Mailing List Archive

[clamav-users] Malware found on datadog folder in centos. Is it false-positive?
Hello, I hope everyone is well.

While scanning my database VPS, ClamAV found Win.Malware.Generic-9937882-0
on
/opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl.
The server is running CentOS 7, so Windows-based malware is not likely dangerous,
but it makes me wonder: is it malware or is it a false positive?

I am new to all this, so I would like some guidelines as to what I should
check and how I should proceed...

Thanks in advance,
N. Theofanidis
Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
First I would upload the file to https://virustotal.com to see if any other scanners identify the file as malware.

Sent from my iPad

-Al-

> On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
FP confirmed (I guess):
https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d


On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.60.47.09.81
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus: http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
Well yes, the fact that it was the only scanner would be an indicator of at least a possible false positive.

Next, a check to see when that signature was added shows that it was just yesterday, and further that it was dropped today, so clearly an indication that it was found to be incorrect. Updating your daily signature database should eliminate the finding and you can get back to more important work.

And if step three were necessary, I would take a look at the signature itself to see if it’s focused enough. Here’s what it looks like:

sigtool -fWin.Malware.Generic-9937882-0|sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9937882-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected to find a command ending in '.exe' in shebang line: %ls
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Terminating quote without starting quote for executable in shebang line: %ls
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Expected terminating double-quote for executable in shebang line: %ls
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
Unable to create process using '%ls': %ls
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to find executable in environment: %ls

So it’s looking for all five ASCII strings indicated, which might have been enough to uniquely identify whatever Windows file that is, but apparently either that file was misidentified as being malware or those strings are common to both the malware and your Python lib.

-Al-

On Jan 31, 2022, at 04:22, Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net> wrote:

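To make the decoded signature above concrete, here is an added example (my own code, not ClamAV's and not from anyone in the thread) that re-implements the matching semantics visible in the sigtool output: five substrings, all required by the logical expression 0&1&2&3&4, subsig 3 matched as UTF-16LE because of SIGMOD: WIDE, applied to each member of a wheel (a zip) the way the scan hit the pip wheel. The wheel, its member names and the file contents are constructed here; the real hit most likely comes from the small Windows script-launcher executables that pip's vendored distlib ships, which is where such shebang-parsing error strings would live.

```python
import io
import zipfile

# Subsignatures transcribed from the `sigtool --decode-sigs` output above:
# (subsig id, SIGMOD, decoded string). '%ls' is literal text in the binary.
SUBSIGS = [
    (0, "NONE", "Expected to find a command ending in '.exe' in shebang line: %ls"),
    (1, "NONE", "Terminating quote without starting quote for executable in shebang line: %ls"),
    (2, "NONE", "Expected terminating double-quote for executable in shebang line: %ls"),
    (3, "WIDE", "Unable to create process using '%ls': %ls"),
    (4, "NONE", "Unable to find executable in environment: %ls"),
]
LOGICAL_EXPRESSION = "0&1&2&3&4"  # every subsig must hit


def encode(pattern, sigmod):
    """SIGMOD WIDE = match the UTF-16LE form (how Windows stores wide strings);
    NONE = match the plain byte string. OFFSET ANY = anywhere in the file."""
    return pattern.encode("utf-16-le" if sigmod == "WIDE" else "ascii")


def matched_subsigs(data: bytes) -> set:
    """Return the ids of the subsignatures found anywhere in `data`."""
    return {sid for sid, mod, pat in SUBSIGS if encode(pat, mod) in data}


def evaluate(expression: str, hits: set) -> bool:
    """Evaluate the '&'/'|' subset of ClamAV logical expressions (assumption:
    no parentheses or match counts, '&' binds tighter than '|')."""
    return any(all(int(t) in hits for t in term.split("&"))
               for term in expression.split("|"))


def scan_wheel(wheel_bytes: bytes) -> list:
    """A wheel is a zip; return the member names that satisfy the signature."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [n for n in zf.namelist()
                if evaluate(LOGICAL_EXPRESSION, matched_subsigs(zf.read(n)))]


def build_sample_wheel(with_wide_string=True) -> bytes:
    """Constructed test input (not the real pip wheel): one launcher-like
    member carrying the strings, one plain Python file."""
    body = b"".join(encode(p, m) + b"\0" for _, m, p in SUBSIGS
                    if with_wide_string or m != "WIDE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/_vendor/launcher.exe", b"MZ" + body)  # constructed name
        zf.writestr("pkg/__init__.py", b"# harmless\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("members matching the signature:", scan_wheel(build_sample_wheel()))
    # Drop only the UTF-16 string: the AND expression fails and nothing matches.
    print("without subsig 3:", scan_wheel(build_sample_wheel(False)))
```

The second run shows why a five-string conjunction still misfires on a benign file: any Windows binary that carries the same error messages satisfies every term, so the signature distinguishes the source of the strings, not malicious intent.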
Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
Looks like the signature was dropped already because sigtool doesn't find
it anymore after I updated the databases through freshclam.

--Maarten

On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
Can confirm. Win.Malware.Generic-9937882-0 was dropped from the daily CVD
earlier today.

On Mon, Jan 31, 2022 at 8:54 AM Maarten Broekman via clamav-users <
clamav-users@lists.clamav.net> wrote:



--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975