Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
Thank you David.

Sent from my iPhone

On Sep 27, 2016, at 10:25 PM, David Shrimpton wrote:
>> These signatures were generated out of attachments to known bad spam files.
>> We'll have a look.
>>
>
> I generated the null byte files from sizes 1 to 1 and ran

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
> These signatures were generated out of attachments to known bad spam files.
> We'll have a look.
>

I generated the null byte files from sizes 1 to 1 and ran clamav against them and came up with 785 signatures that matched the null byte files and are therefore broken. I'd speculate that
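A way to audit a ClamAV .hdb file for this class of broken signature, as an added example (not code from the thread or from the ClamAV project): it parses the md5:size:name entries and compares each hash with the MD5 of a file of that many null bytes, hashing only the size each entry claims rather than generating every size on disk. The sample hdb lines are constructed; the MD5 for the 2240-byte entry is computed, not copied from daily.hdb.

```python
import hashlib
from typing import Iterator, List, Tuple


def null_md5(size: int) -> str:
    """MD5 hex digest of a file made of `size` null bytes."""
    return hashlib.md5(b"\x00" * size).hexdigest()


# Constructed sample in ClamAV .hdb format (md5:size:name).
SAMPLE_HDB = "\n".join([
    f"{null_md5(2240)}:2240:Win.Trojan.Agent-1696554",        # shape of the thread's FP entry
    "d41d8cd98f00b204e9800998ecf8427e:0:Example.EmptyFile",  # MD5 of empty input
    "0123456789abcdef0123456789abcdef:4096:Example.Real-1",   # constructed, non-null content
    "0123456789abcdef0123456789abcdef:*:Example.AnySize",     # wildcard size, skipped
    "# comment line",
])


def parse_hdb(text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (md5, size, name) for each well-formed hash:size:name entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[1].isdigit():
            # Malformed entry, or a wildcard size that cannot be tied to one file
            continue
        yield fields[0].lower(), int(fields[1]), fields[2]


def find_null_byte_signatures(text: str, max_size: int = 1 << 20) -> List[Tuple[str, int]]:
    """Return (name, size) for every entry whose hash equals the MD5 of
    `size` null bytes; such an entry matches any all-zero blob of that size
    (padding, extracted PDF streams, ...) and will cause false positives."""
    hits = []
    for md5, size, name in parse_hdb(text):
        if size <= max_size and null_md5(size) == md5:
            hits.append((name, size))
    return hits


if __name__ == "__main__":
    for name, size in find_null_byte_signatures(SAMPLE_HDB):
        print(f"{name}: matches {size} null bytes, signature is broken")
```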

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
Thank you

Sent from my Apple Watch

On Sep 27, 2016, at 9:07 PM, David Shrimpton wrote:
> On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
>
>> These signatures were generated out of attachments to known bad spam files.
>> We'll have a look.
>>
>
> clamscan -z on

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
> These signatures were generated out of attachments to known bad spam files.
> We'll have a look.
>

clamscan -z on pdf shows:
Win.Trojan.Agent-1696579
Win.Trojan.Agent-1696632
Win.Trojan.Agent-1696690
Win.Trojan.Agent-1696882

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
These signatures were generated out of attachments to known bad spam files. We'll have a look.

Sent from my iPhone

> On Sep 27, 2016, at 8:54 PM, David Shrimpton wrote:
>
>> On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
>>
>> All -
>>
>> This signature was

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
> All -
>
> This signature was my fault. It has been dropped. Should drop with the next
> publish and run of freshclam.
>

Win.Trojan.Agent-1696554 is now dropped. But, the pdf is now detected as Win.Trojan.Agent-1696579.

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Joel Esler (jesler)
All -

This signature was my fault. It has been dropped. Should drop with the next publish and run of freshclam.

> On Sep 27, 2016, at 5:46 AM, Al Varnell wrote:
>
> On Sep 27, 2016, at 2:26 AM, David Shrimpton wrote:
>> Is the original

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Al Varnell
On Sep 27, 2016, at 2:26 AM, David Shrimpton wrote:
> Is the original malware sample for which the signature was intended still
> available and does it have the above sha256sum?

Apparently available from the VT link Steve gave with the following file names:

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
On Tue, 27 Sep 2016, Al Varnell wrote:
> The signature is based on a 2240 byte file, so it is probably something
> embedded in the PDF.

Yes, the 2240 null byte file pdf51 is extracted by clamav from the pdf. --leave-temps and --debug can be used to show this and to obtain the file. md5sum

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
> > Confirmed FP I would say:
> >
> > https://virustotal.com/en/file/2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230/analysis/
> >

Agreed, above being the sha256sum of 2240 null bytes. The hit on the null bytes could of course be masking actual malware in the same container

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Al Varnell
The signature is based on a 2240 byte file, so it is probably something embedded in the PDF. In any case, it needs to be uploaded to . Is the MD5 of the entire PDF 013167adb9fbc93923f9c0789599ec95, because Steve and I aren’t finding anything on VT with any

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Steve Basford
On Tue, September 27, 2016 8:39 am, David Shrimpton wrote:
> Hi,
>
> Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an
> md5sum of a file containing 2240 null bytes only, so appears to be a broken
> signature.
>
> It is causing false positives.

Confirmed FP I would say:

[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread David Shrimpton
Hi,

Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an md5sum of a file containing 2240 null bytes only, so appears to be a broken signature. It is causing false positives. The example I have was an FP on a 944010 byte pdf which comes up negative on virustotal except for clamav.

--