Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
That should've been:
----
Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1
17:29:10 2015
Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
----
That is, daily.cld version 21032 does not report the trojan. 21031 does.
IIRC 21030 reported the trojan on Friday as well.
On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote:
> ClamAV update process started at Sun Nov 01 05:58:39 2015
>
> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
> builder: neo)
> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63,
> builder: neo)
> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63,
> builder: anvilleg)
>
> Thanks for your response.
>
>
> On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
>> Which versions of the main, daily, and bytecode databases are you using?
>> On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was
>> present in some of the 32-bit Windows installers.
>>
>> If I run clamscan today with the following database versions on the same
>> files the scans come up clean:
>>
>> ----
>> Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1
>> 08:27:42 2015
>> Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
>> 2424225, f-level: 60, builder: neo)
>> Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
>> sigs: 1645560, f-level: 63, builder: neo)
>> Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
>> sigs: 47, f-level: 63, builder: anvilleg)
>> ----
>>
>>
>> Note that AV false positives happen often enough that we maintain a list:
>>
>> https://wiki.wireshark.org/FalsePositives
>>
>> As does the NSIS team (which tends to impact the Wireshark and WinPcap
>> installers):
>>
>> http://nsis.sourceforge.net/NSIS_False_Positives
>>
>>
>> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote:
>>> Yes I am. But these trojans were not present a on the 28th of October.
>>> Meaning that the database update since the 28th would have had to have
>>> contained this misinformation. I have contacted ClamAV but they have not
>>> responded yet. SANS is involved in this issue as well.
>>>
>>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
>>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>:
>>>>
>>>>>
>>>>> After discovering the attached trojans during a scan on the 30th, I
>>>>> removed infected files, scrubbed the registry, repeated the scan. Nada.
>>>>> Then, I needed to replace the networking tools by downloading fresh
>>>>> copies of the removed, infected exe files. Upon downloading various
>>>>> tools from their respective websites, I repeated the virus scan to be
>>>>> sure. All newly downloaded exe files were again infected with the same
>>>>> trojans.
>>>>>
>>>>> Since all the Wireshark & WinPCap files were affected, I was wondering
>>>>> if any of you out there have had the same experience?
>>>>>
>>>>> I hope that someone can help me brainstorm for a fix. I need to use the
>>>>> tools of the trade.
>>>>>
>>>>> Thanks for any ideas.
>>>>>
>>>>
>>>> Hi,
>>>>
>>>> Are you using ClamAV by any chance? as reported by Gerald Comb
>>>> (Wireshark's
>>>> leader) on the development list (
>>>> https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this
>>>> seems to be a false positive reported to clamav.net.
>>>>
>>>> Best regards,
>>>> Pascal.
>>>> ___________________________________________________________________________
>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives: https://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives: https://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>