Looks like the signature was dropped already because sigtool doesn't find it anymore after I updated the databases through freshclam.
--Maarten

On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> Well yes, the fact that it was the only scanner would be an indicator of
> at least a possible False Positive.
>
> Next a check to see when that signature was added shows that it was just
> yesterday and further that it was dropped today, so clearly an indication
> that it was found to be incorrect. Updating your daily signature database
> should eliminate the finding and you can get back to more important work.
>
> And if step three were necessary, I would take a look at the signature
> itself to see if it's focused enough. Here's what it looks like:
>
> sigtool -fWin.Malware.Generic-9937882-0|sigtool --decode-sigs
> VIRUS NAME: Win.Malware.Generic-9937882-0
> TDB: Engine:81-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Expected to find a command ending in '.exe' in shebang line: %ls
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Terminating quote without starting quote for executable in shebang line: %ls
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Expected terminating double-quote for executable in shebang line: %ls
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: WIDE
>  +-> DECODED SUBSIGNATURE:
> Unable to create process using '%ls': %ls
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Unable to find executable in environment: %ls
>
> So it's looking for all five ASCII strings indicated, which might have
> been enough to uniquely identify whatever Windows file that is, but
> apparently either that file was misidentified as being malware or those
> strings are common to both the malware and your Python lib.
>
> -Al-
>
> On Jan 31, 2022, at 04:22, Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> > FP confirmed (I guess):
> >
> > https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d
> >
> > On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:
> >
> > > First I would upload the file to https://virustotal.com to see if any
> > > other scanners identify the file as malware.
> > >
> > > Sent from my iPad
> > >
> > > -Al-
> > >
> > > On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users <clamav-users@lists.clamav.net> wrote:
> > >
> > > > Hello, I hope everyone is well.
> > > >
> > > > While scanning my database VPS, ClamAV found Win.Malware.Generic-9937882-0 on
> > > > /opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl.
> > > > The server is running CentOS 7, so a Windows-based malware is not likely
> > > > dangerous, but it makes me wonder: is it malware or is it a false positive?
> > > >
> > > > I am new to all this, so I would like some guidelines as to what I should
> > > > check and how I should proceed...
> > > >
> > > > Thanks in advance,
> > > > N.
> > > > Theofanidis
> > > >
> > > > _______________________________________________
> > > > clamav-users mailing list
> > > > clamav-users@lists.clamav.net
> > > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > > >
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > > http://www.clamav.net/contact.html#ml
> >
> > --
> > Cordialement / Best regards,
> >
> > Arnaud Jacques
> > Manager of SecuriteInfo.com
> >
> > Telephone : +33-(0)3.60.47.09.81
> > E-mail : a...@securiteinfo.com
> > Website : https://www.securiteinfo.com
> > Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> > Twitter : @SecuriteInfoCom
> > Signatures for ClamAV antivirus : http://ow.ly/LqfdL
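As an added example (not part of the thread and not ClamAV's own code), the following script re-checks the decoded signature Al quoted against an arbitrary file, offline, so you can see for yourself which of the five sub-signatures a suspect file actually contains and whether the logical expression is satisfied. It parses the `sigtool --decode-sigs` text verbatim from the thread, applies the WIDE modifier on sub-signature 3 as a UTF-16LE search, and evaluates the logical expression with a small parser instead of `eval()`. Assumptions (mine, not ClamAV's documented behaviour): every sub-signature has OFFSET ANY (true for this signature), SIGMOD is NONE or WIDE, and the logical expression uses only IDs, `&`, `|` and parentheses with `&` binding tighter than `|`. The sample buffers are constructed, not real files.

```python
import re
import sys

# Copied verbatim from the sigtool output quoted in the thread.
DECODED_SIG = """\
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls
"""


def parse_decoded_sig(text):
    """Return (name, logical_expr, {subsig_id: pattern_bytes}) from decode-sigs text."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1).strip()
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1).strip()
    parts = re.split(r"^ \* SUBSIG ID (\d+)[ \t]*$", text, flags=re.M)
    subsigs = {}
    for sid, body in zip(parts[1::2], parts[2::2]):  # re.split yields [head, id, body, ...]
        offset = re.search(r"OFFSET: (\S+)", body).group(1)
        sigmod = re.search(r"SIGMOD: (\S+)", body).group(1)
        pattern = re.search(r"DECODED SUBSIGNATURE:\n(.+)", body).group(1)
        if offset != "ANY":  # assumption: only unanchored subsigs are handled here
            raise NotImplementedError("offset-anchored subsig %s not handled" % sid)
        if sigmod == "WIDE":   # WIDE: the ASCII pattern is matched in its UTF-16LE form
            subsigs[int(sid)] = pattern.encode("utf-16-le")
        elif sigmod == "NONE":
            subsigs[int(sid)] = pattern.encode("latin-1")
        else:                  # NOCASE, FULLWORD, ... are out of scope for this example
            raise NotImplementedError("sigmod %s not handled" % sigmod)
    return name, expr, subsigs


def eval_logical(expr, hits):
    """Evaluate an expression of IDs, '&', '|' and parentheses against {id: bool}."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = disj()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return val
        return bool(hits[int(tok)])

    def conj():  # '&' binds tighter than '|' (assumption, irrelevant for 0&1&2&3&4)
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            val = atom() and val
        return val

    def disj():
        nonlocal pos
        val = conj()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            val = conj() or val
        return val

    result = disj()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def scan(data, decoded=DECODED_SIG):
    """Return (name, {subsig_id: hit}, verdict) for a bytes buffer."""
    name, expr, subsigs = parse_decoded_sig(decoded)
    hits = {sid: pat in data for sid, pat in subsigs.items()}  # OFFSET ANY: substring search
    return name, hits, eval_logical(expr, hits)


# Constructed sample buffers (not real files) that exercise the matcher.
_NARROW = [
    b"Expected to find a command ending in '.exe' in shebang line: %ls",
    b"Terminating quote without starting quote for executable in shebang line: %ls",
    b"Expected terminating double-quote for executable in shebang line: %ls",
    b"Unable to find executable in environment: %ls",
]
_WIDE = "Unable to create process using '%ls': %ls"
FULL_HIT = b"MZ\x90\x00" + b"\x00".join(_NARROW) + _WIDE.encode("utf-16-le")
# Same strings, but subsig 3 only as plain ASCII: the WIDE subsig must not fire.
NEAR_MISS = b"MZ\x90\x00" + b"\x00".join(_NARROW) + _WIDE.encode("ascii")
CLEAN = b"#!/usr/bin/env python3\nprint('hello')\n"

if __name__ == "__main__":
    # Usage: python sigcheck.py [file ...]; with no arguments, run on the samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("FULL_HIT", FULL_HIT), ("NEAR_MISS", NEAR_MISS), ("CLEAN", CLEAN)]
    for label, data in targets:
        name, hits, verdict = scan(data)
        print("%-10s %s %s -> %s" % (label, name, hits, "FOUND" if verdict else "clean"))
```

Point it at the member files of the wheel after unzipping, not at the `.whl` itself: a wheel is a zip archive, and ClamAV matched the strings inside a decompressed member, so a raw substring search over the compressed archive would report nothing. The per-subsig hit map is the useful output: if a file hits only four of the five strings, the logical signature cannot fire, and if it hits all five you know exactly which strings to cite when reporting the false positive.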