Mailing List Archive

False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Hi Everyone

My program has recently started to be flagged
with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total

File hash
2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9

I've tried to reach out to the team through the false-positive reporting
tool with no success for the past two months
What else can I do?

Thanks
Yaron
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi there,

On Sat, 9 Jul 2022, Yaron Elharar via clamav-users wrote:

> My program has recently started to be flagged
> with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
>
> I've tried to reach out to the team through the false-positive reporting
> tool with no success for the past two months
> What else can I do?

Did you try the Web form?

https://www.clamav.net/reports/fp

You might also post to the ClamAV virusdb mailing list:

https://lists.clamav.net/mailman/listinfo/clamav-virusdb

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi,

Just FYI, that was added to the ClamAV daily.ldb signature database on Apr 9 of this year, which matches your FP reporting effort timeline.

And the signature is:

% sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
VIRUS NAME: Win.Dropper.Tinba-9943147-0
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
!Win32 .EXE.
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS1
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.MPRESS2
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
G(XPTPjxW
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
.)D$H+

You didn't mention the name of your program or where it can be found, so I'm unable to check further, but perhaps the above will allow you to track down what component of the program is being detected.

I suspect someone from the ClamAV Signature Team will spot this shortly, but it is the start of a weekend, so may take a couple of days.

-Al-

> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi Everyone
>
> My program has recently started to be flagged with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9



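One way to start tracking down which component trips the signature, using the decoded sub-signatures and logical expression shown above: the script below is an added example, not code from the thread or from ClamAV, and it re-implements only the small subset of logical-signature matching this signature needs, reports which sub-signatures hit and at what offsets, and builds the md5:size:name line used for hash-based FP entries. It assumes that each "." in sigtool's decoded output stands for a non-printable byte (treated as a one-byte wildcard) and runs over constructed sample buffers rather than the real installer.

```python
import hashlib
import re

# Decoded sub-signatures as printed by `sigtool --decode-sigs` in the thread.
# Assumption (not stated on the page): each "." in the decoded text stands for
# a non-printable byte, so it is treated here as a one-byte wildcard.
SUBSIGS = ["!Win32 .EXE.", ".MPRESS1", ".MPRESS2", "G(XPTPjxW", ".)D$H+"]
LOGICAL_EXPR = "0&1&2&3&4"


def subsig_to_regex(decoded: str):
    """Turn a decoded sub-signature into a bytes regex; '.' matches any byte."""
    parts = [b"." if c == "." else re.escape(c.encode("latin-1")) for c in decoded]
    return re.compile(b"".join(parts), re.DOTALL)


def find_subsigs(data: bytes, subsigs=SUBSIGS) -> dict:
    """Map each sub-signature id to the offsets where it matches in data."""
    return {i: [m.start() for m in subsig_to_regex(s).finditer(data)]
            for i, s in enumerate(subsigs)}


def eval_logical(expr: str, hits: dict) -> bool:
    """Evaluate the subset of ClamAV logical-expression syntax this signature
    uses: sub-signature ids, '&', '|' and parentheses. Counted forms such as
    '(0&1)>2' are deliberately not handled and raise ValueError."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: " + expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: " + expr)
        pos += 1
        return tokens[pos - 1]

    def factor():  # id | '(' expr ')'
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in " + expr)
            return val
        return bool(hits.get(int(tok)))

    def and_expr():  # factor ('&' factor)*
        val = factor()
        while peek() == "&":
            take()
            val = factor() and val  # factor() always runs, so tokens are consumed
        return val

    def or_expr():  # and_expr ('|' and_expr)*
        val = and_expr()
        while peek() == "|":
            take()
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in " + expr)
    return result


def explain(data: bytes, subsigs=SUBSIGS, expr=LOGICAL_EXPR) -> dict:
    """Report which sub-signatures hit, where, and whether the signature alerts."""
    hits = find_subsigs(data, subsigs)
    return {"alert": eval_logical(expr, hits),
            "matched": [i for i, o in hits.items() if o],
            "missing": [i for i, o in hits.items() if not o],
            "offsets": hits}


def fp_signature_line(data: bytes, name: str) -> str:
    """The 'md5:size:name' line `sigtool --md5` prints in the thread; the same
    format is used for hash-based false-positive entries."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


# Constructed sample buffers (not the real installer): an MPRESS-style layout
# carrying the .MPRESS1/.MPRESS2 section names, with and without the two
# short opaque byte runs from sub-signatures 3 and 4.
MPRESS_ONLY = (b"MZ\x90\x00" + b"!Win32 \x00EXE\x00" + b"\x00" * 16
               + b"\x00MPRESS1" + b"\x00" * 8 + b"\x00MPRESS2" + b"\x00" * 8)
MPRESS_PLUS_PATTERNS = (MPRESS_ONLY + b"G(XPTPjxW" + b"\x00" * 4
                        + b"\x01)D$H+" + b"\x00" * 8)

if __name__ == "__main__":
    for label, sample in (("mpress only", MPRESS_ONLY),
                          ("mpress + patterns", MPRESS_PLUS_PATTERNS)):
        print(label, explain(sample))
    print(fp_signature_line(MPRESS_PLUS_PATTERNS, "constructed-sample.exe"))
```

The MPRESS-only buffer satisfies sub-signatures 0 to 2 but not the whole expression, so a packer alone does not alert; the "missing" list is what a developer would then search for in their own build artefacts.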
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
That correlates exactly to when it started happening.

It's a pretty cool case converter called AnyCase
https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1

"... but perhaps the above will allow you to track down what component of
the program is being detected."

I thought about doing that, but I don't know where to start.
It would be great to understand what is happening, and why.

Where should I start?



On Sat, Jul 9, 2022 at 12:59 PM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi,
>
> Just FYI, that was added to the ClamAV daily.ldb signature database on Apr
> 9 of this year, which matches your FP reporting effort timeline.
>
> And the signature is:
>
> % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
> VIRUS NAME: Win.Dropper.Tinba-9943147-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> !Win32 .EXE.
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS1
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS2
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> G(XPTPjxW
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .)D$H+
>
> You didn't mention the name of your program or where it can be found, so
> I'm unable to check further, but perhaps the above will allow you to track
> down what component of the program is being detected.
>
> I suspect someone from the ClamAV Signature Team will spot this shortly,
> but it is the start of a weekend, so may take a couple of days.
>
> -Al-
>
> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> Hi Everyone
>
> My program has recently started to be flagged
> with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
>
>
>
> Powered by *Mailbutler
> <https://www.mailbutler.io/?utm_source=watermark&utm_medium=email&utm_campaign=watermark-variant-primary>* -
> still your inbox, but smarter.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
My capabilities for examining Windows files are extremely limited, given that I'm an AppleMac user, exclusively.

Running clamscan --debug against the file I see the following near the end:

> LibClamAV debug: FP SIGNATURE: 95a6e35279662aa2f26d768b15091a55:4514540:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 57ec8948de3d8a4bcae9fbca6696d599:3793644:Win.Dropper.Tinba-9943147-0 # Name: n/a, Type: CL_TYPE_MSEXE
> LibClamAV debug: FP SIGNATURE: 701571d9181d39302909ef36ce487d17:4929264:Win.Dropper.Tinba-9943147-0 # Name: AnyCase App Installer v10.93.exe, Type: CL_TYPE_MSEXE
> /Users/<redacted>/Downloads/2022-07-04/AnyCase App Installer v10.93.exe: Win.Dropper.Tinba-9943147-0 FOUND
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: bytecode: extracting new file with id 4294967295
> LibClamAV debug: hashtab: Freeing hashset, elements: 7, capacity: 64
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: cli_scanembpe: Infected with Win.Dropper.Tinba-9943147-0
> LibClamAV debug: Win.Dropper.Tinba-9943147-0 found
> LibClamAV debug: cli_magic_scan_desc: returning 1 at line 4982
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Freeing phishcheck struct
> LibClamAV debug: Phishcheck cleaned up
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 12318966
> Engine version: 0.104.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 13.42 MB
> Data read: 4.70 MB (ratio 2.86:1)
> Time: 39.290 sec (0 m 39 s)
> Start Date: 2022:07:09 08:16:55
> End Date: 2022:07:09 08:17:34

I'm not an expert on this either, but it would appear that there is a valid False Positive entry in the database for four different files, including yours as the last. I can confirm that the md5 hash matches the installer downloaded from your site:

> sigtool --md5 /Users/<redacted>/Downloads/2022-07-04/AnyCase\ App\ Installer\ v10.93.exe
> 701571d9181d39302909ef36ce487d17:4929264:AnyCase App Installer v10.93.exe


So why it's being detected remains a mystery!

-Al-


> On Jul 9, 2022, at 3:21 AM, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi there,

On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:

> ...
> ----------- SCAN SUMMARY -----------
> Known viruses: 12318966
> Engine version: 0.104.1
> ...
> ... it would appear that there is a valid False Positive entry in
> the database for four different files ...
> ...
> So why it's being detected remains a mystery!

A guess: I see you're still using 0.104.1, maybe upgrade your ClamAV?

|| https://blog.clamav.net/2022/03/clamav-01050-release-candidate-now.html
||
|| "Fixed an issue causing byte-compare sub-signatures to cause an alert
|| when they match even if other conditions of the given logical
|| signatures were not met."

--

73,
Ged.
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Thank you for taking a look. My understanding of this is also limited, but
I'm using 0.105.0.0

With these signatures
ClamAV update process started at Sat Jul 9 19:32:19 2022
daily.cvd database is up-to-date (version: 26596, sigs: 1989075, f-level:
90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90,
builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63,
builder: awillia2)

and this version still flags it. I didn't want to create a new email to

https://lists.clamav.net/mailman/listinfo/clamav-virusdb

so as not to create a duplicate, but it might be necessary;
maybe there they can help to understand what is happening.



On Sat, Jul 9, 2022 at 7:26 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Shouldn't make any difference as VirusTotal is likely using 0.105, but upgrading isn't up to me as that's something the ClamXAV developer will eventually get around to.

Sent from my iPad

-Al-
--
ClamXAV User

> On Jul 9, 2022, at 09:25, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> A guess: I see you're still using 0.104.1, maybe upgrade your ClamAV?
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
I've never seen a user post to that list and I've subscribed to it for decades. My impression has always been it's for database update announcements only.

Sent from my iPad

-Al-
--
ClamXAV User

> On Jul 9, 2022, at 09:44, Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> I didn't want to create a new email to the
>
> https://lists.clamav.net/mailman/listinfo/clamav-virusdb
>
> Not to create a duplicate, but it might be necessary
> maybe there they can help to understand what is happening
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi there,

On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:

> I've never seen a user post to that list and I've subscribed to it
> for decades. My impression has always been it's for database update
> announcements only.

You might be right Al but I took the URI from a list post and ISTR that
a while back Micah suggested it as a way to report FPs which might get
a quicker response than using the Web form or the submission utility.

But these ol' neurones aren't what they used to be.

--

73,
Ged.
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Did anybody from the ClamAV team have the chance to take a look at this?



On Sun, 10 Jul 2022, 9:27 G.W. Haywood via clamav-users, <
clamav-users@lists.clamav.net> wrote:

Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Looks like allmatch scanning may be confined to the PUA CVDs if the first
signature alert is a PUA signature, as was the case here.

PUA.Win.Packer.Exe-6 alerted on this sample during the report processing,
but no additional signature alerted. A manual scan without PUA signatures
enabled resulted in the expected FP hit.

I've dropped the signature after examining the binary and will check with
the dev team on this case.

On Mon, Jul 11, 2022 at 5:20 PM Yaron Elharar via clamav-users <
clamav-users@lists.clamav.net> wrote:



--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Since Monday, we investigated a little further and found that the executable is extracted by the MPRESS unpacker, a part of our bytecode.cvd signature set, and then once unpacked it alerted with the Win.Dropper.Tinba-9943147-0 signature. It makes sense that if it could be unpacked with the MPRESS unpacker it would also alert with the PUA.Win.Packer.Exe-6 signature. The reason that the Win.Dropper.Tinba-9943147-0 signature did not alert during the false positive report processing is because of a bug wherein bytecode signatures will not run if a signature alert already occurred, even in all-match mode. I am working on a fix for this now, while I work on other improvements to the all-match feature.

I found that the Win.Dropper.Tinba-9943147-0 signature was highly effective at detecting malware, with approximately 10,060 hits on virus total and a relatively low false positive rate: https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-0/files.
So, we have added the signature back, as Win.Dropper.Tinba-9943147-1, and it is already beginning to detect malware again (https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-1/files).

Yaron,

For now, your application is instead added as a hash-based FP signature to our daily.cvd database to prevent the false positive. I would be curious to know if there is anything unusual in your application build process that would help me understand why ClamAV thinks the application is packed using the MPRESS packer. I suspect that future builds of your application will have the same issue unless we are able to refine the detection or change how your software is built to prevent the detection.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Christopher Marczewski <cmarczewski@sourcefire.com>
Sent: Monday, July 11, 2022 4:48 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi Micah

Sorry about the delayed response. Interesting.
My application does use mpress and inno setup as part of the build
process, so it makes sense that it is detected.
You can also see that in the details tab at VirusTotal, but why would this
by itself cause a trigger? Is there something wrong with the mpress packer,
or with using that packer?

All The Best
Yaron Elharar

On Thu, Jul 14, 2022 at 8:04 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0 [ In reply to ]
Hi Yaron,

There's nothing specifically wrong with mpress, or inno setup for that matter. It's just that mpress, and similar PE packers (UPX, PECompact, etc.), are popular with malware. This is why we try to unpack it and have signatures that include mpress as a factor for detection.

But you're right, Mpress alone should not be enough to cause a trigger. In this signature, the additional patterns beyond those for identifying MPRESS-unpacked programs were not unique enough and happen to match on something in your app. We can try to improve the signature to make it more specific.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Yaron Elharar via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, July 18, 2022 12:09 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Yaron Elharar <yaron.elh@anycaseapp.com>
Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

Hi Micah

Sorry about the delayed response, Interesting,
My application does use mpress and inno setup, as part of the build process. So it makes sense that it is detected.
You can also see that in the details tab at VirusTotal, but why would this by itself cause a trigger? Is there something wrong with the mpress packer?
or with using that packer?

All The Best
Yaron Elharar









On Thu, Jul 14, 2022 at 8:04 PM Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
Since Monday, we investigated a little further and found that the executable is extracted by the MPRESS unpacker a part of our bytecode.cvd signature set, and then once unpacked it alerted with the Win.Dropper.Tinba-9943147-0 signature. It makes sense that if it could be unpacked with the MPRESS unpacker that it would also alert with the PUA.Win.Packer.Exe-6 signature. The reason that the Win.Dropper.Tinba-9943147-0 signature did not alert during the false positive report processing is because of a bug wherein bytecode signatures will not run if a signature alert already occurred, even in all-match mode. I am working on a fix for this now, while I work on other improvements to the all-match feature.

I found that the Win.Dropper.Tinba-9943147-0 signature was highly effective at detecting malware, with approximately 10,060 hits on VirusTotal and a relatively low false positive rate: https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-0/files
So, we have added the signature back, as Win.Dropper.Tinba-9943147-1, and it is already beginning to detect malware again (https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-1/files).

Yaron,

For now, your application is instead added as a hash-based FP signature to our daily.cvd database to prevent the false positive. I would be curious to know if there is anything unusual in your application build process that would help me understand why ClamAV thinks the application is packed using the MPRESS packer. I suspect that future builds of your application will have the same issue unless we are able to refine the detection or change how your software is built to prevent the detection.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Christopher Marczewski <cmarczewski@sourcefire.com>
Sent: Monday, July 11, 2022 4:48 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

Looks like allmatch scanning may be confined to the PUA CVDs if the first signature alert is a PUA signature, as was the case here.

PUA.Win.Packer.Exe-6 alerted on this sample during the report processing, but no additional signature alerted. A manual scan without PUA signatures enabled resulted in the expected FP hit.

I've dropped the signature after examining the binary and will check with the dev team on this case.

On Mon, Jul 11, 2022 at 5:20 PM Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
Did anybody from the ClamAV team have the chance to take a look at this?



On Sun, 10 Jul 2022, 9:27 G.W. Haywood via clamav-users, <clamav-users@lists.clamav.net> wrote:
Hi there,

On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:

> I've never seen a user post to that list and I've subscribed to it
> for decades. My impression has always been it's for database update
> announcements only.

You might be right Al but I took the URI from a list post and ISTR that
a while back Micah suggested it as a way to report FPs which might get
a quicker response than using the Web form or the submission utility.

But these ol' neurones aren't what they used to be.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
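Micah mentions that, while the logical signature is refined, the application was added as a hash-based false-positive signature. The example below is added here and is not code from the ClamAV project or from anyone in this thread; it shows what such an entry looks like and how a defender can check a build against one locally. ClamAV's `.fp` databases use lines of the form `HashString:FileSize:Name`, where the hash is the MD5, SHA1 or SHA256 of the whole file (the same format `sigtool --sha256` prints). The sample bytes, the `Demo.FP` label and the helper names are constructed for the example.

```python
"""Build and check ClamAV-style hash-based false-positive (.fp) entries.

Added example, not ClamAV's own code. The .fp line format is
HashString:FileSize:Name; the hash algorithm is implied by its length.
"""
import hashlib

# ClamAV infers the algorithm from the hex digest length.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for a build artifact (not a real PE file).
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable\n"


def fp_entry(data: bytes, name: str, algo: str = "sha256") -> str:
    """Return a .fp line (hash:size:name) for the given file contents."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_fp(line: str):
    """Split a .fp line into (digest, size, name); name may contain ':'."""
    digest, size, name = line.strip().split(":", 2)
    if len(digest) not in HASH_ALGOS:
        raise ValueError(f"unsupported digest length {len(digest)}")
    return digest.lower(), int(size), name


def matches_fp(data: bytes, line: str) -> bool:
    """True if the file contents match the .fp entry (size check first)."""
    digest, size, _name = parse_fp(line)
    if len(data) != size:
        return False  # cheap rejection before hashing
    algo = HASH_ALGOS[len(digest)]
    return hashlib.new(algo, data).hexdigest() == digest


def find_fp_match(data: bytes, db_lines):
    """Return the name of the first matching .fp entry, or None."""
    for line in db_lines:
        if not line.strip() or line.startswith("#"):
            continue
        if matches_fp(data, line):
            return parse_fp(line)[2]
    return None


if __name__ == "__main__":
    entry = fp_entry(SAMPLE, "Demo.FP")
    print(entry)  # hash:size:Demo.FP, suitable for a local .fp file
    print("matches current build:", find_fp_match(SAMPLE, [entry]))
    # A rebuilt binary changes the hash, so the whitelist no longer applies.
    print("matches rebuilt binary:", find_fp_match(SAMPLE + b"\x90", [entry]))
```

Because the entry covers one exact file, every new build needs a new entry (or a refined logical signature), which is the caveat Micah raises about future builds.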