Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-29 Thread Reindl Harald


On 29.12.2016 at 07:30, demonhunter wrote:

Samples can be easily generated by creating a blank Word or Excel document, 
creating an empty macro module with a single empty subroutine, and saving the 
Word/Excel file as a .docm or .xlsm file. Scanning one of these brand new files 
against a saved copy of the signature shows that it matches (implying that all 
or nearly all modern Office 2007+ files containing VBA macros would have 
matched this rule):


yeah, but only the docm/xlsm, and frankly on a sane inbound mailserver 
you reject them unconditionally - I have even seen servers in the wild 
rejecting xls/doc in favour of xlsx/docx because they *could* contain macros, 
to keep all the crypto malware out of the house


signatures were and always will be too late for the latest malware, 
and hence in 2016 macros and executables don't belong in emails at all

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-28 Thread demonhunter
Samples can be easily generated by creating a blank Word or Excel document, 
creating an empty macro module with a single empty subroutine, and saving the 
Word/Excel file as a .docm or .xlsm file. Scanning one of these brand new files 
against a saved copy of the signature shows that it matches (implying that all 
or nearly all modern Office 2007+ files containing VBA macros would have 
matched this rule):

$ cat signature.cdb 
Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:

$ clamscan -d signature.cdb example.docm 
example.docm: Win.Trojan.Toa-5368540-0.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.02 MB (ratio 0.00:1)
Time: 0.013 sec (0 m 0 s)


A .docm and .xlsm file have been submitted to the "Report False Positive" page. 
Hopefully the ClamAV QA system can use these files to prevent bad rules like 
this from being published in the future.

DH


- Original Message -
From: "Kris Deugau" <kdeu...@vianet.ca>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Sent: Wednesday, December 28, 2016 1:34:16 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
>> macros typically contain an OLE2 file named vbaProject.bin. This signature 
>> appears as though it would match all standard Open XML files that contain 
>> macros. Examples of false positives should not be necessary to remove this 
>> signature:
> 
> Yes, but as mentioned here several times, the vbaProject.bin file can be 
> added to the QA test environment so that future FP's concerning it will no 
> longer be distributed, but only when we submit the file.

To rephrase demonhunter, the signature is on the filename component, not
the content of the file;  it's a generic name for the container for
macro(s) in a current-generation Office document, which happen to be
lightly rebranded .zip files.

I've had a report as well;  I don't yet have an example file though.

-kgd



> 
> -Al-
> 
>> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
>> [daily.cdb] 
>> Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>>
>> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" 
>> | sigtool --decode-sig
>> VIRUS NAME: Win.Trojan.Toa-5368540-0
>> CONTAINER TYPE: CL_TYPE_ZIP
>> CONTAINER SIZE: ANY
>> FILENAME REGEX: vbaProject\.bin$
>> COMPRESSED FILESIZE: ANY
>> UNCOMPRESSED FILESIZE: ANY
>> ENCRYPTION: IGNORED
>> FILE POSITION: ANY
>> CRC SUM: ANY
>>
>>
>> DH
>>
>>
>> ----- Original Message -----
>> From: "Joel Esler (jesler)" 
>> To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "ClamAV users ML" 
>> <clamav-users@lists.clamav.net>
>> Sent: Tuesday, December 27, 2016 3:25:14 PM
>> Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
>>
>> Are you able to submit the files via the website?
>>
>>
>> Sent from my Apple Watch
>>
>> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>>> In keeping with one false positive report,
>>> I have 8 CentOS servers reporting the below after the Signatures Published daily - 
>>> 22782 update:
>>>
>>> All attachments with the extension *.xlsm have the same issue:
>>>
>>> Our content checker found
>>>   virus: Win.Trojan.Toa-5368540-0
>>>
>>> Believe this is a false positive. Would like confirmation and an update if 
>>> possible.
>>>
>>> Thanks.
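As an added example (not code from the thread or from ClamAV itself), the following Python script parses the .cdb line shown in the thread into the fields `sigtool --decode-sig` prints and applies its FILENAME REGEX to in-memory zip containers built with the member layout of a .docm, a .docx and an .xlsm. The member lists are constructed rather than real Office documents, and the container-type check and verdict strings only mimic clamscan; the point it shows is that the match is decided by the member name alone, which is why an empty macro module is enough to trigger it.

```python
import io
import re
import zipfile

# Field names in the order `sigtool --decode-sig` prints them for a .cdb line;
# the line's trailing empty field is not printed by sigtool and is dropped here.
CDB_FIELDS = ("virus_name", "container_type", "container_size",
              "filename_regex", "compressed_size", "uncompressed_size",
              "encryption", "file_position", "crc_sum")

# The signature quoted in the thread, copied verbatim from the daily.cdb output.
SIGNATURE = r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:"

def parse_cdb(line):
    """Split a .cdb signature line into named fields ('*' means ANY)."""
    parts = line.strip().split(":")
    if parts[-1] == "":
        parts.pop()
    if len(parts) != len(CDB_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CDB_FIELDS), len(parts)))
    return dict(zip(CDB_FIELDS, parts))

def matching_members(sig, zip_bytes):
    """Return the zip member names hit by the signature's FILENAME REGEX.
    Only the name is tested, never the member's bytes, which is why an empty
    macro module is enough to trigger the detection."""
    if sig["container_type"] != "CL_TYPE_ZIP":
        return []
    regex = re.compile(sig["filename_regex"])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if regex.search(name)]

def build_container(members):
    """Constructed sample: a zip with the given member names and dummy bytes
    (the member layout of an OOXML file, not a real Office document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

# Constructed member layouts of a macro-enabled .docm, a plain .docx and an .xlsm.
DOCM = ["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]
DOCX = ["[Content_Types].xml", "word/document.xml"]
XLSM = ["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"]

def scan(sig_line, members):
    """Mimic clamscan's verdict for one constructed container."""
    sig = parse_cdb(sig_line)
    hits = matching_members(sig, build_container(members))
    return "%s FOUND" % sig["virus_name"] if hits else "OK"
```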


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-28 Thread Kris Deugau
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
>> macros typically contain an OLE2 file named vbaProject.bin. This signature 
>> appears as though it would match all standard Open XML files that contain 
>> macros. Examples of false positives should not be necessary to remove this 
>> signature:
> 
> Yes, but as mentioned here several times, the vbaProject.bin file can be 
> added to the QA test environment so that future FP's concerning it will no 
> longer be distributed, but only when we submit the file.

To rephrase demonhunter, the signature is on the filename component, not
the content of the file;  it's a generic name for the container for
macro(s) in a current-generation Office document, which happen to be
lightly rebranded .zip files.

I've had a report as well;  I don't yet have an example file though.

-kgd



> 
> -Al-
> 
>> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
>> [daily.cdb] 
>> Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>>
>> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" 
>> | sigtool --decode-sig
>> VIRUS NAME: Win.Trojan.Toa-5368540-0
>> CONTAINER TYPE: CL_TYPE_ZIP
>> CONTAINER SIZE: ANY
>> FILENAME REGEX: vbaProject\.bin$
>> COMPRESSED FILESIZE: ANY
>> UNCOMPRESSED FILESIZE: ANY
>> ENCRYPTION: IGNORED
>> FILE POSITION: ANY
>> CRC SUM: ANY
>>
>>
>> DH
>>
>>
>> - Original Message -
>> From: "Joel Esler (jesler)" 
>> To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "ClamAV users ML" 
>> <clamav-users@lists.clamav.net>
>> Sent: Tuesday, December 27, 2016 3:25:14 PM
>> Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
>>
>> Are you able to submit the files via the website?
>>
>>
>> Sent from my Apple Watch
>>
>> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>>> In keeping with one false positive report,
>>> I have 8 CentOS servers reporting the below after the Signatures Published daily - 
>>> 22782 update:
>>>
>>> All attachments with the extension *.xlsm have the same issue:
>>>
>>> Our content checker found
>>>   virus: Win.Trojan.Toa-5368540-0
>>>
>>> Believe this is a false positive. Would like confirmation and an update if 
>>> possible.
>>>
>>> Thanks.


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Adnan de Castro Donato
sure, sending right now !!!



- Original Message -
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "clamav-users" 
<clamav-users@lists.clamav.net>
Sent: Tuesday, 27 December 2016 18:25:14
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato 
<adnan.cas...@stwbrasil.com> wrote:

> 
> In keeping with one false positive report,
> I have 8 CentOS servers reporting the below after the Signatures Published daily - 22782 
> update:
> 
> All attachments with the extension *.xlsm have the same issue:
> 
> Our content checker found
>virus: Win.Trojan.Toa-5368540-0
> 
> 
> Believe this is a false positive. Would like confirmation and an update if 
> possible.
> 
> Thanks.
> 

Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Al Varnell
On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
> Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
> macros typically contain an OLE2 file named vbaProject.bin. This signature 
> appears as though it would match all standard Open XML files that contain 
> macros. Examples of false positives should not be necessary to remove this 
> signature:

Yes, but as mentioned here several times, the vbaProject.bin file can be added 
to the QA test environment so that future FP's concerning it will no longer be 
distributed, but only when we submit the file.

-Al-

> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
> [daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
> 
> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | 
> sigtool --decode-sig
> VIRUS NAME: Win.Trojan.Toa-5368540-0
> CONTAINER TYPE: CL_TYPE_ZIP
> CONTAINER SIZE: ANY
> FILENAME REGEX: vbaProject\.bin$
> COMPRESSED FILESIZE: ANY
> UNCOMPRESSED FILESIZE: ANY
> ENCRYPTION: IGNORED
> FILE POSITION: ANY
> CRC SUM: ANY
> 
> 
> DH
> 
> 
> - Original Message -
> From: "Joel Esler (jesler)" 
> To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "ClamAV users ML" 
> <clamav-users@lists.clamav.net>
> Sent: Tuesday, December 27, 2016 3:25:14 PM
> Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0
> 
> Are you able to submit the files via the website?
> 
> 
> Sent from my Apple Watch
> 
> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>> In keeping with one false positive report,
>> I have 8 CentOS servers reporting the below after the Signatures Published daily - 
>> 22782 update:
>> 
>> All attachments with the extension *.xlsm have the same issue:
>> 
>> Our content checker found
>>   virus: Win.Trojan.Toa-5368540-0
>> 
>> Believe this is a false positive. Would like confirmation and an update if 
>> possible.
>> 
>> Thanks.


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread demonhunter
Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
macros typically contain an OLE2 file named vbaProject.bin. This signature 
appears as though it would match all standard Open XML files that contain 
macros. Examples of false positives should not be necessary to remove this 
signature:

$ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
[daily.cdb] Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:

$ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" | 
sigtool --decode-sig
VIRUS NAME: Win.Trojan.Toa-5368540-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: vbaProject\.bin$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: ANY
CRC SUM: ANY


DH


- Original Message -
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: "Adnan de Castro Donato" <adnan.cas...@stwbrasil.com>, "ClamAV users ML" 
<clamav-users@lists.clamav.net>
Sent: Tuesday, December 27, 2016 3:25:14 PM
Subject: Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato 
<adnan.cas...@stwbrasil.com> wrote:

> 
> In keeping with one false positive report,
> I have 8 CentOS servers reporting the below after the Signatures Published daily - 22782 
> update:
> 
> All attachments with the extension *.xlsm have the same issue:
> 
> Our content checker found
>virus: Win.Trojan.Toa-5368540-0
> 
> 
> Believe this is a false positive. Would like confirmation and an update if 
> possible.
> 
> Thanks.
> 


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Steve basford
#All# macros inside xlsm files are being blocked due to the sig blocking 
vbaProject.bin inside.


Cheers,

Steve
Twitter: @sanesecurity



On 27 December 2016 20:08:37 Adnan de Castro Donato wrote:




In keeping with one false positive report,
I have 8 CentOS servers reporting the below after the Signatures Published daily - 
22782 update:


All attachments with the extension *.xlsm have the same issue:

Our content checker found
virus: Win.Trojan.Toa-5368540-0


Believe this is a false positive. Would like confirmation and an update if 
possible.


Thanks.



Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Joel Esler (jesler)
Are you able to submit the files via the website?

--
Sent from my Apple Watch

On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:

> 
> In keeping with one false positive report,
> I have 8 CentOS servers reporting the below after the Signatures Published daily - 22782 
> update:
> 
> All attachments with the extension *.xlsm have the same issue:
> 
> Our content checker found
>virus: Win.Trojan.Toa-5368540-0
> 
> 
> Believe this is a false positive. Would like confirmation and an update if 
> possible.
> 
> Thanks.
> 