
Nonsensical noreplies from ClamAV team
Hi all,

even though I filter incoming messages with ClamAV, last Monday I received a mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to virustotal.com, who reported they were recognized as trojans. I saved the viral message and uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received the following message:

-------- Forwarded Message --------
Subject: ClamAV.net - Your malware submission
Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
From: noreply@clamav.com
To: vesely@tana.it



Alessandro Vesely,

Thank you again for your submission.

Your File:
purchase-ORD (SHA256: 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)


Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.

-The ClamAV team
-------- End Of Forwarded Message --------


"If you provided" looked like a future unreal conditional to me. It is certainly unreal, given the From:. Anyway, I replied something like the following text:

https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
10 security vendors flagged this file as malicious
40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
Notificaion-30714_20211115.xll

https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
11 security vendors flagged this file as malicious
8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
Document-055293_20211115.xll


However, on Wednesday it bounced, because ClamAV's mail server, tad.clamav.net, is persistently down. I thought that was a temporary hiccup and perhaps the ClamAV team wasn't even aware of it. So I saved the bounce, which contained the whole original message, and uploaded it to the same location, explaining that the attachment was a reply to their message, not a sample. Guess what I received on Thursday?


-------- Forwarded Message --------
Subject: ClamAV.net - Your malware submission
Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
From: noreply@clamav.com
To: vesely@tana.it



Alessandro Vesely,

Thank you again for your submission.

Your File:
reply-to-Clamav-Team (SHA256: e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)


Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further examine the sample & proceed from there.

-The ClamAV team
-------- End Of Forwarded Message --------


What's the purpose of such messages?


Meanwhile, tad.clamav.net is still down.

Best
Ale
--
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Nonsensical noreplies from ClamAV team [ In reply to ]
Hello Alessandro,

Given the SHA256 hashes in those replies, we've confirmed it was the
original e-mail and your subsequent reply that were submitted to us, not
the DLL files themselves. I'll take a look at both binaries and reply back
with the signature names.

Hope this helps!

On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi all,
>
> even though I filter incoming messages with ClamAV, last Monday I received
> a mail with two suspicious attachments. They were PE32+ executable (DLL)
> (GUI) x86-64, for MS Windows. I uploaded the samples to virustotal.com,
> who reported they were recognized as trojans. I saved the viral message
> and uploaded it to https://www.clamav.net/reports/malware. On Tuesday I
> received the following message:
>
> -------- Forwarded Message --------
> Subject: ClamAV.net - Your malware submission
> Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
> From: noreply@clamav.com
> To: vesely@tana.it
>
>
>
> Alessandro Vesely,
>
> Thank you again for your submission.
>
> Your File:
> purchase-ORD (SHA256:
> 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>
>
> Our initial assessment shows that this file is possibly clean. If you
> provided a description that suggests otherwise, we will further examine the
> sample & proceed from there.
>
> -The ClamAV team
> -------- End Of Forwarded Message --------
>
>
> "If you provided" looked like a future unreal conditional to me. It is
> certainly unreal, given the From:. Anyway, I replied something like the
> following text:
>
>
> https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
> 10 security vendors flagged this file as malicious
> 40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
> Notificaion-30714_20211115.xll
>
>
> https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
> 11 security vendors flagged this file as malicious
> 8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
> Document-055293_20211115.xll
>
>
> However, on Wednesday it bounced, because ClamAV's mail server,
> tad.clamav.net, is persistently down. I thought that was a temporary
> hiccup and perhaps the ClamAV team wasn't even aware of it. So I saved the
> bounce, which contained the whole original message, and uploaded it to the
> same location, explaining that the attachment was a reply to their message,
> not a sample. Guess what I received on Thursday?
>
>
> -------- Forwarded Message --------
> Subject: ClamAV.net - Your malware submission
> Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
> From: noreply@clamav.com
> To: vesely@tana.it
>
>
>
> Alessandro Vesely,
>
> Thank you again for your submission.
>
> Your File:
> reply-to-Clamav-Team (SHA256:
> e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
>
>
> Our initial assessment shows that this file is possibly clean. If you
> provided a description that suggests otherwise, we will further examine the
> sample & proceed from there.
>
> -The ClamAV team
> -------- End Of Forwarded Message --------
>
>
> What's the purpose of such messages?
>
>
> Meanwhile, tad.clamav.net is still down.
>
> Best
> Ale
> --


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
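The SHA256 values printed in the receipts are what let the ClamAV side tell a submitted .eml apart from the binaries inside it. The script below is an added example, not code from this thread or from the ClamAV project: it hashes a saved message as a whole and each of its attachments, then reports which object a receipt's SHA256 actually refers to, so a submitter can spot the "you sent us the e-mail, not the DLL" mismatch before or after uploading. The sample message and its attachment bytes are constructed placeholders (inert bytes starting with an MZ header, not real binaries), and the function names are my own.

```python
"""Work out which object a malware-submission receipt's SHA256 refers to.

Added example; not part of the mailing-list thread or of ClamAV.
The message built by build_sample_eml() is constructed for this demo.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, as printed in the submission receipts."""
    return hashlib.sha256(data).hexdigest()


def attachment_hashes(raw_eml: bytes) -> dict:
    """Map each attachment filename to (sha256_hex, starts_with_MZ).

    starts_with_MZ is a cheap hint that the part is a PE file (EXE/DLL/XLL),
    which is what should be submitted as a sample rather than the .eml.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hashes = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)  # base64/QP already undone
        if payload is None:
            continue
        hashes[name] = (sha256_hex(payload), payload[:2] == b"MZ")
    return hashes


def identify_submission(reported_sha256: str, raw_eml: bytes):
    """Return 'whole message', the matching attachment's filename, or None.

    'whole message' is the situation from the thread: the .eml itself was
    uploaded, so the receipt hashes the e-mail rather than the DLL inside it.
    """
    reported = reported_sha256.strip().lower()
    if sha256_hex(raw_eml) == reported:
        return "whole message"
    for name, (digest, _is_pe) in attachment_hashes(raw_eml).items():
        if digest == reported:
            return name
    return None


def build_sample_eml() -> bytes:
    """Constructed message with two inert placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Purchase order (constructed sample)"
    msg.set_content("Please see the attached documents.")
    for name in ("Notification-sample.xll", "Document-sample.xll"):
        # Fake "PE" body: MZ magic followed by filler, NOT an executable.
        msg.add_attachment(
            b"MZ" + name.encode() + b"\x00" * 16,
            maintype="application", subtype="octet-stream", filename=name,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_eml()
    print("whole message:", sha256_hex(raw))
    for fname, (digest, is_pe) in attachment_hashes(raw).items():
        print(f"{fname}: {digest} {'(PE header)' if is_pe else ''}")
    # Simulate a receipt that quotes the hash of the whole .eml.
    print("receipt refers to:", identify_submission(sha256_hex(raw), raw))
```

Run it against a real saved message by replacing `build_sample_eml()` with `open("saved.eml", "rb").read()`; if `identify_submission()` answers `whole message` for the hash in a receipt, the attachments themselves were never submitted.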
Re: Nonsensical noreplies from ClamAV team [ In reply to ]
Hi there,

On Thu, 18 Nov 2021, Alessandro Vesely via clamav-users wrote:

> even though I filter incoming messages with ClamAV, last Monday I received a
> mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI)
> x86-64, for MS Windows. I uploaded the samples to virustotal.com, who
> reported they were recognized as trojans. I saved the viral message and
> uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received
> the following message:
> ...

The same thing happened here earlier this week IIRC from one or two of
our automated submissions. As the reply also said

> If you provided a description that suggests otherwise, we will
> further examine the sample & proceed from there.

and we did so provide, I left it there.

--

73,
Ged.

Re: Nonsensical noreplies from ClamAV team [ In reply to ]
"If you provided a description that suggests otherwise..." is a past tense
conditional referring to the form submission. That phrase is the equivalent
to this longer "If you put information in the description that suggests the
sample is not clean..."


On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 18 Nov 2021, Alessandro Vesely via clamav-users wrote:
>
> > even though I filter incoming messages with ClamAV, last Monday I received a
> > mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI)
> > x86-64, for MS Windows. I uploaded the samples to virustotal.com, who
> > reported they were recognized as trojans. I saved the viral message and
> > uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received
> > the following message:
> > ...
>
> The same thing happened here earlier this week IIRC from one or two of
> our automated submissions. As the reply also said
>
> > If you provided a description that suggests otherwise, we will
> > further examine the sample & proceed from there.
>
> and we did so provide, I left it there.
>
> --
>
> 73,
> Ged.
>
Re: Nonsensical noreplies from ClamAV team [ In reply to ]
On Thu, 18 Nov 2021, Alessandro Vesely via clamav-users wrote:

> Hi all,
>
> even though I filter incoming messages with ClamAV, last Monday I
> received a mail with two suspicious attachments. They were PE32+
> executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to
> virustotal.com, who reported they were recognized as trojans. I saved
> the viral message and uploaded it to
> https://www.clamav.net/reports/malware. On Tuesday I received the
> following message:
>
> -------- Forwarded Message --------
> Subject: ClamAV.net - Your malware submission
> Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
> From: noreply@clamav.com
> To: vesely@tana.it
>
>
>
> Alessandro Vesely,
>
> Thank you again for your submission.
>
> Your File:
> purchase-ORD (SHA256:
> 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>
>
> Our initial assessment shows that this file is possibly clean. If you
> provided a description that suggests otherwise, we will further examine
> the sample & proceed from there.
>
> -The ClamAV team
> -------- End Of Forwarded Message --------

> What's the purpose of such messages?

That is an automated message from the submission system.
My take is that it means that the robot failed to spot any issue,
but a human will read your message anyway and decide whether to
investigate further.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Nonsensical noreplies from ClamAV team [ In reply to ]
We’re looking into this.


Sent from my iPhone

On Nov 18, 2021, at 14:56, Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> wrote:

"If you provided a description that suggests otherwise..." is a past tense conditional referring to the form submission. That phrase is the equivalent to this longer "If you put information in the description that suggests the sample is not clean..."


On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi there,

On Thu, 18 Nov 2021, Alessandro Vesely via clamav-users wrote:

> even though I filter incoming messages with ClamAV, last Monday I received a
> mail with two suspicious attachments. They were PE32+ executable (DLL) (GUI)
> x86-64, for MS Windows. I uploaded the samples to virustotal.com, who
> reported they were recognized as trojans. I saved the viral message and
> uploaded it to https://www.clamav.net/reports/malware. On Tuesday I received
> the following message:
> ...

The same thing happened here earlier this week IIRC from one or two of
our automated submissions. As the reply also said

> If you provided a description that suggests otherwise, we will
> further examine the sample & proceed from there.

and we did so provide, I left it there.

--

73,
Ged.


Re: Nonsensical noreplies from ClamAV team [ In reply to ]
Win.Malware.Agent-9914239-0 will be published shortly and covers both DLL
samples.

On Thu, Nov 18, 2021 at 2:16 PM Christopher Marczewski <cmarczewski@sourcefire.com> wrote:

> Hello Alessandro,
>
> Given the SHA256 hashes in those replies, we've confirmed it was the
> original e-mail and your subsequent reply that were submitted to us, not
> the DLL files themselves. I'll take a look at both binaries and reply back
> with the signature names.
>
> Hope this helps!
>
> On Thu, Nov 18, 2021 at 1:49 PM Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:
>
>> Hi all,
>>
>> even though I filter incoming messages with ClamAV, last Monday I
>> received a mail with two suspicious attachments. They were PE32+
>> executable (DLL) (GUI) x86-64, for MS Windows. I uploaded the samples to
>> virustotal.com, who reported they were recognized as trojans. I saved
>> the viral message and uploaded it to
>> https://www.clamav.net/reports/malware. On Tuesday I received the
>> following message:
>>
>> -------- Forwarded Message --------
>> Subject: ClamAV.net - Your malware submission
>> Date: Tue, 16 Nov 2021 07:23:26 +0000 (UTC)
>> From: noreply@clamav.com
>> To: vesely@tana.it
>>
>>
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> purchase-ORD (SHA256:
>> 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a)
>>
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>>
>> "If you provided" looked like a future unreal conditional to me. It is
>> certainly unreal, given the From:. Anyway, I replied something like the
>> following text:
>>
>>
>> https://www.virustotal.com/gui/file/40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> 10 security vendors flagged this file as malicious
>> 40392920e907b85591dac15d2f4ca49a477e0401abb3334cda2b45a9a513fd58
>> Notificaion-30714_20211115.xll
>>
>>
>> https://www.virustotal.com/gui/file/8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> 11 security vendors flagged this file as malicious
>> 8c0b4c9fe9e49b8eaf449aad36ebb39235835ab2c3a49584be7d0697ecb82c21
>> Document-055293_20211115.xll
>>
>>
>> However, on Wednesday it bounced, because ClamAV's mail server,
>> tad.clamav.net, is persistently down. I thought that was a temporary
>> hiccup and perhaps the ClamAV team wasn't even aware of it. So I saved the
>> bounce, which contained the whole original message, and uploaded it to the
>> same location, explaining that the attachment was a reply to their message,
>> not a sample. Guess what I received on Thursday?
>>
>>
>> -------- Forwarded Message --------
>> Subject: ClamAV.net - Your malware submission
>> Date: Thu, 18 Nov 2021 08:52:21 +0000 (UTC)
>> From: noreply@clamav.com
>> To: vesely@tana.it
>>
>>
>>
>> Alessandro Vesely,
>>
>> Thank you again for your submission.
>>
>> Your File:
>> reply-to-Clamav-Team (SHA256:
>> e9876ec9577e7c1b4a38236a6d18306e57e618a46d4bcfd1837cfd7e9238c281)
>>
>>
>> Our initial assessment shows that this file is possibly clean. If you
>> provided a description that suggests otherwise, we will further examine the
>> sample & proceed from there.
>>
>> -The ClamAV team
>> -------- End Of Forwarded Message --------
>>
>>
>> What's the purpose of such messages?
>>
>>
>> Meanwhile, tad.clamav.net is still down.
>>
>> Best
>> Ale
>> --


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975