[clamav-users] Source for virus definitions?
Orion Poplawski
2018-01-30 16:50:37 UTC
How can I determine what exactly is triggering a match?

$ clamscan IguanaTex_v1_55.ppam
IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND

I'd like to know what exactly was matched, but I'm not able to find
where the source for the virus definitions is.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane ***@nwra.com
Boulder, CO 80301 https://www.nwra.com/
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2018-01-31 00:17:44 UTC
It's an MD5 hash/file size match:

sigtool -fDoc.Dropper.Agent-6384732-0
[daily.hsb] cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73

-Al-
ClamXAV User
Post by Orion Poplawski
How can I determine what exactly is triggering a match?
$ clamscan IguanaTex_v1_55.ppam
IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
I'd like to know what exactly was matched, but I'm not able to find
where the source for the virus definitions is.
Orion Poplawski
2018-02-01 23:45:21 UTC
Thanks for that. Took me a bit to realize I had to unpack the .ppam file to
find the match.

I'm still curious to know why that file got marked as bad. If there is a
specific cause for concern - or just that it is a 'suspicious' set of macros
as olevba shows:

| Suspicious | Kill  | May delete a file
| Suspicious | Chr   | May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
| Suspicious | Open  | May open a file
| Suspicious | shell | May run an executable file or a system command
....
Post by Al Varnell
sigtool -fDoc.Dropper.Agent-6384732-0
[daily.hsb] cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73
-Al-
ClamXAV User
Post by Orion Poplawski
How can I determine what exactly is triggering a match?
$ clamscan IguanaTex_v1_55.ppam
IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
I'd like to know what exactly was matched, but I'm not able to find
where the source for the virus definitions is.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane ***@nwra.com
Boulder, CO 80301 https://www.nwra.com/
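The two points made in this thread, that a daily.hsb entry is an md5:filesize:name:level record and that the match was on a member inside the unpacked .ppam container rather than the container itself, can be reproduced locally. The script below is an added example, not ClamAV's or the poster's code; it parses the signature line quoted above, then unpacks a constructed stand-in .ppam (a zip) and reports which member's MD5 and size agree with a signature. The sample archive, its macro content and the signature built from it are constructed here, since the real IguanaTex file is not on the page.

```python
import hashlib
import io
import zipfile


def parse_hsb_line(line):
    """Parse one .hsb entry in the form md5:filesize:signature_name:functionality_level."""
    md5, size, name, level = line.strip().split(":")
    return {"md5": md5.lower(), "size": int(size), "name": name, "level": int(level)}


def hash_matches(sig, data):
    """An .hsb signature fires only when both the byte length and the MD5 agree."""
    return len(data) == sig["size"] and hashlib.md5(data).hexdigest() == sig["md5"]


def find_matching_members(sig, archive_bytes):
    """A .ppam is a zip container; the scanner unpacks it and hashes each member.
    Return the names of members (or '<container>') matching the signature."""
    hits = []
    if hash_matches(sig, archive_bytes):
        hits.append("<container>")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and hash_matches(sig, zf.read(info)):
                hits.append(info.filename)
    return hits


def build_sample_ppam():
    """Constructed stand-in for an add-in container; the macro bytes are invented."""
    macro = b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\nEnd Sub\r\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("ppt/vbaProject.bin", macro)
    return buf.getvalue(), macro


def sample_signature():
    """Constructed signature whose hash/size are those of the sample macro member."""
    archive, macro = build_sample_ppam()
    line = f"{hashlib.md5(macro).hexdigest()}:{len(macro)}:Doc.Dropper.Agent-6384732-0:73"
    return archive, parse_hsb_line(line)


if __name__ == "__main__":
    archive, sig = sample_signature()
    print(find_matching_members(sig, archive))  # ['ppt/vbaProject.bin']
```

Pointing the same logic at the real file with the signature line from `sigtool -f` shows which unpacked member carries the matching hash; it does not say why the hash was added, which is the poster's remaining question.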