Hi Ged,
Your response is extremely valuable
Appreciate it
Btw what tool is 'time sigtool'? Should I try it on my Linux machine or
Windows?
Thanks
Eliya

On Mon, Feb 21, 2022 at 11:27 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 21 Feb 2022, Eliya Voldman via clamav-users wrote:
>
> > ... found this line in the log:
> >
> > C:\Windows\SysWOW64\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND
>
> You should take positive action to investigate anything which gives a
> result like this.  It may mean that the computer has been compromised,
> or it could be a false positive.  I did a quick search and I didn't
> find very much but I don't have all day to spend on it.  Be aware that
> different suppliers of threat information may call the *same* threats
> by different names.
>
> As this seems to be a fairly old signature, if it really is a false
> positive, I'd almost have expected that it would have been mentioned
> on this list by now.  AFAICT it hasn't.
>
> Here's the decoded signature:
> 8<----------------------------------------------------------------------
> $ time sigtool --datadir=/EXPORTS/clamav/databases --find-sigs
> 'Win.Trojan.Pemalform-9786579-0' | sigtool --decode-sigs
> VIRUS NAME: Win.Trojan.Pemalform-9786579-0
> TDB: Engine:81-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
>   * SUBSIG ID 0
>   +-> OFFSET: ANY
>   +-> SIGMOD: WIDE
>   +-> DECODED SUBSIGNATURE:
>   !"&)(<>=|%5C%5C.%5CMutex%5C
>   * SUBSIG ID 1
>   +-> OFFSET: ANY
>   +-> SIGMOD: WIDE
>   +-> DECODED SUBSIGNATURE:
> LastRunPercentFragmentation
>   * SUBSIG ID 2
>   +-> OFFSET: ANY
>   +-> SIGMOD: WIDE
>   +-> DECODED SUBSIGNATURE:
> \Registry\Machine\Software\Microsoft\SQMClient
>   * SUBSIG ID 3
>   +-> OFFSET: ANY
>   +-> SIGMOD: NONE
>   +-> DECODED SUBSIGNATURE:
> ARSDS{Z,
>   * SUBSIG ID 4
>   +-> OFFSET: ANY
>   +-> SIGMOD: NONE
>   +-> DECODED SUBSIGNATURE:
> )^72>x
>
> real    2m16.854s
> user    0m7.074s
> sys     0m6.778s
> 8<----------------------------------------------------------------------
>
> To me, because of all those 'ANY' offsets, it looks possible that this
> *could* generate false positives - but I certainly wouldn't claim to be
> an expert on the assessment of signature performance and I haven't even
> looked at the content of the genuine file nor any malicious versions.
>
> There's a lot of advice Out There.  You could for example calculate
> the MD5 digest of the file content and search for that (this is one of
> the more efficient ways of looking for indicators) or you could submit
> the file to the ClamAV team, and to any of a number of Websites which
> collect malware, for analysis.  You might want to install yet another
> scanning tool on the computer to see if it agrees with ClamAV, but if
> the threat is real, and the malicious actor is competent, the results
> are likely to be unreliable.  It might be better to take the file from
> the affected computer and scan it elsewhere.  There might be readers
> on this mailing list who can provide the MD5 of the same file for you
> to compare it with that for your file.
> The main things to consider are that
>
> (1) all this might be a storm in a teacup if it's a false positive
>
> (2) this computer, apparently on a connection which does not permit
> traffic from the Internet, might possibly be compromised
>
> (3) if this computer is on the same firewalled network as other
> computers, it might present a threat to those other computers - I'd
> advise disconnecting it until you're sure one way or another
>
> (4) if the computer is in fact compromised, my advice would be to wipe
> it thoroughly, reinstall all software and data from known good sources
> and then monitor it carefully in controlled conditions until it can be
> confidently called 'clean' (given the prevalence of Windows malware,
> that's quite a tall order for a Windows box at the best of times)
>
> (5) if it's a real compromise you'll want to know how it got there,
> and take steps to prevent it from happening again
>
> (6) there are many Websites out there which will lie to you about
> things like this, for example they will tell you that absolutely
> anything you submit to them is a danger and that you need to pay them
> money in order to fix the problem, or perhaps you should download the
> version of the file that they provide; be careful what you believe.
>
> > Does it mean that I could/should rely on 'FOUND' or it should be something
> > 'more specific'?
>
> A ClamAV scan normally gives the word 'FOUND' in the output which it
> produces when something it scans matches a signature or a heuristic.
> If that's enough for you to decide on what's been found depends on you
> and to some extent on what you're looking at.  For example if you have
> files which contain the word 'FOUND' in their names, or in the names
> of the directories which contain them, then yes, you might need to be
> more specific.  But we can't really tell you because we don't know
> exactly what you're looking at.  ClamAV is primarily a toolkit, and
> how you use it is primarily up to you.
>
> --
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 
Eliya Voldman
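As an added illustration of how the logical signature decoded in Ged's reply is evaluated (example code written for this page, not ClamAV's matcher and not anything posted in the thread): `sigtool` is the signature utility shipped with ClamAV, and the `time` in front of it is the shell's timing keyword, which is why the `real`/`user`/`sys` lines follow the output. The script below takes the five decoded subsignatures literally (the `%5C` sequences are kept exactly as printed), searches for each at any offset, and evaluates the expression `0&1&2&3&4`. Assumptions made here and not stated on the page: SIGMOD WIDE is treated as a UTF-16LE match and NONE as a raw byte match, `&` binds tighter than `|`, and the `Target:1` (PE) restriction is approximated by an `MZ` header check. The sample byte blobs are constructed, not real files.

```python
"""Toy evaluator for the ClamAV logical signature decoded in the thread."""
import re
from typing import Dict, Tuple

# Subsignatures copied from the quoted `sigtool --decode-sigs` output,
# used literally (the %5C sequences are left exactly as printed).
SUBSIGS = [
    ('!"&)(<>=|%5C%5C.%5CMutex%5C', "WIDE"),
    ("LastRunPercentFragmentation", "WIDE"),
    ("\\Registry\\Machine\\Software\\Microsoft\\SQMClient", "WIDE"),
    ("ARSDS{Z,", "NONE"),
    (")^72>x", "NONE"),
]
LOGICAL_EXPRESSION = "0&1&2&3&4"   # every subsignature must hit


def subsig_bytes(text: str, sigmod: str) -> bytes:
    """Bytes searched for. Assumption: WIDE = UTF-16LE, NONE = raw bytes."""
    return text.encode("utf-16-le") if sigmod == "WIDE" else text.encode("latin-1")


def match_subsigs(data: bytes) -> Dict[int, int]:
    """OFFSET: ANY means the needle may sit anywhere; return hit counts per id."""
    return {sid: data.count(subsig_bytes(t, m)) for sid, (t, m) in enumerate(SUBSIGS)}


def evaluate(expression: str, hits: Dict[int, int]) -> bool:
    """Evaluate an expression built from subsig ids, '&', '|' and parentheses.
    Assumption: '&' binds tighter than '|'. Count/offset operators (=, <, >,
    comma) of the real format are not supported by this toy."""
    tokens = re.findall(r"\d+|[&|()]", expression)
    if "".join(tokens) != expression.replace(" ", ""):
        raise ValueError(f"unsupported logical expression: {expression!r}")
    pos = 0

    def atom() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        return hits.get(int(tok), 0) > 0

    def and_expr() -> bool:
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = atom()          # always evaluated so the token stream advances
            value = value and rhs
        return value

    def or_expr() -> bool:
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(data: bytes) -> Tuple[bool, Dict[int, int]]:
    """Target:1 limits the signature to PE files; approximated here by the
    MZ header (ClamAV does real PE parsing). Returns (matched, hit counts)."""
    if not data.startswith(b"MZ"):
        return False, {}
    hits = match_subsigs(data)
    return evaluate(LOGICAL_EXPRESSION, hits), hits


# Constructed sample inputs (not real files).
SAMPLE_ALL = b"MZ\x90\x00" + b"\x00" * 12 + b"".join(
    subsig_bytes(t, m) + b"\x00\x00" for t, m in SUBSIGS)
# Same strings, but the WIDE ones only in narrow ASCII: subsigs 0-2 do not hit.
SAMPLE_NARROW = b"MZ\x90\x00" + b"".join(t.encode("latin-1") + b"\x00" for t, _ in SUBSIGS)
# Only the two short raw-byte strings: not enough on its own.
SAMPLE_PARTIAL = b"MZ\x90\x00" + b"ARSDS{Z,\x00\x00)^72>x"

if __name__ == "__main__":
    for name, blob in [("all", SAMPLE_ALL), ("narrow", SAMPLE_NARROW), ("partial", SAMPLE_PARTIAL)]:
        matched, hits = scan(blob)
        print(f"{name:8s} hits={hits} -> {'FOUND' if matched else 'OK'}")
```

The point the demo makes is that although each subsignature may sit anywhere in the file, the `&`-only expression still requires all five strings to be present in the right encoding before ClamAV reports FOUND; the two short raw-byte fragments by themselves, or the three longer strings in narrow ASCII only, do not satisfy it. Running the real `sigtool --decode-sigs` on the file is still the authoritative check.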