Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
From: gedropi@xxxxxxxxxxx
Date: Fri, 06 Nov 2015 07:40:54 -0800
Version 21032 was obtained via deleting the old engine and databases and downloading fresh. All but one of the trojans was a false positive that was reported in version 21031. The remaining exe had to get some coding help before it could pass muster. All scans now are clean. Thank you for your help. On Mon, Nov 2, 2015, at 12:19 PM, gedropi@xxxxxxxxxxx wrote: > Regarding..." That is, daily.cld version 21032 does not report the > trojan. 21031 does. > > IIRC 21030 reported the trojan on Friday as well." I am happy to report that 21032 lets Wireshark (and a couple of other apps) out of quarantine but not all apps. Perhaps those will be freed from quarantine in subsequent builds. > > Thank you for your efforts > > On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote: > > That should've been: > > > > ---- > > Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1 > > 17:29:10 2015 > > Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs: > > 2424225, f-level: 60, builder: neo) > > Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032, > > sigs: 1645531, f-level: 63, builder: shurley) > > Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269, > > sigs: 47, f-level: 63, builder: anvilleg) > > ---- > > > > That is, daily.cld version 21032 does not report the trojan. 21031 does. > > IIRC 21030 reported the trojan on Friday as well. > > > > On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote: > > > ClamAV update process started at Sun Nov 01 05:58:39 2015 > > > > > > main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, > > > builder: neo) > > > daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, > > > builder: neo) > > > bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, > > > builder: anvilleg) > > > > > > Thanks for your response. > > > > > > > > > On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote: > > >> Which versions of the main, daily, and bytecode databases are you using? > > >> On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was > > >> present in some of the 32-bit Windows installers. > > >> > > >> If I run clamscan today with the following database versions on the same > > >> files the scans come up clean: > > >> > > >> ---- > > >> Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1 > > >> 08:27:42 2015 > > >> Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: > > >> 2424225, f-level: 60, builder: neo) > > >> Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031, > > >> sigs: 1645560, f-level: 63, builder: neo) > > >> Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, > > >> sigs: 47, f-level: 63, builder: anvilleg) > > >> ---- > > >> > > >> > > >> Note that AV false positives happen often enough that we maintain a list: > > >> > > >> https://wiki.wireshark.org/FalsePositives > > >> > > >> As does the NSIS team (which tends to impact the Wireshark and WinPcap > > >> installers): > > >> > > >> http://nsis.sourceforge.net/NSIS_False_Positives > > >> > > >> > > >> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote: > > >>> Yes I am. But these trojans were not present a on the 28th of October. > > >>> Meaning that the database update since the 28th would have had to have > > >>> contained this misinformation. I have contacted ClamAV but they have not > > >>> responded yet. SANS is involved in this issue as well. > > >>> > > >>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote: > > >>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>: > > >>>> > > >>>>> > > >>>>> After discovering the attached trojans during a scan on the 30th, I > > >>>>> removed infected files, scrubbed the registry, repeated the scan. Nada. > > >>>>> Then, I needed to replace the networking tools by downloading fresh > > >>>>> copies of the removed, infected exe files. Upon downloading various > > >>>>> tools from their respective websites, I repeated the virus scan to be > > >>>>> sure. All newly downloaded exe files were again infected with the same > > >>>>> trojans. > > >>>>> > > >>>>> Since all the Wireshark & WinPCap files were affected, I was wondering > > >>>>> if any of you out there have had the same experience? > > >>>>> > > >>>>> I hope that someone can help me brainstorm for a fix. I need to use the > > >>>>> tools of the trade. > > >>>>> > > >>>>> Thanks for any ideas. > > >>>>> > > >>>> > > >>>> Hi, > > >>>> > > >>>> Are you using ClamAV by any chance? as reported by Gerald Comb > > >>>> (Wireshark's > > >>>> leader) on the development list ( > > >>>> https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this > > >>>> seems to be a false positive reported to clamav.net. > > >>>> > > >>>> Best regards, > > >>>> Pascal. > > >>>> ___________________________________________________________________________ > > >>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > > >>>> Archives: https://www.wireshark.org/lists/wireshark-users > > >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > > >>> ___________________________________________________________________________ > > >>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > > >>> Archives: https://www.wireshark.org/lists/wireshark-users > > >>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > >>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > > >>> > > >> > > >> ___________________________________________________________________________ > > >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > > >> Archives: https://www.wireshark.org/lists/wireshark-users > > >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > > > ___________________________________________________________________________ > > > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > > > Archives: https://www.wireshark.org/lists/wireshark-users > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > > > > > > > ___________________________________________________________________________ > > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > > Archives: https://www.wireshark.org/lists/wireshark-users > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: https://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
- References:
- [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Pascal Quantin
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Gerald Combs
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Gerald Combs
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Prev by Date: Re: [Wireshark-users] Wireshark 2.0.0rc2 is now available
- Next by Date: [Wireshark-users] Urgent Wireshark Query
- Previous by thread: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Next by thread: [Wireshark-users] test
- Index(es):