Hi Yaron,
There's nothing specifically wrong with mpress, or inno setup for that matter. It's just that mpress, and similar PE packers (UPX, PECompact, etc.), are popular with malware. This is why we try to unpack it and have signatures that include mpress as a factor for detection.
But you're right, Mpress alone should not be enough to cause a trigger. In this signature, the additional patterns beyond those for identifying MPRESS-unpacked programs were not unique enough and happen to match on something in your app. We can try to improve the signature to make it more specific.
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Yaron Elharar via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, July 18, 2022 12:09 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Yaron Elharar <yaron.elh@anycaseapp.com>
Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Hi Micah,
Sorry about the delayed response. Interesting.
My application does use mpress and inno setup as part of the build process, so it makes sense that it is detected.
You can also see that in the details tab at VirusTotal, but why would this by itself cause a trigger? Is there something wrong with the mpress packer, or with using that packer?
All The Best
Yaron Elharar
On Thu, Jul 14, 2022 at 8:04 PM Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:
Since Monday, we investigated a little further and found that the executable is extracted by the MPRESS unpacker a part of our bytecode.cvd signature set, and then once unpacked it alerted with the Win.Dropper.Tinba-9943147-0 signature. It makes sense that if it could be unpacked with the MPRESS unpacker that it would also alert with the PUA.Win.Packer.Exe-6 signature. The reason that the Win.Dropper.Tinba-9943147-0 signature did not alert during the false positive report processing is because of a bug wherein bytecode signatures will not run if a signature alert already occurred, even in all-match mode. I am working on a fix for this now, while I work on other improvements to the all-match feature.
I found that the Win.Dropper.Tinba-9943147-0 signature was highly effective at detecting malware, with approximately 10,060 hits on virus total and a relatively low false positive rate:
https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-0/files. So, we have added the signature back, as Win.Dropper.Tinba-9943147-1, and it is already beginning to detect malware again
https://www.virustotal.com/gui/search/clamav%253AWin.Dropper.Tinba-9943147-1/files).
Yaron,
For now, your application is instead added as a hash-based FP signature to our daily.cvd database to prevent the false positive. I would be curious to know if there is anything unusual in your application build process that would help me understand why ClamAV thinks the application is packed using the MPRESS packer. I suspect that future builds of your application will have the same issue unless we are able to refine the detection or change how your software is built to prevent the detection.
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
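How the hash-based FP entry Micah describes suppresses an alert, as an added illustration (not ClamAV's own code): it builds a record in ClamAV's .fp layout (hash:filesize:name) for a constructed stand-in binary and shows that a rebuilt binary differing by a single byte no longer matches, which is why later builds of the application would need a refined signature rather than another hash entry. The sample bytes and the entry name are constructed for this example.

```python
"""Build and check a ClamAV-style hash-based false-positive (.fp) entry.

Added example, not ClamAV code. The record layout is ClamAV's documented
HashString:FileSize:MalwareName; the sample bytes and the entry name below
are constructed for this illustration.
"""
import hashlib

# Constructed stand-in for the build that was reported; not a real PE file.
SAMPLE_BUILD = b"MZ" + b"\x00" * 62 + b"constructed installer build v1"
# A later build that differs by one byte, as a rebuilt installer would.
NEXT_BUILD = SAMPLE_BUILD[:-1] + b"2"

# Hex digest length -> hash algorithm, the three hash types .fp files accept.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def fp_entry(data: bytes, name: str, algo: str = "sha256") -> str:
    """Return one .fp line, <hash>:<size>:<name>, for the given file bytes."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_fp(line: str) -> tuple[str, int, str]:
    """Split a .fp line into (hash, size, name)."""
    digest, size, name = line.strip().split(":", 2)
    return digest.lower(), int(size), name


def is_whitelisted(data: bytes, fp_lines: list[str]) -> bool:
    """True if any .fp entry matches both the exact size and the hash of data."""
    for line in fp_lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments
        digest, size, _ = parse_fp(line)
        if size != len(data):
            continue  # size acts as a cheap pre-filter before hashing
        algo = _ALGO_BY_LEN[len(digest)]
        if hashlib.new(algo, data).hexdigest() == digest:
            return True
    return False


# One entry written for the reported build (constructed name).
FP_DB = [fp_entry(SAMPLE_BUILD, "Example.Whitelisted.Build")]

if __name__ == "__main__":
    print(FP_DB[0])
    print("reported build whitelisted:", is_whitelisted(SAMPLE_BUILD, FP_DB))
    print("rebuilt binary whitelisted:", is_whitelisted(NEXT_BUILD, FP_DB))
```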
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Christopher Marczewski <cmarczewski@sourcefire.com>
Sent: Monday, July 11, 2022 4:48 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Looks like allmatch scanning may be confined to the PUA CVDs if the first signature alert is a PUA signature, as was the case here.
PUA.Win.Packer.Exe-6 alerted on this sample during the report processing, but no additional signature alerted. A manual scan without PUA signatures enabled resulted in the expected FP hit.
I've dropped the signature after examining the binary and will check with the dev team on this case.
On Mon, Jul 11, 2022 at 5:20 PM Yaron Elharar via clamav-users <clamav-users@lists.clamav.net> wrote:
Did anybody from the ClamAV team have the chance to take a look at this?
On Sun, 10 Jul 2022, 9:27 G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
Hi there,
On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:
> I've never seen a user post to that list and I've subscribed to it
> for decades. My impression has always been it's for database update
> announcements only.
You might be right Al but I took the URI from a list post and ISTR that
a while back Micah suggested it as a way to report FPs which might get
a quicker response than using the Web form or the submission utility.
But these ol' neurones aren't what they used to be.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975