Hi,

Speaking to the recent new signatures, some of them are incredibly
open-ended and don't seem quite viable.

When searching on the hit, I found this:

https://github.com/streetsidesoftware/vscode-spell-checker/issues/4654

It's definitely a false positive.

Looking at a hit we had, and getting more output I see this:

$ grep -r Py.Malware.NetAccess_pty_SG-10053671-0 * | sigtool --decode-sigs -v
VIRUS NAME: daily.ldb:Py.Malware.NetAccess_pty_SG-10053671-0

TDB: Engine:90-255,Container:CL_TYPE_ZIP,Target:0
LOGICAL EXPRESSION: 0&1
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
torch
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Vpty


This is extremely open-ended. Simply searching for 'torch' in an entire
file, then searching for 'Vpty' at any distance from 'torch', is going to
result in massive hits.

Why?

Anything that has data of any sort in it will result in a hit: any sort
of SSH key, embedded images, md5 signatures, certificates, anything.

I'm wondering if these signatures were generated by AI and not properly
human-reviewed. That is, are people submitting signatures now without
human review?

Regardless, if there's a binary blob that's troublesome, Vpty (as an
example) isn't enough to prevent false positives. It needs to be a much
larger string.
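As an added illustration (not part of the original mail, and not ClamAV's own code), the Python below rebuilds the logical signature from the decoded sigtool output above, evaluates it the way ClamAV would against a constructed benign file, and estimates how often a four-byte subsignature like 'Vpty' turns up by chance in base64 data. The .ldb line and the benign file are constructed, and the expression evaluator only handles '&' and '|' over plain hex subsignatures.

```python
# Constructed .ldb record in ClamAV logical-signature layout:
#   Name;TargetDescriptionBlock;LogicalExpression;hexsubsig0;hexsubsig1;...
# The hex subsigs are the ASCII bytes of "torch" and "Vpty", matching the
# sigtool --decode-sigs output in the mail; the line is reconstructed here,
# not copied from daily.ldb.
SIG_LINE = ("Py.Malware.NetAccess_pty_SG-10053671-0;"
            "Engine:90-255,Container:CL_TYPE_ZIP,Target:0;"
            "0&1;746f726368;56707479")

# Constructed benign input: a PyTorch script carrying a base64 blob (a
# certificate here, but an SSH key or embedded image behaves the same).
BENIGN = (b"import torch\n"
          b"CERT = '''-----BEGIN CERTIFICATE-----\n"
          b"MIIBVptyCAQEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHZXhhbXBsZQ==\n"
          b"-----END CERTIFICATE-----'''\n")

def parse_ldb(line):
    """Split one .ldb line. Assumes plain hex subsigs (no wildcards,
    offsets or match-count modifiers)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

def evaluate(sig, data):
    """Evaluate a logical expression built from '&' and '|' (no parentheses
    or counts). A subsig with OFFSET: ANY 'matches' when its bytes occur
    anywhere in data, at any distance from the other subsigs."""
    hits = [s in data for s in sig["subsigs"]]
    return any(all(hits[int(i)] for i in term.split("&"))
               for term in sig["expr"].split("|"))

def expected_chance_hits(subsig, blob_bytes, alphabet=64):
    """Expected number of positions at which uniformly random text over an
    alphabet of the given size (64 = base64) contains subsig by chance:
    linear in blob size, exponential in subsig length."""
    return blob_bytes / alphabet ** len(subsig)

if __name__ == "__main__":
    sig = parse_ldb(SIG_LINE)
    print(sig["name"], "hits benign file:", evaluate(sig, BENIGN))
    for s in sig["subsigs"]:
        print(s, "expected chance hits per GiB of base64:",
              expected_chance_hits(s, 2**30))
```

The chance-hit estimate ignores that 'torch' is also an ordinary word in any PyTorch source file, so the real false-positive rate is higher still.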
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat