Thanks much.

On Thu, Feb 9, 2017 at 8:55 AM, Steve Basford <[email protected]> wrote:

> On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote:
> > Clamscan found a PE "visor.exe.svn-base" that matched
> > Win.Trojan.Agent-793284 FOUND.
> >
> > Is there a way, or an online tutorial, or some other information to
> > decompose the signature and the file easily to determine if it's a false
> > positive or not? I realize this is a complete science in and of itself,
> > but I am looking for a way for our tier 0 folks to quickly discern if
> > they need to wake up the whole enterprise at 3am in the future.
>
> Submit the file to a sandbox, e.g.:
>
> https://www.hybrid-analysis.com/
> https://malwr.com/
>
> sigtool --find-sigs=Win.Trojan.Agent-793284
> [main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284
>
> In the above case you can see it's an old hash in the main.mdb database.
>
> sigtool --find-sigs=Win.Trojan.Agent-793284 --decode-sigs
> (will let you see the sigs as long as it's not a hash)
>
> Also... found the hash here...
>
> https://totalhash.cymru.com/analysis/?8d87580f90b6a6e66803bac07744c1439fb18c02
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
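Steve's sigtool output shows what a main.mdb entry is: a PE section size, the MD5 of that section's raw bytes, and the signature name. As an added example that is not part of the thread (and not ClamAV's own code), the Python script below re-derives that check so a first-tier analyst can confirm offline whether a hash-based hit is reproducible before escalating: it parses .mdb lines, walks the section table of a PE file, hashes every section and reports which signatures genuinely match. The PE parser is a minimal hand-written one and assumes a well-formed 32- or 64-bit PE; the hashed data is taken to be the section's raw bytes as stored on disk (SizeOfRawData bytes at PointerToRawData), which is how the .mdb format is understood here. The `build_test_pe` helper and the constructed test image are mine, added only so the script runs without a real sample.

```python
"""
Added example: reproduce a ClamAV .mdb (PE section MD5) match against a file.

.mdb line format:  PESectionSize:MD5(section raw bytes):MalwareName
Assumptions: well-formed PE with a standard section table; the hash
covers SizeOfRawData bytes starting at PointerToRawData.
"""
import hashlib
import struct

# Line quoted from the sigtool output in the thread.
SAMPLE_MDB = "28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284\n"


def parse_mdb(text):
    """Parse .mdb text into a list of (section_size, md5hex, name) tuples."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, md5hex, name = line.split(":", 2)
        sigs.append((int(size), md5hex.lower(), name))
    return sigs


def section_hashes(pe):
    """Return [(raw_size, md5hex, section_name)] for every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER (40 bytes each)
    out = []
    for i in range(nsections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        data = pe[raw_ptr:raw_ptr + raw_size]
        out.append((raw_size, hashlib.md5(data).hexdigest(), name))
    return out


def match_mdb(pe, mdb_text):
    """Return [(signature_name, section_name)] for every .mdb entry a section of pe reproduces."""
    wanted = {(size, md5hex): name for size, md5hex, name in parse_mdb(mdb_text)}
    hits = []
    for raw_size, md5hex, sect_name in section_hashes(pe):
        name = wanted.get((raw_size, md5hex))
        if name:
            hits.append((name, sect_name))
    return hits


def mdb_line_for(raw_size, md5hex, name):
    """Format one .mdb signature line (inverse of parse_mdb)."""
    return "%d:%s:%s\n" % (raw_size, md5hex, name)


def build_test_pe(sections):
    """Constructed minimal PE (empty optional header) for offline tests.

    sections is a list of (name, payload_bytes); file alignment is 512 bytes.
    """
    n = len(sections)
    hdr_end = 0x40 + 4 + 20 + n * 40
    data_start = (hdr_end + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    table, body, ptr = bytearray(), bytearray(), data_start
    for i, (name, payload) in enumerate(sections):
        raw = len(payload)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             raw, 0x1000 * (i + 1), raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        ptr += raw
    image = dos + b"PE\0\0" + coff + table
    image += b"\0" * (data_start - len(image))
    return bytes(image + body)


if __name__ == "__main__":
    # Self-check on a constructed image; for a real triage, read the flagged
    # file's bytes and pass the .mdb lines sigtool printed.
    sample = build_test_pe([(".text", b"constructed code section")])
    size, digest, _ = section_hashes(sample)[0]
    print(match_mdb(sample, mdb_line_for(size, digest, "Test.Constructed-1")))
    print(match_mdb(sample, SAMPLE_MDB))   # the thread's signature will not match
```

Running `match_mdb(open(path, "rb").read(), "<the line sigtool printed>")` against the flagged file answers Brad's question for the hash-based case: if no section reproduces the size and MD5, the hit is worth questioning before anyone is paged; if one does, the section name tells the analyst exactly which part of the binary matched.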
