Mailing List Archive

[clamav-users] Elmedia Player.app detection
Seems to me that this is a false positive.
/Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player
Osx.Trojan.Proton-6352635-0 FOUND

I sent a copy of the file to other vendors to double check it and they
reported it was not malware.

I have submitted false positives to ClamAV before and never received an
update on them:
https://www.clamav.net/reports/fp

What do others do when they get ClamAV false positives?
Thanks,
Doug

--
Doug Stinnette
VCU Technology Services
Endpoint Security Specialist
Virginia Commonwealth University
827-0933

Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information. For more details
visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
Re: [clamav-users] Elmedia Player.app detection
Hey Douglas!

Would you like to provide the hash of the file? That would help us confirm
it's an FP. There's also research about a specific version of Elmedia
Player being trojanized that might provide more insight:
https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/

Best regards,
Lilia

On Tue, Dec 10, 2019 at 9:03 AM Douglas Stinnette <dstinnet@vcu.edu> wrote:

>
> Seems to me that this is a false positive.
> /Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player
> Osx.Trojan.Proton-6352635-0 FOUND
>
> I sent a copy of the file to other vendors to double check it and they
> reported it was not malware.
>
> I have submitted false positives to ClamAV before and never received an
> update on them:
> https://www.clamav.net/reports/fp
>
> What do others do when they get ClamAV false positives?
> Thanks,
> Doug
>
> --
>
>
> Doug Stinnette
>
> VCU Technology Services
>
> Endpoint Security Specialist
>
> Virginia Commonwealth University
>
> 827-0933
>
>
>
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, Social
> Security number or confidential personal information. For more details
> visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] Elmedia Player.app detection
That signature has been in the database since Oct 20, 2017 and is a hash signature, so there's little chance of it being an FP.
[daily.hsb] 17fe5ebacff74bfb6028eb371ceeaf2b:2484384:Osx.Trojan.Proton-6352635-0:73

-Al-
ClamXAV User

On Tue, Dec 10, 2019 at 06:02 AM, Douglas Stinnette wrote:
> Seems to me that this is a false positive.
> /Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player Osx.Trojan.Proton-6352635-0 FOUND
>
> I sent a copy of the file to other vendors to double check it and they reported it was not malware.
>
> I have submitted false positives to ClamAV before and never received an update on them:
> https://www.clamav.net/reports/fp
>
> What do others do when they get ClamAV false positives?
> Thanks,
> Doug
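Two practical points come up in this thread: Doug's question of what to do locally with a suspected ClamAV false positive, and Al's observation that the hit is a hash signature from daily.hsb, which only fires on a byte-for-byte identical file. The script below is an added example, not ClamAV's own code or anything posted by the participants. It parses the daily.hsb line quoted above (HashString:FileSize:MalwareName[:FuncLevel], as documented in the ClamAV signature format docs), checks whether a file's digest and size match it, and emits the lines you would drop into a local .fp (MD5), .sfp (SHA256) or .ign2 whitelist file in the ClamAV database directory. The function names and the sample file bytes are my own constructions; the real Elmedia Player binary is not on this page, so the sample is only a stand-in.

```python
"""Check a file against a ClamAV hash signature (.hsb) and build a local
whitelist entry for it.  Added example, not ClamAV's own code.  The .hsb,
.fp/.sfp and .ign2 line layouts follow the ClamAV signature documentation;
the function names are mine and SAMPLE_FILE is constructed for the demo."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# The daily.hsb entry quoted in this thread: md5:size:name:min_flevel.
PROTON_HSB = "17fe5ebacff74bfb6028eb371ceeaf2b:2484384:Osx.Trojan.Proton-6352635-0:73"

# Constructed stand-in for a scanned Mach-O file (not the real binary).
SAMPLE_FILE = b"\xcf\xfa\xed\xfe" + b"not the real Elmedia Player binary\n" * 8


@dataclass(frozen=True)
class HashSig:
    digest: str            # lowercase hex: MD5 (32), SHA1 (40) or SHA256 (64)
    size: Optional[int]    # None stands for the '*' wildcard (any size)
    name: str
    min_flevel: Optional[int]  # minimum ClamAV functionality level that loads the line


def parse_hash_sig(line: str) -> HashSig:
    """Parse one HashString:FileSize:MalwareName[:FuncLevel] line (.hsb/.fp/.sfp)."""
    fields = line.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 colon-separated fields: {line!r}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    if len(digest) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {digest!r}")
    flevel = int(fields[3]) if len(fields) == 4 and fields[3] else None
    return HashSig(digest, None if size == "*" else int(size), name, flevel)


_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def sig_matches(sig: HashSig, data: bytes) -> bool:
    """A hash signature fires only on a byte-identical file: size AND digest must match."""
    if sig.size is not None and sig.size != len(data):
        return False  # cheap rejection before hashing anything
    algo = _ALGO_BY_HEXLEN[len(sig.digest)]
    return hashlib.new(algo, data).hexdigest() == sig.digest


def fp_entry(data: bytes, label: str) -> str:
    """Line for a local .fp whitelist file (MD5:size:label), same layout as .hsb."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{label}"


def sfp_entry(data: bytes, label: str) -> str:
    """Line for a local .sfp whitelist file (SHA256:size:label)."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{label}"


def ign2_entry(sig_name: str) -> str:
    """Line for a local .ign2 file: silences the named signature for every file (broader than .fp)."""
    return sig_name


def triage(data: bytes, hsb_line: str, label: str = "Local.Whitelist") -> dict:
    """Everything a responder wants in one place: hit/no-hit, hashes to share, whitelist lines."""
    sig = parse_hash_sig(hsb_line)
    return {
        "signature": sig.name,
        "hit": sig_matches(sig, data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "fp_line": fp_entry(data, label),
        "sfp_line": sfp_entry(data, label),
        "ign2_line": ign2_entry(sig.name),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE, PROTON_HSB).items():
        print(f"{key}: {value}")
```

Because the signature carries an explicit size, it cannot match a different build of the same application; if clamscan reports it, the scanned file has the same MD5 and byte length as the sample the signature was cut from. Prefer an .fp or .sfp line (scoped to one exact file) over an .ign2 line (which silences the signature name everywhere) when you do decide to suppress a hit locally, and note that the MD5 in a .fp line is only a local whitelist key, not a security boundary.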
Re: [clamav-users] Elmedia Player.app detection
Found an article on it:

https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/

From: clamav-users [mailto:clamav-users-bounces@lists.clamav.net] On Behalf
Of Al Varnell via clamav-users
Sent: Tuesday, December 10, 2019 11:25 AM
To: ClamAV users ML
Cc: Al Varnell
Subject: Re: [clamav-users] Elmedia Player.app detection



Re: [clamav-users] Elmedia Player.app detection
Nice responses, here is the hash
f9933dfc18107383b4093206daba283d106f86acb6284c92632f5a43143040c6
I provided the file in question to F-Secure, Microsoft and Sophos labs for
manual review and they returned no threat.

Odd that Microsoft still reports a threat on VirusTotal; my guess is that is
due to autodetection.
https://www.virustotal.com/gui/file/f9933dfc18107383b4093206daba283d106f86acb6284c92632f5a43143040c6/detection


Look forward to your thoughts.
Thanks,
Doug

On Tue, Dec 10, 2019 at 11:33 AM Eric Tykwinski <eric-list@truenet.com>
wrote:

