
Is the signature "Win.Tool.Hoax-9939325-0" really problematic?
Hi all,

Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0" on one of our executables.
This software was developed by our teams and has not been modified since 2014. And suddenly, an alert is lifted...
After some research in the ClamAV VirusDB announcements, I found that this signature was added on February 18, 2022 (daily version 26457).

We investigated on our side and saw that the alert was lifted because of 5 subsignatures:

* OnClientToHostWindowX
* OnDownloadComplete(
* OnFrameNavigateComplete4
* OnDownloadBegin4
* OnStatusBar

These functions come from a Borland library. In our case, they are used consciously for functional needs.

Does this signature "Win.Tool.Hoax-9939325-0" detect something really problematic that can compromise our system via our executable?
Is there a way to bypass the lifting of this signature, without completely ignoring it, if it ultimately proves useful against other files?

Kind regards,
Alexis
Re: Is the signature "Win.Tool.Hoax-9939325-0" really problematic?
Hi there,

On Mon, 11 Apr 2022, alex via clamav-users wrote:

> Recently, ClamAV sent us the following alert "Win.Tool.Hoax-9939325-0"
> on one of our executables. This software was developed by our teams and
> has not been modified since 2014. And suddenly, an alert is lifted...

On a point of order, in English we would say "an alert is raised".
It's clear that you aren't a native English speaker so I understand
that the distinction may be a little confusing to you, but I assure
you that it's no more confusing to you than "lifted" was to me when
first I read it. :)

> After some research in the ClamAV VirusDB announcements, I found
> that this signature was added on February 18, 2022 ...

This begs the question "Why was this almost two months ago?"

> We investigated on our side and saw that the alert was lifted because of 5 subsignatures :
>
> * OnClientToHostWindowX
> * OnDownloadComplete(
> * OnFrameNavigateComplete4
> * OnDownloadBegin4
> * OnStatusBar
>
> These functions come from a Borland library. ...

Is the library still supported, e.g. with security fixes?

> Does ... "Win.Tool.Hoax-9939325-0" detect something really
> problematic that can compromise our system via our executable?

I doubt it, but I'd imagine you should wait for feedback from the
signature team. They're very busy so it might take a while. Other
readers of this list might have some observations.

> Is there a way to bypass the lifting of this signature, without
> completely ignoring it, if it ultimately proves useful against other
> files?

Not directly in ClamAV, but you could either

(1) ensure that whatever feeds files/directories/data to the scanner
ignores your binary (see docs); or

(2) whitelist the signature as a false positive (see docs) and then,
optionally, create your own signature which is based on this one but
which specifically avoids flagging your binary.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Is the signature "Win.Tool.Hoax-9939325-0" really problematic?
Thanks for your reply.

You are right, I'm not a native English speaker. I went too fast using automatic translators and I didn't review it enough. :D
I forgot to mention that I tested our binary with other antivirus products and none of them raised an alert.
In the meantime, we will look at your possible solutions.

Re: Is the signature "Win.Tool.Hoax-9939325-0" really problematic?
On Apr 11, 2022, at 12:05 AM, alex via clamav-users <clamav-users@lists.clamav.net> wrote:
> Is there a way to bypass the lifting of this signature, without completely ignoring it, if it ultimately proves useful against other files?

You can include an .fp file. See the documentation for format:

<https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=.fp#file-allow-lists>

-Al-
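Ged's option (2) and Al's pointer to the .fp documentation both come down to the same mechanism: a file allow-list entry in hash-signature form, HASH:FILESIZE:NAME, one per line in a file with the .fp extension, placed in ClamAV's database directory. The script below is an added example written for this page, not ClamAV's own code or anything from the thread; it builds such an entry for a file, parses an .fp database back, and shows the decision a hash allow-list makes, including the caveat that any rebuilt or patched copy of the binary no longer matches. SAMPLE_EXE is a constructed byte string standing in for the 2014 executable, the entry name Legacy.Borland.Tool.2014 is an arbitrary label, and the .ign2 helper is included only to show what "completely ignoring" the signature would look like by contrast.

```python
"""Build and check ClamAV file allow-list (.fp) entries.

An .fp line has the hash-signature shape HASH:FILESIZE:NAME, the same line
that `sigtool --md5 FILE` prints. Loaded from the database directory, it
makes ClamAV treat that exact file as clean even when a body signature such
as Win.Tool.Hoax-9939325-0 would otherwise match its contents.
"""
import hashlib

# Constructed stand-in for the executable: not a real PE, just bytes that
# happen to contain one of the strings the subsignatures look for.
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"OnDownloadComplete(" + b"\x00" * 200

# Hex digest length -> hashlib algorithm name, for the three hash types
# ClamAV hash signatures accept.
_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def fp_entry(data: bytes, name: str, algo: str = "md5") -> str:
    """Return one .fp allow-list line (HASH:FILESIZE:NAME) for `data`.

    NAME is free text that appears in clamscan's verbose output, so pick
    something a reviewer will recognise (product name, ticket number).
    """
    if algo not in _DIGEST_LEN.values():
        raise ValueError("ClamAV hash signatures use md5, sha1 or sha256")
    if not name or ":" in name or any(c.isspace() for c in name):
        raise ValueError("name must be non-empty with no ':' or whitespace")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def ign2_entry(signature_name: str) -> str:
    """Return one .ign2 line: the bare signature name.

    This suppresses the *signature* for every file scanned, which is the
    blanket suppression the original poster wants to avoid.
    """
    if not signature_name or any(c.isspace() for c in signature_name):
        raise ValueError("signature name must be a single token")
    return signature_name


def parse_fp(text: str) -> list:
    """Parse .fp content into (hash, size, name) tuples; blank lines skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or len(parts[0]) not in _DIGEST_LEN:
            raise ValueError(f"line {lineno}: not a HASH:FILESIZE:NAME entry")
        digest, size, name = parts
        if not size.isdigit():
            raise ValueError(f"line {lineno}: bad file size {size!r}")
        entries.append((digest.lower(), int(size), name))
    return entries


def allowlisted_as(data: bytes, entries: list):
    """Return the NAME under which `data` would be allow-listed, or None.

    Mirrors the decision a hash allow-list makes: both the digest and the
    size must match, so a rebuild, re-signing or patch of the binary drops
    it out of the allow list and the body signature fires again.
    """
    digests = {}  # algorithm -> digest of `data`, computed at most once each
    for digest, size, name in entries:
        algo = _DIGEST_LEN[len(digest)]
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == digest and size == len(data):
            return name
    return None


if __name__ == "__main__":
    line = fp_entry(SAMPLE_EXE, "Legacy.Borland.Tool.2014")
    print(line)  # paste this into e.g. /var/lib/clamav/local.fp
    db = parse_fp(line)
    print(allowlisted_as(SAMPLE_EXE, db))            # the original build
    print(allowlisted_as(SAMPLE_EXE + b"\x00", db))  # a rebuilt copy: None
    print(ign2_entry("Win.Tool.Hoax-9939325-0"))     # the blanket alternative
```

To apply it for real, run the script against the actual binary (or simply `sigtool --md5 ourtool.exe`, which prints the same HASH:FILESIZE:NAME line with the file name as NAME), append the line to a file such as local.fp in ClamAV's DatabaseDirectory or in a directory passed to `clamscan -d`, and re-scan the binary; it should now report OK while the signature keeps firing on any other file. Because the entry pins one exact digest and size, it has to be regenerated whenever the executable is rebuilt, which is the trade-off for not ignoring the signature outright.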