Hi, Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.
And the signature is:
% sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
VIRUS NAME: Win.Dropper.Tinba-9943147-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
!Win32 .EXE.
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS1
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS2
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
G(XPTPjxW
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.)D$H+
You didn't mention the name of your program or where it can be found, so I'm
unable to check further, but perhaps the above will allow you to track down
what component of the program is being detected.
I suspect someone from the ClamAV Signature Team will spot this shortly, but it
is the start of a weekend, so may take a couple of days.
-Al-
> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users
> <clamav-users@lists.clamav.net> wrote:
>
> Hi Everyone
>
> My program has recently started to be flagged with
> Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
Powered by Mailbutler
<https://www.mailbutler.io/?utm_source=watermark&utm_medium=email&utm_campaign=watermark-variant-primary>
- still your inbox, but smarter.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
