
[clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
Doc.Trojan.Agent-6923110-0 added 5th April (I think).

Detects potentially dodgy VB/VBA/VBScript macros in Excel docs, but we have one user who has a completely genuine spreadsheet which contains several complex database-lookup-related macros which are triggering that sig.

Nothing else has.

Unfortunately I cannot send the file as it contains some fairly sensitive information :(

Graeme
--
Graeme Fowler
Senior IT Services Specialist / LU Postmaster, Systems Infrastructure, IT Services
Loughborough University

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
To whitelist a specific signature from the database you just add the
signature name into a local file with the .ign2 extension and store it
inside /var/lib/clamav.

i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2

HTH
Regards
Brent Clark


On 2019/04/10 13:46, Graeme Fowler via clamav-users wrote:

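Two ways to handle a false positive locally, as an added example that is not code from the thread or from the ClamAV project: an .ign2 entry disables the named signature for every file, while a .fp entry (MD5:size:name, the same format sigtool --md5 prints) exempts only one exact file and leaves the signature active for everything else, which is the narrower option when the signature is otherwise believed to be good. The database directory is a parameter here so the functions can be exercised against a temporary directory; the demo file at the end is constructed, not a real spreadsheet.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Assumes a POSIX shell with md5sum, wc and grep available.

# Emit one .fp-format line (MD5:size:MalwareName) for a single file.
# Appended to e.g. /var/lib/clamav/local.fp this exempts only that file;
# the signature keeps firing on any other content.
fp_entry() {
    file="$1"; name="$2"
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Append a signature name to an .ign2 file without creating duplicates.
# This silences the signature for every scanned file, so it is the
# broader (and riskier) of the two tools.
ign2_add() {
    dbfile="$1"; sig="$2"
    touch "$dbfile"
    grep -qxF "$sig" "$dbfile" || printf '%s\n' "$sig" >> "$dbfile"
}

# Demo on a constructed temporary file (not a real document):
demo=$(mktemp)
printf 'hello' > "$demo"
fp_entry "$demo" Doc.Trojan.Agent-6923110-0
rm -f "$demo"
```

For a real deployment the .fp or .ign2 file goes into the database directory (/var/lib/clamav in the thread) and a running clamd must reload its databases (clamdscan --reload, or wait for its SelfCheck interval) before the change takes effect; a quick check afterwards is to scan the affected file with clamscan and confirm it is no longer reported.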
Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
Thanks; I'm well aware of that.

I can well understand the rationale behind the signature - however it looks like the code is established in normal usage. The user in question requested a more recent copy of the template sheet they work with from the upstream organisation, which too was blocked at the boundary (as I expected).

I'm loath to put it into the ignore list as there's obviously good reason for the sig in the first place; what I can't see is whether any other Clam sites have seen the same issue, hence raising it here.

It may be that the sig is a bit too broad, but equally it may be entirely based on observed malware - and if we've got genuine files using the same code as malware or the other way round, that leaves us in a bit of a pickle.

Graeme

________________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Brent Clark via clamav-users <clamav-users@lists.clamav.net>
Sent: 10 April 2019 13:38
To: ClamAV users ML
Cc: Brent Clark
Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
Hey Graeme,

Doc.Trojan.Agent-6923110-0 has been dropped as of this morning's daily.cvd
build. Thanks for bringing this FP to our attention.

For reference, the signature was generated from a cluster of documents
similar to and including the one below:

https://www.virustotal.com/gui/file/7cf485fb365ef45d1d5253ef104ae418f9cb18dff0500e5bb7c8ad3a32220ab5

From doing some quick research on the underlying VB script contained
within, there is some code that looks a little suspicious, but the vast
majority appears to be code associated with documents produced by Oracle
Web Applications Desktop Integrator (ADI). This signature mistakenly
matches on the latter.

From searching online, I was able to find some clean spreadsheets created
via Oracle Web ADI and have added those to our clean sample database, so
that future signatures which might mistakenly match on these documents and
spreadsheets won't pass our False Positive testing.

Thanks again, and let me know if you have any questions

-Andrew

Andrew Williams
Malware Research Engineer
Cisco Talos


On Wed, Apr 10, 2019 at 1:44 PM Graeme Fowler via clamav-users <
clamav-users@lists.clamav.net> wrote:
