Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Micah Snyder (micasnyd)
If you're concerned that they may be flagging with multiple signatures, you can 
also test using:

clamscan --allmatch

It will scan for as many signatures as possible instead of just returning the 
first one it finds.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 7, 2018, at 7:35 AM, Joel Esler (jesler) 
mailto:jes...@cisco.com>> wrote:

Correct.  Jar files are essentially zip files.

Sent from my iPhone

On Aug 7, 2018, at 07:00, Maarten Broekman 
mailto:maarten.broek...@gmail.com>> wrote:

JAR files can be unpacked like tarballs so it is likely that there is a common 
file in each that matches those hashes.

Maarten
Sent from a tiny keyboard

On Aug 7, 2018, at 04:54, Albrecht, Peter 
mailto:peter.albre...@wirecard.com>> wrote:

Hi,

I don't see how that is even remotely possibly. They are three completely 
different hash signatures:

[daily.hsb] 
9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 
5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] 
f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73

You should have already submitted this file to ClamAV as a false positive, so 
what was it's MD5 hash?

I have submitted two files which have been reported. Their MD5 sums are:

88cc3123fce88d61b7c2cdbfc33542c5  httpclient-4.3.3.jar
9221d898bfa2fa19fa9bc307351f34a1  storm-submit-tools-1.1.1.jar

Strangely, they are reported with the same signature. And after whitelisting 
the first
one, the second one is reported. And then the third ...

This started about 10 days ago, nothing has been reported before that.

Thanks,

Peter Albrecht
Senior Linux Administrator

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com


Amtsgericht München HRB Nummer 238 150

Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und 
ist nur für den berechtigten Empfänger
bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese 
E-Mail an uns zurückzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen 
dürfen Sie weder nutzen, noch verarbeiten oder
Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre 
Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for 
the authorized recipient only. If you are
not an authorised recipient please return the email to us and then delete it 
from your computer and mail-server. You may neither
use nor edit any such emails including attachments, nor make them accessible to 
third parties in any manner whatsoever.
Thank you for your cooperation.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Joel Esler (jesler)
Correct.  Jar files are essentially zip files. 

Sent from my iPhone

> On Aug 7, 2018, at 07:00, Maarten Broekman  wrote:
> 
> JAR files can be unpacked like tarballs so it is likely that there is a 
> common file in each that matches those hashes.
> 
> Maarten
> Sent from a tiny keyboard
> 
>> On Aug 7, 2018, at 04:54, Albrecht, Peter  
>> wrote:
>> 
>> Hi,
>> 
>>> I don't see how that is even remotely possibly. They are three completely 
>>> different hash signatures:
>>> 
>>> [daily.hsb] 
>>> 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>>> [daily.hsb] 
>>> 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>>> [daily.hsb] 
>>> f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>>> 
>>> You should have already submitted this file to ClamAV as a false positive, 
>>> so what was it's MD5 hash?
>> 
>> I have submitted two files which have been reported. Their MD5 sums are:
>> 
>> 88cc3123fce88d61b7c2cdbfc33542c5  httpclient-4.3.3.jar
>> 9221d898bfa2fa19fa9bc307351f34a1  storm-submit-tools-1.1.1.jar
>> 
>> Strangely, they are reported with the same signature. And after whitelisting 
>> the first
>> one, the second one is reported. And then the third ...
>> 
>> This started about 10 days ago, nothing has been reported before that.
>> 
>> Thanks,
>> 
>> Peter Albrecht
>> Senior Linux Administrator 
>> 
>> Wirecard Service Technologies GmbH
>> Einsteinring 35 | 85609 Aschheim | Germany
>> Tel: +49 (0) 89 4424-191076
>> https://www.wirecard.com
>> 
>> 
>> Amtsgericht München HRB Nummer 238 150
>> 
>> Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou
>> 
>> VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen 
>> und ist nur für den berechtigten Empfänger
>> bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, 
>> diese E-Mail an uns zurückzusenden und anschließend
>> auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen 
>> dürfen Sie weder nutzen, noch verarbeiten oder 
>> Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre 
>> Kooperation!
>> 
>> CONFIDENTIAL! This email contains confidential information and is intended 
>> for the authorized recipient only. If you are 
>> not an authorised recipient please return the email to us and then delete it 
>> from your computer and mail-server. You may neither 
>> use nor edit any such emails including attachments, nor make them accessible 
>> to third parties in any manner whatsoever. 
>> Thank you for your cooperation.
>> 
>> ___
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Maarten Broekman
JAR files can be unpacked like tarballs so it is likely that there is a common 
file in each that matches those hashes.

Maarten
Sent from a tiny keyboard

> On Aug 7, 2018, at 04:54, Albrecht, Peter  wrote:
> 
> Hi,
> 
>> I don't see how that is even remotely possibly. They are three completely 
>> different hash signatures:
>> 
>> [daily.hsb] 
>> 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>> [daily.hsb] 
>> 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>> [daily.hsb] 
>> f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>> 
>> You should have already submitted this file to ClamAV as a false positive, 
>> so what was it's MD5 hash?
> 
> I have submitted two files which have been reported. Their MD5 sums are:
> 
> 88cc3123fce88d61b7c2cdbfc33542c5  httpclient-4.3.3.jar
> 9221d898bfa2fa19fa9bc307351f34a1  storm-submit-tools-1.1.1.jar
> 
> Strangely, they are reported with the same signature. And after whitelisting 
> the first
> one, the second one is reported. And then the third ...
> 
> This started about 10 days ago, nothing has been reported before that.
> 
> Thanks,
> 
> Peter Albrecht
> Senior Linux Administrator 
> 
> Wirecard Service Technologies GmbH
> Einsteinring 35 | 85609 Aschheim | Germany
> Tel: +49 (0) 89 4424-191076
> https://www.wirecard.com
> 
> 
> Amtsgericht München HRB Nummer 238 150
> 
> Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou
> 
> VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen 
> und ist nur für den berechtigten Empfänger
> bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese 
> E-Mail an uns zurückzusenden und anschließend
> auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen 
> dürfen Sie weder nutzen, noch verarbeiten oder 
> Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre 
> Kooperation!
> 
> CONFIDENTIAL! This email contains confidential information and is intended 
> for the authorized recipient only. If you are 
> not an authorised recipient please return the email to us and then delete it 
> from your computer and mail-server. You may neither 
> use nor edit any such emails including attachments, nor make them accessible 
> to third parties in any manner whatsoever. 
> Thank you for your cooperation.
> 
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Albrecht, Peter
Hi,

> I don't see how that is even remotely possibly. They are three completely 
> different hash signatures:
>
>[daily.hsb] 
>9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>[daily.hsb] 
>5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>[daily.hsb] 
>f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>
>You should have already submitted this file to ClamAV as a false positive, so 
>what was it's MD5 hash?

I have submitted two files which have been reported. Their MD5 sums are:

88cc3123fce88d61b7c2cdbfc33542c5  httpclient-4.3.3.jar
9221d898bfa2fa19fa9bc307351f34a1  storm-submit-tools-1.1.1.jar

Strangely, they are reported with the same signature. And after whitelisting 
the first
one, the second one is reported. And then the third ...

This started about 10 days ago, nothing has been reported before that.

Thanks,

Peter Albrecht
Senior Linux Administrator 

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com


Amtsgericht München HRB Nummer 238 150

Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und 
ist nur für den berechtigten Empfänger
bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese 
E-Mail an uns zurückzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen 
dürfen Sie weder nutzen, noch verarbeiten oder 
Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre 
Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for 
the authorized recipient only. If you are 
not an authorised recipient please return the email to us and then delete it 
from your computer and mail-server. You may neither 
use nor edit any such emails including attachments, nor make them accessible to 
third parties in any manner whatsoever. 
Thank you for your cooperation.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Al Varnell
I don't see how that is even remotely possibly. They are three completely 
different hash signatures:

[daily.hsb] 
9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 
5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] 
f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73

You should have already submitted this file to ClamAV as a false positive, so 
what was it's MD5 hash?

-Al-

On Tue, Aug 07, 2018 at 12:20 AM, Albrecht, Peter wrote:
> Hi,
> 
> We have whitelisted certain signatures for files which are only detected by
> ClamAV to be potentially malicious. And now we face the problem that the
> same files are reported again, but with a different signature. I already had 
> this behaviour when I tested with the EICAR test virus.
> 
> The signatures in question are now:
> 
> Html.Malware.Agent-6625344-0 (whitelisted already)
> Html.Malware.Agent-6625164-0 (new signature for the same files)
> 
> After whitelisting the latter one, ClamAV comes again with a new signature:
> 
> Html.Malware.Agent-6625283-0
> 
> It looks like there are multiple signatures defined for the same file. What
> would you need from me to investigate further?
> 
> We are using ClamAV 0.99.4 on Linux. The virus signatures are updated
> directly before running clamscan.
> 
> Regards,
> 
> Peter
> 
> Peter Albrecht
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml