Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
>> macros typically contain an OLE2 file named vbaProject.bin. This signature
>> appears as though it would match all standard Open XML files that contain
>> macros. Examples of false positives should not be necessary to remove this
>> signature:
>
> Yes, but as mentioned here several times, the vbaProject.bin file can be
> added to the QA test environment so that future FP's concerning it will no
> longer be distributed, but only when we submit the file.
To rephrase demonhunter, the signature is on the filename component, not the
content of the file; it's a generic name for the container for macro(s) in a
current-generation Office document, which happen to be lightly rebranded .zip
files. I've had a report as well; I don't yet have an example file though.

-kgd

> -Al-
>
>> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
>> [daily.cdb]
>> Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>>
>> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"
>> | sigtool --decode-sig
>> VIRUS NAME: Win.Trojan.Toa-5368540-0
>> CONTAINER TYPE: CL_TYPE_ZIP
>> CONTAINER SIZE: ANY
>> FILENAME REGEX: vbaProject\.bin$
>> COMPRESSED FILESIZE: ANY
>> UNCOMPRESSED FILESIZE: ANY
>> ENCRYPTION: IGNORED
>> FILE POSITION: ANY
>> CRC SUM: ANY
>>
>> DH
>>
>> ----- Original Message -----
>> From: "Joel Esler (jesler)"
>> To: "Adnan de Castro Donato" <[email protected]>, "ClamAV users ML"
>> <[email protected]>
>> Sent: Tuesday, December 27, 2016 3:25:14 PM
>> Subject: Re: [clamav-users] Probable false positive *.xlsm -
>> Win.Trojan.Toa-5368540-0
>>
>> Are you able to submit the files via the website?
>>
>> Sent from my Apple Watch
>>
>> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>>> In keeping with one false positive report,
>>> I have 8 CentOS servers reporting the below after the Signatures Published daily -
>>> 22782 update:
>>>
>>> All attachments with extension *.xlsm have the same issue:
>>>
>>> Our content checker found
>>> virus: Win.Trojan.Toa-5368540-0
>>>
>>> Believe this is a false positive. Would like confirmation and an update if
>>> possible.
>>>
>>> Thanks.
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
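Added illustration, not code from the thread or from ClamAV itself: a small Python evaluator that parses the .cdb line quoted above and applies it to a constructed macro-enabled workbook and a constructed macro-free one, showing that the only constraint the signature carries is the member-name regex. Field semantics are approximated from the sigtool --decode-sig output rather than taken from ClamAV's matcher, and the workbooks are constructed stand-ins whose vbaProject.bin has an OLE2 header and an empty body.

```python
import io
import re
import zipfile

# .cdb fields in the order sigtool --decode-sig prints them
CDB_FIELDS = ("name", "container_type", "container_size", "filename_regex",
              "compressed_size", "uncompressed_size", "encryption",
              "file_position", "crc")
SIG_LINE = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

def parse_cdb(line):
    """Split a .cdb line into a field dict (regexes containing ':' not handled)."""
    parts = line.split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("not a .cdb line: %r" % line)
    return dict(zip(CDB_FIELDS, parts[:len(CDB_FIELDS)]))

def is_name_only(sig):
    """True when everything but container type and filename regex is a wildcard."""
    return all(sig[f] == "*" for f in CDB_FIELDS
               if f not in ("name", "container_type", "filename_regex"))

def _size_ok(sig, field, actual):
    """A '*' field matches anything; otherwise the numeric value must be equal."""
    return sig[field] == "*" or int(sig[field]) == actual

def matching_entries(sig, zip_bytes):
    """Names of zip members the signature would flag (approximate semantics)."""
    if sig["container_type"] != "CL_TYPE_ZIP" or not _size_ok(
            sig, "container_size", len(zip_bytes)):
        return []
    name_re = re.compile(sig["filename_regex"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [m.filename for m in zf.infolist()
                if name_re.search(m.filename)
                and _size_ok(sig, "compressed_size", m.compress_size)
                and _size_ok(sig, "uncompressed_size", m.file_size)]

def build_workbook(with_macros):
    """Constructed stand-in for an .xlsx (False) or .xlsm (True) workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:  # OLE2 magic followed by a padded, empty body
            zf.writestr("xl/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
    return buf.getvalue()
```

Running `matching_entries(parse_cdb(SIG_LINE), build_workbook(True))` flags `xl/vbaProject.bin` while the macro-free workbook yields nothing, and `is_name_only` reports that no size, CRC or position constraint narrows the match.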
