On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
> Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
> macros typically contain an OLE2 file named vbaProject.bin. This signature 
> appears as though it would match all standard Open XML files that contain 
> macros. Examples of false positives should not be necessary to remove this 
> signature:

Yes, but as mentioned here several times, the vbaProject.bin file can be added 
to the QA test environment so that future FPs concerning it will no longer be 
distributed, but only when we submit the file.

-Al-

> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
> [daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
> 
> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | 
> sigtool --decode-sig
> VIRUS NAME: Win.Trojan.Toa-5368540-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: vbaProject\.bin$
> COMPRESSED FILESIZE: ANY
> UNCOMPRESSED FILESIZE: ANY
> ENCRYPTION: IGNORED
> FILE POSITION: ANY
> CRC SUM: ANY
> 
> 
> DH
> 
> 
> ----- Original Message -----
> From: "Joel Esler (jesler)" 
> To: "Adnan de Castro Donato" <[email protected]>, "ClamAV users ML" 
> <[email protected]>
> Sent: Tuesday, December 27, 2016 3:25:14 PM
> Subject: Re: [clamav-users] Probable false positive *.xlsm    -    
> Win.Trojan.Toa-5368540-0
> 
> Are you able to submit the files via the website?
> 
> 
> Sent from my Apple Watch
> 
> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>> In keeping with one false positive reports 
>> I have 8 CentOS servers report below after Signatures Published daily - 
>> 22782 update:
>> 
>> All attachments with extension *.xlsm have the same issue:
>> 
>> Our content checker found
>>   virus: Win.Trojan.Toa-5368540-0
>> 
>> Believe this is a false positive. Would like confirmation and an update if 
>> possible.
>> 
>> Thanks.
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
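
Added example (not part of the original thread, and not ClamAV code): a simplified Python model of how the container-metadata signature quoted above is evaluated, showing that the filename regex is its only constraint beyond the container type. The field names, the colon-split parser and the constructed sample archives are assumptions made for illustration; the regex is evaluated with Python's `re`, which agrees with POSIX ERE for this pattern.

```python
import io
import re
import zipfile

# Signature text copied from the sigtool output quoted in the thread.
SIG = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

# Field order follows the sigtool --decode-sig listing; "res2" is the trailing empty field.
FIELDS = ("name", "container", "container_size", "filename_regex", "compressed_size",
          "uncompressed_size", "encrypted", "file_pos", "crc", "res2")

def parse_cdb(line):
    """Split a .cdb line into named fields (assumes the regex contains no ':')."""
    return dict(zip(FIELDS, line.split(":")))

def constraining_fields(sig):
    """Fields that actually narrow the match: anything that is not '*' or empty."""
    return [k for k in FIELDS[1:] if sig[k] not in ("*", "")]

def zip_matches(sig, data):
    """Return the member names in a ZIP that satisfy the signature."""
    if constraining_fields(sig) != ["container", "filename_regex"]:
        raise ValueError("this model only covers container + filename constraints")
    if sig["container"] != "CL_TYPE_ZIP" or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    rx = re.compile(sig["filename_regex"])
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if rx.search(n)]

def make_zip(members):
    """Build an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: the member layout of a macro-enabled workbook and of a
# macro-free one. The contents are placeholders, not real Office parts.
XLSM = make_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>",
                 "xl/vbaProject.bin": b"placeholder for a benign macro project"})
XLSX = make_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})

if __name__ == "__main__":
    sig = parse_cdb(SIG)
    print("constraints:", constraining_fields(sig))
    print("xlsm hits:", zip_matches(sig, XLSM))
    print("xlsx hits:", zip_matches(sig, XLSX))
```

Because nothing about the content of vbaProject.bin is examined, any ZIP whose member name ends in vbaProject.bin is reported, which is the behaviour described in the thread for *.xlsm attachments.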