Hey Graeme,

Doc.Trojan.Agent-6923110-0 has been dropped as of this morning's daily.cvd
build.  Thanks for bringing this FP to our attention.

For reference, the signature was generated from a cluster of documents
similar to and including the one below:

https://www.virustotal.com/gui/file/7cf485fb365ef45d1d5253ef104ae418f9cb18dff0500e5bb7c8ad3a32220ab5

From doing some quick research on the underlying VB script contained
within, there is some code that looks a little suspicious, but the vast
majority appears to be code associated with documents produced by Oracle
Web Applications Desktop Integrator (ADI).  This signature mistakenly
matches on the latter.

From searching online, I was able to find some clean spreadsheets created
via Oracle Web ADI and have added those to our clean sample database, so
that future signatures which might mistakenly match on these documents and
spreadsheets won't pass our False Positive testing.

Thanks again, and let me know if you have any questions.

-Andrew

Andrew Williams
Malware Research Engineer
Cisco Talos


On Wed, Apr 10, 2019 at 1:44 PM Graeme Fowler via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Thanks; I'm well aware of that.
>
> I can well understand the rationale behind the signature - however it
> looks like the code is established in normal usage. The user in question
> requested a more recent copy of the template sheet they work with from the
> upstream organisation, which too was blocked at the boundary (as I
> expected).
>
> I'm loath to put it into the ignore list as there's obviously good reason
> for the sig in the first place; what I can't see is whether any other Clam
> sites have seen the same issue, hence raising it here.
>
> It may be that the sig is a bit too broad, but equally it may be entirely
> based on observed malware - and if we've got genuine files using the same
> code as malware or the other way round, that leaves us in a bit of a pickle.
>
> Graeme
>
> ________________________________________
> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of
> Brent Clark via clamav-users <clamav-users@lists.clamav.net>
> Sent: 10 April 2019 13:38
> To: ClamAV users ML
> Cc: Brent Clark
> Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
>
> To whitelist a specific signature from the database you just add the
> signature name into a local file with the .ign2 extension and store it
> inside /var/lib/clamav.
>
> i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2
>
> HTH
> Regards
> Brent Clark
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
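The .ign2 one-liner quoted above from Brent's reply, worked into a small POSIX shell helper as an added example (not code from the thread or from the ClamAV project). It assumes the database directory is /var/lib/clamav (override with CLAMAV_DB_DIR) and reuses the whitelist.ign2 file name from the thread; it adds the entry only once, rejects names that are not plausible signature names, and removes the entry again once the upstream signature has been dropped, as Andrew reports happened here.

```shell
#!/bin/sh
# Added example: manage a local ClamAV .ign2 ignore list for a false-positive
# signature. Assumption: DatabaseDirectory is /var/lib/clamav unless
# CLAMAV_DB_DIR is set. File name whitelist.ign2 comes from the thread.
set -u

IGN2="${CLAMAV_DB_DIR:-/var/lib/clamav}/whitelist.ign2"

# Return 0 if the argument looks like a ClamAV signature name (letters,
# digits, dots, dashes, underscores, colons), 1 otherwise. This keeps blank
# lines and shell metacharacters out of the ignore file.
valid_sig_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append a signature name to the ignore file unless it is already present.
# Usage: ignore_sig <signature> [file]   (returns 2 on a bad name)
ignore_sig() {
    sig=$1; file=${2:-$IGN2}
    valid_sig_name "$sig" || { echo "bad signature name: $sig" >&2; return 2; }
    touch "$file" || return 1
    # .ign2 holds one signature name per line; -x -F matches a whole line literally
    if grep -qxF "$sig" "$file"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$file"
}

# Drop the entry once upstream has fixed the signature, so the local
# exemption does not outlive the false positive it was added for.
# Usage: unignore_sig <signature> [file]
unignore_sig() {
    sig=$1; file=${2:-$IGN2}
    [ -f "$file" ] || return 0
    grep -vxF "$sig" "$file" > "$file.tmp" || true   # grep exits 1 when nothing is left
    mv "$file.tmp" "$file"
}

# Report whether a signature is currently in the ignore file (0 = yes, 1 = no).
is_ignored() {
    sig=$1; file=${2:-$IGN2}
    [ -f "$file" ] && grep -qxF "$sig" "$file"
}
```

clamd only reads the database directory at start-up or on a reload, so restart or reload it after changing the file.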