Discussion:
[clamav-users] Same file, different signatures detected
Albrecht, Peter
2018-08-07 07:20:25 UTC
Permalink
Hi,

We have whitelisted certain signatures for files which are only detected by
ClamAV to be potentially malicious. And now we face the problem that the
same files are reported again, but with a different signature. I already had
this behaviour when I tested with the EICAR test virus.

The signatures in question are now:

Html.Malware.Agent-6625344-0 (whitelisted already)
Html.Malware.Agent-6625164-0 (new signature for the same files)

After whitelisting the latter one, ClamAV comes again with a new signature:

Html.Malware.Agent-6625283-0

It looks like there are multiple signatures defined for the same file. What
would you need from me to investigate further?

We are using ClamAV 0.99.4 on Linux. The virus signatures are updated
directly before running clamscan.

Regards,

Peter

Peter Albrecht
Senior Linux Administrator 

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com
________________________________________________________________________________________________________

Amtsgericht München HRB Nummer 238 150

Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder
Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever. 
Thank you for your cooperation.

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2018-08-07 08:30:08 UTC
Permalink
I don't see how that is even remotely possibly. They are three completely different hash signatures:

[daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73

You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?

-Al-

On Tue, Aug 07, 2018 at 12:20 AM, Albrecht, Peter wrote:
> Hi,
>
> We have whitelisted certain signatures for files which are only detected by
> ClamAV to be potentially malicious. And now we face the problem that the
> same files are reported again, but with a different signature. I already had
> this behaviour when I tested with the EICAR test virus.
>
> The signatures in question are now:
>
> Html.Malware.Agent-6625344-0 (whitelisted already)
> Html.Malware.Agent-6625164-0 (new signature for the same files)
>
> After whitelisting the latter one, ClamAV comes again with a new signature:
>
> Html.Malware.Agent-6625283-0
>
> It looks like there are multiple signatures defined for the same file. What
> would you need from me to investigate further?
>
> We are using ClamAV 0.99.4 on Linux. The virus signatures are updated
> directly before running clamscan.
>
> Regards,
>
> Peter
>
> Peter Albrecht
Albrecht, Peter
2018-08-07 08:54:06 UTC
Permalink
Hi,

> I don't see how that is even remotely possibly. They are three completely different hash signatures:
>
>[daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>[daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>[daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>
>You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?

I have submitted two files which have been reported. Their MD5 sums are:

88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar

Strangely, they are reported with the same signature. And after whitelisting the first
one, the second one is reported. And then the third ...

This started about 10 days ago, nothing has been reported before that.

Thanks,

Peter Albrecht
Senior Linux Administrator 

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com
________________________________________________________________________________________________________

Amtsgericht München HRB Nummer 238 150

Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder
Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever. 
Thank you for your cooperation.

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Maarten Broekman
2018-08-07 11:00:25 UTC
Permalink
JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes.

Maarten
Sent from a tiny keyboard

> On Aug 7, 2018, at 04:54, Albrecht, Peter <***@wirecard.com> wrote:
>
> Hi,
>
>> I don't see how that is even remotely possibly. They are three completely different hash signatures:
>>
>> [daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>> [daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>> [daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>>
>> You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?
>
> I have submitted two files which have been reported. Their MD5 sums are:
>
> 88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
> 9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar
>
> Strangely, they are reported with the same signature. And after whitelisting the first
> one, the second one is reported. And then the third ...
>
> This started about 10 days ago, nothing has been reported before that.
>
> Thanks,
>
> Peter Albrecht
> Senior Linux Administrator
>
> Wirecard Service Technologies GmbH
> Einsteinring 35 | 85609 Aschheim | Germany
> Tel: +49 (0) 89 4424-191076
> https://www.wirecard.com
> ________________________________________________________________________________________________________
>
> Amtsgericht München HRB Nummer 238 150
>
> Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou
>
> VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
> bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
> auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder
> Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!
>
> CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
> not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
> use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever.
> Thank you for your cooperation.
>
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clama
Joel Esler (jesler)
2018-08-07 11:35:38 UTC
Permalink
Correct. Jar files are essentially zip files.

Sent from my iPhone

> On Aug 7, 2018, at 07:00, Maarten Broekman <***@gmail.com> wrote:
>
> JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes.
>
> Maarten
> Sent from a tiny keyboard
>
>> On Aug 7, 2018, at 04:54, Albrecht, Peter <***@wirecard.com> wrote:
>>
>> Hi,
>>
>>> I don't see how that is even remotely possibly. They are three completely different hash signatures:
>>>
>>> [daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
>>> [daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
>>> [daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73
>>>
>>> You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?
>>
>> I have submitted two files which have been reported. Their MD5 sums are:
>>
>> 88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
>> 9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar
>>
>> Strangely, they are reported with the same signature. And after whitelisting the first
>> one, the second one is reported. And then the third ...
>>
>> This started about 10 days ago, nothing has been reported before that.
>>
>> Thanks,
>>
>> Peter Albrecht
>> Senior Linux Administrator
>>
>> Wirecard Service Technologies GmbH
>> Einsteinring 35 | 85609 Aschheim | Germany
>> Tel: +49 (0) 89 4424-191076
>> https://www.wirecard.com
>> ________________________________________________________________________________________________________
>>
>> Amtsgericht München HRB Nummer 238 150
>>
>> Geschäftsführer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou
>>
>> VERTRAULICHE INFORMATIONEN! Diese E-Mail enthält vertrauliche Informationen und ist nur für den berechtigten Empfänger
>> bestimmt. Wenn diese E-Mail nicht für Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurückzusenden und anschließend
>> auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dürfen Sie weder nutzen, noch verarbeiten oder
>> Dritten zugänglich machen, gleich in welcher Form. Wir danken für Ihre Kooperation!
>>
>> CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
>> not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
>> use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever.
>> Thank you for your cooperation.
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-***@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.
Micah Snyder (micasnyd)
2018-08-07 15:23:37 UTC
Permalink
If you're concerned that they may be flagging with multiple signatures, you can also test using:

clamscan --allmatch

It will scan for as many signatures as possible instead of just returning the first one it finds.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 7, 2018, at 7:35 AM, Joel Esler (jesler) <***@cisco.com<mailto:***@cisco.com>> wrote:

Correct. Jar files are essentially zip files.

Sent from my iPhone

On Aug 7, 2018, at 07:00, Maarten Broekman <***@gmail.com<mailto:***@gmail.com>> wrote:

JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes.

Maarten
Sent from a tiny keyboard

On Aug 7, 2018, at 04:54, Albrecht, Peter <***@wirecard.com<mailto:***@wirecard.com>> wrote:

Hi,

I don't see how that is even remotely possibly. They are three completely different hash signatures:

[daily.hsb] 9027093eab2a193081a763001e947371:4292:Html.Malware.Agent-6625344-0:73
[daily.hsb] 5591165097d53565d4e5f4e9fda8241a:7367:Html.Malware.Agent-6625164-0:73
[daily.hsb] f4116176a108054001a0e29e2ea105e6:6996:Html.Malware.Agent-6625283-0:73

You should have already submitted this file to ClamAV as a false positive, so what was it's MD5 hash?

I have submitted two files which have been reported. Their MD5 sums are:

88cc3123fce88d61b7c2cdbfc33542c5 httpclient-4.3.3.jar
9221d898bfa2fa19fa9bc307351f34a1 storm-submit-tools-1.1.1.jar

Strangely, they are reported with the same signature. And after whitelisting the first
one, the second one is reported. And then the third ...

This started about 10 days ago, nothing has been reported before that.

Thanks,

Peter Albrecht
Senior Linux Administrator

Wirecard Service Technologies GmbH
Einsteinring 35 | 85609 Aschheim | Germany
Tel: +49 (0) 89 4424-191076
https://www.wirecard.com
________________________________________________________________________________________________________

Amtsgericht MÃŒnchen HRB Nummer 238 150

GeschÀftsfÌhrer: Thomas Neef, Susanne Steidl, Yiannakis Ioannou

VERTRAULICHE INFORMATIONEN! Diese E-Mail enthÀlt vertrauliche Informationen und ist nur fÌr den berechtigten EmpfÀnger
bestimmt. Wenn diese E-Mail nicht fÃŒr Sie bestimmt ist, bitten wir Sie, diese E-Mail an uns zurÃŒckzusenden und anschließend
auf Ihrem Computer und Mail-Server zu löschen. Solche E-Mails und Anlagen dÌrfen Sie weder nutzen, noch verarbeiten oder
Dritten zugÀnglich machen, gleich in welcher Form. Wir danken fÌr Ihre Kooperation!

CONFIDENTIAL! This email contains confidential information and is intended for the authorized recipient only. If you are
not an authorised recipient please return the email to us and then delete it from your computer and mail-server. You may neither
use nor edit any such emails including attachments, nor make them accessible to third parties in any manner whatsoever.
Thank you for your cooperation.

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net<mailto:clamav-***@lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net<mailto:clamav-***@lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Loading...