Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
On 29.12.2016 at 07:30, demonhunter wrote:
> Samples can be easily generated by creating a blank Word or Excel document,
> creating an empty macro module with a single empty subroutine, and saving
> the Word/Excel file as a .docm or .xlsm file. Scanning one of these brand
> new files against a saved copy of the signature shows that it matches
> (implying that all or nearly all modern Office 2007+ files containing VBA
> macros would have matched this rule):

Yeah, but only the docm/xlsm, and frankly on a sane inbound mailserver you
reject them unconditionally. I have even seen servers in the wild rejecting
xls/doc and using xlsx/docx because they *could* contain macros, to keep all
the crypto malware out of the house.

Signatures were and will always be too late for the most recent malware, and
hence in 2016 macros and executables don't belong in emails at all.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Samples can be easily generated by creating a blank Word or Excel document,
creating an empty macro module with a single empty subroutine, and saving the
Word/Excel file as a .docm or .xlsm file. Scanning one of these brand new
files against a saved copy of the signature shows that it matches (implying
that all or nearly all modern Office 2007+ files containing VBA macros would
have matched this rule):

$ cat signature.cdb
Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:

$ clamscan -d signature.cdb example.docm
example.docm: Win.Trojan.Toa-5368540-0.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.02 MB (ratio 0.00:1)
Time: 0.013 sec (0 m 0 s)

A .docm and .xlsm file have been submitted to the "Report False Positive"
page. Hopefully the ClamAV QA system can use these files to prevent bad rules
like this from being published in the future.

DH

----- Original Message -----
From: "Kris Deugau" <kdeu...@vianet.ca>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Sent: Wednesday, December 28, 2016 1:34:16 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
[...]

To rephrase demonhunter, the signature is on the filename component, not the
content of the file; it's a generic name for the container for macro(s) in a
current-generation Office document, which happen to be lightly rebranded .zip
files.

I've had a report as well; I don't yet have an example file though.

-kgd

[...]
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
>> macros typically contain an OLE2 file named vbaProject.bin. This signature
>> appears as though it would match all standard Open XML files that contain
>> macros. Examples of false positives should not be necessary to remove this
>> signature:
>
> Yes, but as mentioned here several times, the vbaProject.bin file can be
> added to the QA test environment so that future FP's concerning it will no
> longer be distributed, but only when we submit the file.

To rephrase demonhunter, the signature is on the filename component, not the
content of the file; it's a generic name for the container for macro(s) in a
current-generation Office document, which happen to be lightly rebranded .zip
files.

I've had a report as well; I don't yet have an example file though.

-kgd

> -Al-
>
[...]
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Sure, sending right now!!!

----- Original Message -----
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "clamav-users" <clamav-users@lists.clamav.net>
Sent: Tuesday, December 27, 2016 18:25:14
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato <adnan.cas...@stwbrasil.com> wrote:
[...]
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
> macros typically contain an OLE2 file named vbaProject.bin. This signature
> appears as though it would match all standard Open XML files that contain
> macros. Examples of false positives should not be necessary to remove this
> signature:

Yes, but as mentioned here several times, the vbaProject.bin file can be
added to the QA test environment so that future FP's concerning it will no
longer be distributed, but only when we submit the file.

-Al-

> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
> [daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
[...]
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
macros typically contain an OLE2 file named vbaProject.bin. This signature
appears as though it would match all standard Open XML files that contain
macros. Examples of false positives should not be necessary to remove this
signature:

$ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
[daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:

$ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | sigtool --decode-sig
VIRUS NAME: Win.Trojan.Toa-5368540-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: vbaProject\.bin$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY

DH

----- Original Message -----
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "ClamAV users ML" <clamav-users@lists.clamav.net>
Sent: Tuesday, December 27, 2016 3:25:14 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato <adnan.cas...@stwbrasil.com> wrote:
[...]
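The decoded signature above tests nothing but the ZIP entry name, which is why every macro-enabled Office file trips it. What follows is an added example, not code from this thread or from ClamAV: a simplified Python re-implementation of how a .cdb container-metadata rule is evaluated against a ZIP, run over two constructed stand-ins for a .docx and a .docm (their vbaProject.bin contents are arbitrary bytes behind an OLE2 magic header, not a real VBA project). It also shows the same rule with the uncompressed-size and CRC32 fields filled in, so that it fires only on one specific vbaProject.bin rather than on every macro container. The hex encoding of the CRC field and the treatment of FilePos as a 0-based entry index are assumptions to check against the ClamAV signature manual before using such a rule for real.

```python
import io
import re
import zipfile
import zlib
from dataclasses import dataclass
from typing import List, Optional

# The broad rule from daily.cdb as quoted in the thread.
SIGNATURE = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

# Colon-separated field layout of a .cdb line (the trailing reserved field is
# empty in the rule above).
CDB_FIELDS = (
    "name", "container_type", "container_size", "filename_regex",
    "compressed_size", "uncompressed_size", "encrypted", "file_position",
    "crc32", "reserved",
)


@dataclass
class CdbSignature:
    name: str
    container_type: str
    container_size: Optional[int]      # None means "*" (ANY)
    filename_regex: re.Pattern
    compressed_size: Optional[int]
    uncompressed_size: Optional[int]
    encrypted: Optional[bool]          # None means IGNORED
    file_position: Optional[int]
    crc32: Optional[int]


def _any_or_int(field: str, base: int = 10) -> Optional[int]:
    return None if field == "*" else int(field, base)


def parse_cdb(line: str) -> CdbSignature:
    """Split a .cdb line into its typed fields (the equivalent of sigtool --decode-sig)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("cdb line needs at least %d fields" % len(CDB_FIELDS))
    f = dict(zip(CDB_FIELDS, parts))
    return CdbSignature(
        name=f["name"],
        container_type=f["container_type"],
        container_size=_any_or_int(f["container_size"]),
        filename_regex=re.compile(f["filename_regex"]),
        compressed_size=_any_or_int(f["compressed_size"]),
        uncompressed_size=_any_or_int(f["uncompressed_size"]),
        encrypted=None if f["encrypted"] == "*" else bool(int(f["encrypted"])),
        file_position=_any_or_int(f["file_position"]),
        crc32=_any_or_int(f["crc32"], 16),   # assumption: CRC is written in hex
    )


def match_zip(sig: CdbSignature, data: bytes) -> List[str]:
    """Names of ZIP entries in `data` that satisfy every field of `sig`."""
    if sig.container_type != "CL_TYPE_ZIP" or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if sig.container_size is not None and len(data) != sig.container_size:
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pos, info in enumerate(zf.infolist()):   # assumption: FilePos is 0-based
            if not sig.filename_regex.search(info.filename):
                continue
            if sig.compressed_size is not None and info.compress_size != sig.compressed_size:
                continue
            if sig.uncompressed_size is not None and info.file_size != sig.uncompressed_size:
                continue
            if sig.encrypted is not None and bool(info.flag_bits & 0x1) != sig.encrypted:
                continue
            if sig.file_position is not None and pos != sig.file_position:
                continue
            if sig.crc32 is not None and info.CRC != sig.crc32:
                continue
            hits.append(info.filename)
    return hits


def tightened_signature(name: str, blob: bytes) -> str:
    """Same rule, but pinned to one vbaProject.bin by uncompressed size and CRC32."""
    return "%s:CL_TYPE_ZIP:*:vbaProject\\.bin$:*:%d:*:*:%08x:" % (name, len(blob), zlib.crc32(blob))


def build_ooxml(macro_blob: Optional[bytes]) -> bytes:
    """Constructed stand-in for a .docx (no blob) or .docm (blob stored as word/vbaProject.bin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if macro_blob is not None:
            zf.writestr("word/vbaProject.bin", macro_blob)
    return buf.getvalue()


def demo() -> dict:
    ole2_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 header; the rest is filler
    macro_a = ole2_magic + b"\x00" * 504               # "harmless" macro container (constructed)
    macro_b = ole2_magic + b"\xff" * 504               # the one we actually want to catch (constructed)
    docx, docm_a, docm_b = build_ooxml(None), build_ooxml(macro_a), build_ooxml(macro_b)
    broad = parse_cdb(SIGNATURE)
    narrow = parse_cdb(tightened_signature("Win.Trojan.Toa-5368540-0", macro_b))
    return {
        "broad_docx": match_zip(broad, docx),        # no vbaProject.bin: clean
        "broad_docm_a": match_zip(broad, docm_a),    # any macro file fires the broad rule
        "broad_docm_b": match_zip(broad, docm_b),
        "narrow_docm_a": match_zip(narrow, docm_a),  # pinned rule ignores the other macro file
        "narrow_docm_b": match_zip(narrow, docm_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, v or "clean"))
```

Run it and the broad rule flags both constructed .docm files while the pinned rule flags only the one whose vbaProject.bin it was built from; the metadata fields of a .cdb rule are the only thing standing between "this specific macro project" and "every Office document with macros", and the quoted rule left all of them at `*`.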
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
#All# macros inside xlsm files are being blocked due to the sig blocking
Vbaproject.bin inside.

Cheers,

Steve
Twitter: @sanesecurity

On 27 December 2016 20:08:37, Adnan de Castro Donato wrote:
[...]
Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>
> In keeping with one false positive report, I have 8 CentOS servers
> reporting the below after the Signatures Published daily - 22782 update:
>
> All attachments with extension *.xlsm have the same issue:
>
> Our content checker found
>     virus: Win.Trojan.Toa-5368540-0
>
> Believe this is a false positive. Would like confirmation and an update if
> possible.
>
> Thanks.