tshaw at oitc
May 7, 2012, 5:52 PM
Post #11 of 13
On May 7, 2012, at 8:35 PM, Pepijn Schmitz wrote:
> Hi Al,
> On 07-05-12 20:44, Al Varnell wrote:
>>> And is there no place where I can find more information about the trojan
>>> ClamAV thinks it is detecting? Surely there is more information than a
>>> hex string, somewhere?
>> The only one that might know something about it is the member of the
>> signature team that published it (Alain Zidouemba) who probably isn't going
>> to remember what he did back on 19 April unless he took good notes:
> I must say the lack of transparency is bothering me a little. I'm used
> to antivirus programs giving me access to a detailed database with
> information about the threats they claim to detect, so I can make my own
> determination of how likely something is to be an actual threat and what
> it does and how dangerous it is, or whether it is just a theoretical
> threat, or a likely false positive.
>>> Submission-ID: 42631477
>>> Sender: Virus Total
>>> Sender: Anonymous
>>> Added: Trojan.Agent-281708
>> This says it originated at VirusTotal.
> It's also strange that Virus Total is saying that ClamAV (and only
> ClamAV) is claiming the file contains a trojan, and ClamAV says that
> Virus Total is the source for that information. This seems like a
> circular chain of evidence to me, which could prove anything, and
> therefore nothing.
> And when I search for these names and strings, all I find are Virus
> Total reports, and lists of threats claimed to be detected by various
> products, but no actual information about the alleged trojans themselves
> (except that they're "highly dangerous"). It's all very mysterious, and
> it doesn't inspire confidence in me in the accuracy of these detections,
> I'm sorry to say, especially given my own current experience.
>> When I do a Google search for
>> "74da9128149f4e678783b4125095d396 +site:virustotal.com"
>> I get 6 hits, several of which show a VBA32 detection of
> So I see. Thanks for the tip. In most of them the only other detection
> is once again by ClamAV though. It seems likely to me that those are all
> false positives too. They all seem to be installers or uninstallers,
> perhaps something about that is triggering ClamAV and VBA32. When I
> search for this "TrojanBanker.Qhost.aaji" trojan, once again I can find
> no concrete information about it whatsoever, so unfortunately it doesn't
> really help in identifying what it is that ClamAV thinks my program is
> infected with...
Not sure what your issue is. First, virus names are not uniform. You should not expect them to be. As for your assertion that other AVs provide detailed info as to why they detected something, I would say to you that you are being naive.
As for your statement about circular reference: VT supplies every sample submitted to all AV vendors. Each vendor determines if they even wish to process a submittal. In this case ClamAV did and, per Edwin's earlier response, an MD5 signature was generated around a piece of the executable sample. So if you are concerned about your app, which you seem to be, you can 1) use sigtool to examine your app to see where you might further want to analyze or change, 2) submit an FP report to ClamAV, or 3) since the sig is an MD5, recompile your app with some slight changes such as adding extra constants to change the MD5 and you should be fine.
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
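The section-hash signature discussed above (ClamAV's .mdb format, `PESectionSize:PESectionHash:MalwareName`, which `sigtool --mdb <file>` generates from a binary) can be reproduced in a few lines so a developer triaging a suspected false positive can see exactly which section of their installer a signature lands on and which bytes to hand ClamAV with the FP report. The following is an added example, not code from this thread or from the ClamAV project: it parses .mdb lines, walks the PE section table, hashes each section's raw data and reports the matches. The PE image and the .mdb line it checks are constructed inline so the script runs offline; a real check would read the actual installer and the line from `daily.mdb`/`main.mdb`.

```python
"""Find which PE section a ClamAV .mdb (section MD5) signature matches."""
import hashlib
import struct


def parse_mdb(text):
    """Parse ClamAV .mdb lines: PESectionSize:PESectionHash:MalwareName.
    A '*' size is treated as a wildcard (matches any section size)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, md5, name = line.split(":")[:3]
        sigs.append((None if size == "*" else int(size), md5.lower(), name))
    return sigs


def pe_sections(data):
    """Yield (name, raw_offset, raw_size, raw_bytes) for each section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size          # section headers follow the optional header
    for i in range(num_sections):
        off = sec_table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_ptr, raw_size, data[raw_ptr:raw_ptr + raw_size]


def section_hashes(data):
    """Return [(name, raw_size, md5hex)] in the same form sigtool --mdb prints."""
    return [(name, raw_size, hashlib.md5(body).hexdigest())
            for name, _, raw_size, body in pe_sections(data)]


def match_mdb(data, sigs):
    """Return [(section_name, signature_name)] for every section whose raw size
    and MD5 match a parsed .mdb entry; an empty list means no section hit."""
    hits = []
    for name, size, md5 in section_hashes(data):
        for sig_size, sig_md5, sig_name in sigs:
            if sig_md5 == md5 and (sig_size is None or sig_size == size):
                hits.append((name, sig_name))
    return hits


def build_sample_pe(sections, file_align=0x200):
    """Construct a minimal PE32 image with the given (name, payload) sections.
    Constructed only so the example runs offline; it is not an executable program."""
    num = len(sections)
    opt_size = 224                                           # PE32 optional header size
    headers = 0x40 + 4 + 20 + opt_size + 40 * num
    headers = (headers + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)     # section/file alignment
    sec_hdrs, bodies, ptr, va = b"", b"", headers, 0x1000
    for name, payload in sections:
        raw_size = (len(payload) + file_align - 1) // file_align * file_align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(payload), va, raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        bodies += payload.ljust(raw_size, b"\0")
        ptr += raw_size
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return image.ljust(headers, b"\0") + bodies


# Constructed sample "installer" with two sections.
SAMPLE_PE = build_sample_pe([
    (".text", b"constructed code bytes, not a real program"),
    (".rdata", b"constructed installer strings"),
])

# Constructed .mdb entry: its size and MD5 are taken from SAMPLE_PE's .rdata section
# so the lookup has something to hit. A real entry would come from ClamAV's database.
_rdata_size, _rdata_md5 = [(s, h) for n, s, h in section_hashes(SAMPLE_PE) if n == ".rdata"][0]
SAMPLE_MDB = f"{_rdata_size}:{_rdata_md5}:Example.FalsePositive-1\n"


def demo():
    """Which section of the sample does the sample signature flag?"""
    return match_mdb(SAMPLE_PE, parse_mdb(SAMPLE_MDB))


if __name__ == "__main__":
    for name, size, md5 in section_hashes(SAMPLE_PE):
        print(f"{size}:{md5}:{name}")
    print("matches:", demo())
```

Because the hash covers a whole section's raw bytes, the output tells the developer which section (code, resources, strings) to inspect and excerpt for the FP submission; it also shows why the recompile advice in the post works at all, since any change to that section's bytes changes its MD5.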