Files in the Office Open XML format (.doc(x|m), .xls(x|m), etc., https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with macros typically contain an OLE2 file named vbaProject.bin. This signature appears as though it would match all standard Open XML files that contain macros. Examples of false positives should not be necessary to remove this signature:
$ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
[daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:

$ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | sigtool --decode-sig
VIRUS NAME: Win.Trojan.Toa-5368540-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: vbaProject\.bin$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY

DH

----- Original Message -----
From: "Joel Esler (jesler)" <[email protected]>
To: "Adnan de Castro Donato" <[email protected]>, "ClamAV users ML" <[email protected]>
Sent: Tuesday, December 27, 2016 3:25:14 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato <[email protected]> wrote:
>
> In keeping with one false positive reports
> I have 8 CentOS servers reporting the below after the Signatures Published daily - 22782
> update:
>
> All attachments with extension *.xlsm have the same issue:
>
> Our content checker found
> virus: Win.Trojan.Toa-5368540-0
>
>
> Believe this is a false positive. Would like confirmation and an update if
> possible.
>
> Thanks.
>
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
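To make the point in DH's message concrete, the following added Python example (not ClamAV's code and not posted by anyone in the thread) parses the CDB line quoted above into the fields that sigtool --decode-sig prints, then evaluates it against two constructed in-memory archives: a .xlsx with no macros and a .xlsm whose xl/vbaProject.bin is a constructed stand-in (OLE2 magic followed by filler, not a real VBA project). The semantics assumed for the numeric, encryption, file-position and CRC fields are modelled on the CDB field list and are assumptions; the quoted signature leaves all of them at "*", so the only thing it actually constrains is the member name, and any macro-enabled document matches. The pin_to_member helper is hypothetical (not a sigtool feature) and shows how filling in the uncompressed size and CRC fields would narrow the match to one specific vbaProject.bin.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# The CDB line quoted in the thread, exactly as sigtool printed it.
TOA_SIG = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"


@dataclass
class CdbSig:
    """Fields in the order sigtool --decode-sig lists them."""
    name: str
    container_type: str
    container_size: str
    filename_regex: str
    compressed_size: str
    uncompressed_size: str
    encryption: str
    file_position: str
    crc_sum: str


def parse_cdb(line: str) -> CdbSig:
    """Split a CDB line on ':' (assumes the filename regex contains no ':')."""
    fields = line.strip().split(":")
    if len(fields) < 9:
        raise ValueError("not a CDB signature: %r" % line)
    return CdbSig(*fields[:9])


def _num_matches(spec: str, value: int) -> bool:
    """'*' or empty matches anything; 'N' exact; 'MIN-MAX' inclusive (assumed)."""
    if spec in ("*", ""):
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return value == int(spec)


def matching_members(sig: CdbSig, zip_bytes: bytes) -> List[str]:
    """Names of archive members that satisfy every field of the signature."""
    if sig.container_type not in ("*", "CL_TYPE_ZIP"):
        return []
    if not _num_matches(sig.container_size, len(zip_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # File position is taken as the member's 1-based index (assumption).
        for pos, info in enumerate(zf.infolist(), start=1):
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            checks = (
                re.search(sig.filename_regex, info.filename) is not None,
                _num_matches(sig.compressed_size, info.compress_size),
                _num_matches(sig.uncompressed_size, info.file_size),
                sig.encryption in ("*", "") or (sig.encryption == "1") == encrypted,
                _num_matches(sig.file_position, pos),
                sig.crc_sum in ("*", "") or int(sig.crc_sum, 16) == info.CRC,
            )
            if all(checks):
                hits.append(info.filename)
    return hits


def pin_to_member(sig: CdbSig, zip_bytes: bytes, member: str) -> CdbSig:
    """Hypothetical helper: narrow the signature to one member's exact
    uncompressed size and CRC32, so only that vbaProject.bin matches."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)
    return CdbSig(sig.name, sig.container_type, sig.container_size,
                  sig.filename_regex, "*", str(info.file_size),
                  sig.encryption, "*", "%08x" % info.CRC)


# --- constructed sample documents (not real Office files) -------------------
CONTENT_TYPES = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                 b'package/2006/content-types"/>')
# OLE2 compound-file magic plus filler stands in for a real VBA project stream.
FAKE_VBA = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504


def build_ooxml(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def clean_xlsx() -> bytes:
    return build_ooxml({"[Content_Types].xml": CONTENT_TYPES,
                        "xl/workbook.xml": b"<workbook/>"})


def macro_xlsm(vba: bytes = FAKE_VBA) -> bytes:
    return build_ooxml({"[Content_Types].xml": CONTENT_TYPES,
                        "xl/workbook.xml": b"<workbook/>",
                        "xl/vbaProject.bin": vba})


if __name__ == "__main__":
    sig = parse_cdb(TOA_SIG)
    print("clean .xlsx  :", matching_members(sig, clean_xlsx()))
    print("any .xlsm    :", matching_members(sig, macro_xlsm()))
    pinned = pin_to_member(sig, macro_xlsm(), "xl/vbaProject.bin")
    print("pinned, same :", matching_members(pinned, macro_xlsm()))
    print("pinned, other:", matching_members(pinned, macro_xlsm(FAKE_VBA[:-1] + b"\x01")))
```

Because the regex is only anchored at the end, it matches the member at any path, so a .docm (word/vbaProject.bin) or .pptm would trip the same signature as the .xlsm attachments Adnan reported; the pinned variant matches the same archive but not one whose vbaProject.bin differs by a single byte, which is the level of specificity a container signature needs before it can be taken as evidence of a particular malicious macro rather than of macros in general.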
