
[clamav-users] FP: Doc.Downloader.Emotet-7196349-0
This signature is hitting false positives. It seems to be a relatively old
signature, but the subsignatures seem to be rather generic so it's
difficult to know why this is supposed to be malicious.

VIRUS NAME: Doc.Downloader.Emotet-7196349-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Bedfordshire
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Buckinghamshire
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Cambridgeshire
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Fantastic
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Gorgeous

False positive VT scan:
https://www.virustotal.com/gui/file/f5d047b2e88f2ebf7beb2593d877c7b9bd7b25d7c28fde0ca8540e96104556f1/detection

MD5: 6e038caa6be70e02533b0a3c6c223b7d:3536896

Re: [clamav-users] FP: Doc.Downloader.Emotet-7196349-0
The offending signature will be dropped in the next daily.cvd. Until then,
I'd suggest adding it to your local ignore database (.ign2). See
https://www.clamav.net/documents/whitelist-databases for more information.

Thanks,
demonduck


On Wed, Feb 5, 2020 at 9:13 AM Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> wrote:

> This signature is hitting false positives. It seems to be a relatively old
> signature, but the subsignatures seem to be rather generic so it's
> difficult to know why this is supposed to be malicious.
>
> VIRUS NAME: Doc.Downloader.Emotet-7196349-0
> TDB: Engine:51-255,Target:2
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Bedfordshire
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Buckinghamshire
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Cambridgeshire
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Fantastic
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Gorgeous
>
> False positive VT scan:
> https://www.virustotal.com/gui/file/f5d047b2e88f2ebf7beb2593d877c7b9bd7b25d7c28fde0ca8540e96104556f1/detection
>
> MD5: 6e038caa6be70e02533b0a3c6c223b7d:3536896
>
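Added example (my own code, not from this thread or from ClamAV): it rebuilds the sigtool-style dump quoted in the post, evaluates the 0&1&2&3&4 logical expression against a constructed benign paragraph to show why five plain English words hit ordinary documents, and produces the .ign2 line the reply recommends. The function names, the small expression evaluator and the sample text are assumptions of this example; ClamAV's real engine matches bytes and supports a larger expression grammar than the subset handled here.

```python
# Added example, not code from the clamav-users thread or from ClamAV: rebuild
# the sigtool-style dump quoted in the post, evaluate its LOGICAL EXPRESSION
# against text, and show why five plain English words fire on benign files.
import re
# Reconstructed from the dump in the post; list order matches the SUBSIG IDs.
WORDS = ["Bedfordshire", "Buckinghamshire", "Cambridgeshire", "Fantastic", "Gorgeous"]
SIG_DUMP = "VIRUS NAME: Doc.Downloader.Emotet-7196349-0\nLOGICAL EXPRESSION: 0&1&2&3&4\n" + "".join(
    f"* SUBSIG ID {i}\n+-> OFFSET: ANY\n+-> SIGMOD: NONE\n+-> DECODED SUBSIGNATURE:\n{w}\n"
    for i, w in enumerate(WORDS))

def parse_dump(dump):
    """Return (name, logical expression, {subsig id: decoded string})."""
    name = re.search(r"^VIRUS NAME: (\S+)", dump, re.M).group(1)
    expr = re.search(r"^LOGICAL EXPRESSION: (\S+)", dump, re.M).group(1)
    subsigs = {int(m[1]): m[2] for m in
               re.finditer(r"\* SUBSIG ID (\d+)\n(?:\+->.*\n)*([^\n]+)", dump)}
    return name, expr, subsigs

def evaluate(expr, counts):
    """Subset of the logical-signature grammar this signature uses: subsig ids, '&',
    '|' and parentheses, left to right; an id is true when it matched at least once."""
    tokens, pos = re.findall(r"\d+|[&|()]", expr), 0
    def term():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            val = group(); pos += 1            # consume the matching ')'
            return val
        return counts.get(int(tok), 0) > 0
    def group():
        nonlocal pos
        val = term()
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            op = tokens[pos]; pos += 1
            rhs = term()                       # always consumed, never short-circuited
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return group()

def scan(dump, data):
    """Return the signature name if its logical expression holds for data."""
    name, expr, subsigs = parse_dump(dump)
    counts = {i: data.count(s) for i, s in subsigs.items()}   # literal, case-sensitive hits
    return name if evaluate(expr, counts) else None

def ign2_entry(name):
    return name   # one line of a local .ign2 file: the signature name to skip

# Constructed benign text: three county names plus two adjectives are enough.
BENIGN = "Offices in Bedfordshire, Buckinghamshire and Cambridgeshire had a Fantastic year and Gorgeous weather."
```

Count comparisons such as `(0|1)>3` from the full ClamAV grammar are deliberately not handled; the evaluator covers only what this signature needs.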