that you need to pay them
> money in order to fix the problem, or perhaps you should download the
> version of the file that they provide; be careful what you believe.
>
> > Does it mean that I could/should rely on 'FOUND' or it should be
> > something 'more specific'?
>
> A ClamAV scan normally gives the word 'FOUND' in the output which it
> produces when something it scans matches a signature or a heuristic.
> Whether that's enough for you to decide on what's been found depends on you
> and to some extent on what you're looking at. For example if you have
> files which contain the word 'FOUND' in their names, or in the names
> of the directories which contain them, then yes, you might need to be
> more specific. But we can't really tell you because we don't know
> exactly what you're looking at. ClamAV is primarily a toolkit, and
> how you use it is primarily up to you.
>
> --
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

--
Eliya Voldman
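The decoded signature quoted above is a logical signature: five subsignatures, each at offset ANY, joined by the expression 0&1&2&3&4, so a file is reported only when all five strings occur somewhere in it. The Python below is an added illustration, not ClamAV code and not from anyone in this thread: it models that matching rule (WIDE subsigs searched as their UTF-16LE encoding, NONE as raw bytes) over constructed buffers, and also evaluates expressions with | and parentheses to show that the combination, rather than any single string, decides the verdict.

```python
import re

# Subsignatures exactly as sigtool --decode-sigs printed them above. WIDE
# means the engine searches the UTF-16LE encoding; NONE means raw bytes.
SUBSIGS = [
    ('!"&)(<>=|%5C%5C.%5CMutex%5C', "WIDE"),
    ("LastRunPercentFragmentation", "WIDE"),
    (r"\Registry\Machine\Software\Microsoft\SQMClient", "WIDE"),
    ("ARSDS{Z,", "NONE"),
    (")^72>x", "NONE"),
]
LOGICAL_EXPRESSION = "0&1&2&3&4"

def subsig_bytes(pattern, sigmod):
    """Bytes the engine looks for: UTF-16LE for WIDE, raw bytes for NONE."""
    return pattern.encode("utf-16-le" if sigmod == "WIDE" else "latin-1")

def subsig_hits(data, subsigs=SUBSIGS):
    """Offset ANY: subsig i hits if its bytes occur anywhere in the file."""
    return [subsig_bytes(p, m) in data for p, m in subsigs]

def eval_logical(expression, hits):
    """Evaluate subsig indices joined by & and | (with parentheses, & binding
    tighter). The 'N=,N>' match-count syntax of real signatures is not modelled."""
    tokens, pos = re.findall(r"\d+|[&|()]", expression), 0
    def parse(level):  # 0: '|' terms, 1: '&' terms, 2: index or (...)
        nonlocal pos
        if level == 2:
            tok, pos = tokens[pos], pos + 1
            if tok != "(":
                return hits[int(tok)]
            val, pos = parse(0), pos + 1  # parse(0) runs first; then skip ')'
            return val
        op, val = ("|" if level == 0 else "&"), parse(level + 1)
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = parse(level + 1)
            val = (val or rhs) if op == "|" else (val and rhs)
        return val
    return parse(0)

def matches(data, expression=LOGICAL_EXPRESSION):
    """Would the signature fire on this buffer? (simplified engine model)"""
    return eval_logical(expression, subsig_hits(data))

def sample(skip=()):
    """Constructed test buffer, not a real file: every subsig not in skip,
    each followed by padding. sample((3,)) omits 'ARSDS{Z,'."""
    return b"\x00" * 4 + b"".join(subsig_bytes(p, m) + b"\x00" * 8
                                  for i, (p, m) in enumerate(SUBSIGS) if i not in skip)
```

With the AND-only expression, dropping any one of the five strings from the buffer is enough to turn the verdict from FOUND to clean, which is also why such a signature depends on all five strings together being rare in legitimate files.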