My capabilities for examining Windows files are extremely limited, given that I'm an AppleMac user, exclusively.
Running clamscan --debug against the file I see the following near the end:

> LibClamAV debug: FP SIGNATURE: 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 701571d9181d39302909ef36ce487d17:4929264:Win.Dropper.Tinba-9943147-0 # Name: AnyCase App Installer v10.93.exe, Type: CL_TYPE_MSEXE
> /Users/<redacted>/Downloads/2022-07-04/AnyCase App Installer v10.93.exe: Win.Dropper.Tinba-9943147-0 FOUND
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: bytecode: extracting new file with id 4294967295
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: cli_scanembpe: Infected with Win.Dropper.Tinba-9943147-0
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Freeing phishcheck struct
> LibClamAV debug: Phishcheck cleaned up
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12318966
> Engine version: 0.104.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 13.42 MB
> Data read: 4.70 MB (ratio 2.86:1)
> Time: 39.290 sec (0 m 39 s)
> Start Date: 2022:07:09 08:16:55
> End Date: 2022:07:09 08:17:34

I'm not an expert on this either, but it would appear that there is a valid False Positive entry in the database for four different files, including yours as the last. I can confirm that the md5 hash matches the installer downloaded from your site:

> sigtool --md5 /Users/<redacted>/Downloads/2022-07-04/AnyCase\ App\ Installer\ v10.93.exe
> 701571d9181d39302909ef36ce487d17:4929264:AnyCase App Installer v10.93.exe

So why it's being detected remains a mystery!

-Al-

> On Jul 9, 2022, at 3:21 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> that correlates exactly to where it started happening 👍
>
> It's a pretty cool case converter called AnyCase
> https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1
>
> "... but perhaps the above will allow you to track down what component of the program is being detected."
>
> I thought about doing that, but I don't know where to start,
> it would be great to understand what is happening, and why
>
> Where should I start?
>
> On Sat, Jul 9, 2022 at 12:59 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hi,
>
> Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.
>
> And the signature is:
>
> % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
> VIRUS NAME: Win.Dropper.Tinba-9943147-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> !Win32 .EXE.
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> .MPRESS1
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> .MPRESS2
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> G(XPTPjxW
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> .)D$H+
>
> You didn't mention the name of your program or where it can be found, so I'm unable to check further, but perhaps the above will allow you to track down what component of the program is being detected.
>
> I suspect someone from the ClamAV Signature Team will spot this shortly, but it is the start of a weekend, so may take a couple of days.
>
> -Al-
>
>> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
>>
>> Hi Everyone
>>
>> My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>>
>> File hash
>> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
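As a starting point for the "where should I start?" question, the following is an added example written for this page; it is not code from the thread, from ClamAV or from the AnyCase author. It takes the five decoded subsignatures of Win.Dropper.Tinba-9943147-0 quoted above, searches a PE file for each one and maps every hit onto the file's section table, so you can see whether a subsignature lands in the DOS stub, the section headers (where an MPRESS-packed file carries its `.MPRESS1`/`.MPRESS2` section names) or the program's own packed code, and it then evaluates the logical expression `0&1&2&3&4` over the hits. Assumptions: the decoded strings are treated as literal bytes (the authoritative pattern is the hex form `sigtool -f` prints; wildcards in that form are not represented here), the logical-expression evaluator handles only `&`, `|` and parentheses with `&` binding tighter, and the sample PE the script builds when run without an argument is a constructed stand-in, not the installer discussed in the thread.

```python
"""Locate ClamAV logical-signature subsig hits inside a PE file.

Added example for this thread, not ClamAV code.  Usage:
    python3 subsig_locate.py "AnyCase App Installer v10.93.exe"
Without an argument it runs against a constructed sample PE.
"""
import re
import struct
import sys

# Decoded subsignatures as printed by `sigtool --decode-sigs` in the thread.
# Assumption: each character is a literal byte (the decoded form cannot
# show wildcards; use the hex from `sigtool -f` for the real pattern).
SUBSIGS = {
    0: b"!Win32 .EXE.",
    1: b".MPRESS1",
    2: b".MPRESS2",
    3: b"G(XPTPjxW",
    4: b".)D$H+",
}
LOGICAL_EXPRESSION = "0&1&2&3&4"  # from the thread: every subsig must hit


def pe_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def locate(offset, sections):
    """Name the section holding a file offset, or say it is outside all sections."""
    for name, ptr, size in sections:
        if ptr <= offset < ptr + size:
            return name
    first = min((ptr for _, ptr, _ in sections), default=0)
    return "<headers>" if offset < first else "<overlay/slack>"


def match_subsigs(data, subsigs=SUBSIGS):
    """Map subsig id -> [(file offset, section name)] for every literal hit."""
    sections = pe_sections(data)
    return {sid: [(m.start(), locate(m.start(), sections))
                  for m in re.finditer(re.escape(pat), data)]
            for sid, pat in subsigs.items()}


def eval_logical(expr, hits):
    """Evaluate a ClamAV logical expression over the hit table.
    Assumption: only &, | and ( ) are used and & binds tighter than |;
    ClamAV's =, <, > match-count operators are rejected."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported operator in {expr!r}")
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = disjunction()
            pos += 1                      # consume the closing parenthesis
            return value
        return bool(hits.get(int(tok)))   # a subsig is true iff it hit at least once

    def conjunction():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value      # atom() always runs, so tokens advance
        return value

    def disjunction():
        nonlocal pos
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = conjunction() or value
        return value

    return disjunction()


def build_sample():
    """Constructed stand-in for an MPRESS-packed PE (not the real installer):
    the stub text in the DOS area, two sections named .MPRESS1/.MPRESS2, and
    the two code-like fragments placed inside the first section."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x40:0x4C] = b"!Win32 .EXE."                        # subsig 0 in the DOS stub
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header, PE32 opt hdr size
    table = 0x80 + 24 + 0xE0                                # optional header left zeroed
    for i, (name, size, ptr) in enumerate([(b".MPRESS1", 0x200, 0x200), (b".MPRESS2", 0x100, 0x400)]):
        struct.pack_into("<8sIIIIIIHHI", hdr, table + 40 * i,
                         name, size, 0x1000 * (i + 1), size, ptr, 0, 0, 0, 0, 0x60000020)
    sec1 = bytearray(0x200)
    sec1[0x10:0x19] = b"G(XPTPjxW"                          # subsig 3 inside .MPRESS1
    sec1[0x40:0x46] = b".)D$H+"                             # subsig 4 inside .MPRESS1
    return bytes(hdr + sec1 + bytes(0x100))


def report(data):
    hits = match_subsigs(data)
    lines = [f"subsig {sid} {SUBSIGS[sid]!r}: "
             + (", ".join(f"0x{off:x} ({sec})" for off, sec in hits[sid]) or "no match")
             for sid in sorted(hits)]
    lines.append(f"{LOGICAL_EXPRESSION} satisfied: {eval_logical(LOGICAL_EXPRESSION, hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(report(blob))
```

Read the output by section: hits for subsigs 0, 1 and 2 that sit in the DOS stub and section table are generic to anything packed with MPRESS, so the two fragments to chase are whichever hits land inside the packed sections; rebuilding the installer without the packer, or with a different one, and rerunning the script shows which subsigs disappear.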