Mailing List Archive

Re: [clamav-users] [ext] Xls.Malware.Sagent-7132944-0
* Matt Campbell via clamav-users <clamav-users@lists.clamav.net>:
> Hello,
>
> I have an XLSM spreadsheet that ClamAV is detecting malware in. It's popping
> up as Xls.Malware.Sagent-7132944-0 and I have not been able to find any
> information related to this definition. Can anyone shed some light on what
> this relates to?

# sigtool --find-sigs Xls.Malware.Sagent-7132944-0 | sigtool --decode-sigs

VIRUS NAME: Xls.Malware.Sagent-7132944-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
0{00020819-0000-0000-C000-000000000046}
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
CallByName
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
ThisWorkbook

This means subsignatures 0, 1 and 2 must all match.

0: contain "0{00020819-0000-0000-C000-000000000046}" anywhere
1: contain "CallByName" anywhere
2: contain "ThisWorkbook" anywhere



--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
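
Added example (not part of the original message and not ClamAV code): a small Python script that parses the decoded sigtool output quoted above and reports at which offsets each subsignature occurs in a buffer, which helps when working out why a workbook triggers this signature. The names `parse_decoded` and `explain` are hypothetical, `SAMPLE` is constructed text, a plain byte search stands in for ClamAV's matcher, and only pure AND expressions such as `0&1&2` are handled.

```python
import re

# sigtool --decode-sigs output copied from the message above.
DECODED = """VIRUS NAME: Xls.Malware.Sagent-7132944-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
0{00020819-0000-0000-C000-000000000046}
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
CallByName
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
ThisWorkbook
"""
# Constructed sample: text resembling VBA module source, not taken from a real file.
SAMPLE = (b'Attribute VB_Name = "ThisWorkbook"\r\n'
          b'Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"\r\n'
          b'Sub Demo()\r\n  CallByName Application, "Calculate", VbMethod\r\nEnd Sub\r\n')

def parse_decoded(text):
    """Return (virus name, logical expression, {subsig id: pattern bytes})."""
    name = re.search(r"^VIRUS NAME: (.+)$", text, re.M).group(1).strip()
    expr = re.search(r"^LOGICAL EXPRESSION: (.+)$", text, re.M).group(1).strip()
    pat = r"SUBSIG ID (\d+)\n(?:.*\n)*?.*DECODED SUBSIGNATURE:\n(.*)"
    subs = {int(i): s.strip().encode("latin-1") for i, s in re.findall(pat, text)}
    return name, expr, subs

def explain(decoded, data):
    """Return (name, fired, {subsig id: match offsets}) for data (OFFSET: ANY)."""
    name, expr, subs = parse_decoded(decoded)
    hits = {i: [m.start() for m in re.finditer(re.escape(p), data)]
            for i, p in subs.items()}
    if not re.fullmatch(r"\d+(&\d+)*", expr):  # only AND chains are handled here
        raise ValueError("unsupported logical expression: " + expr)
    fired = all(hits.get(int(i)) for i in expr.split("&"))
    return name, fired, hits

if __name__ == "__main__":
    name, fired, hits = explain(DECODED, SAMPLE)
    print(name, "matches" if fired else "does not match", hits)
```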
