Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc

Date: Mon, 02 Nov 2015 12:19:35 -0800
Regarding:

> That is, daily.cld version 21032 does not report the trojan. 21031 does.
> IIRC 21030 reported the trojan on Friday as well.

I am happy to report that 21032 lets Wireshark (and a couple of other apps) out of quarantine but not all apps.  Perhaps those will be freed from quarantine in subsequent builds.

Thank you for your efforts

On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote:
> That should've been:
> 
> ----
> Sun Nov  1 17:29:10 2015 -> ClamAV update process started at Sun Nov  1
> 17:29:10 2015
> Sun Nov  1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
> 2424225, f-level: 60, builder: neo)
> Sun Nov  1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
> sigs: 1645531, f-level: 63, builder: shurley)
> Sun Nov  1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
> sigs: 47, f-level: 63, builder: anvilleg)
> ----
> 
> That is, daily.cld version 21032 does not report the trojan. 21031 does.
> IIRC 21030 reported the trojan on Friday as well.
> 
> On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote:
> > ClamAV update process started at Sun Nov 01 05:58:39 2015
> > 
> > main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
> > builder: neo)
> > daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63,
> > builder: neo)
> > bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63,
> > builder: anvilleg)
> > 
> > Thanks for your response.
> > 
> > 
> > On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
> >> Which versions of the main, daily, and bytecode databases are you using?
> >> On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was
> >> present in some of the 32-bit Windows installers.
> >>
> >> If I run clamscan today with the following database versions on the same
> >> files the scans come up clean:
> >>
> >> ----
> >> Sun Nov  1 08:27:42 2015 -> ClamAV update process started at Sun Nov  1
> >> 08:27:42 2015
> >> Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
> >> 2424225, f-level: 60, builder: neo)
> >> Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
> >> sigs: 1645560, f-level: 63, builder: neo)
> >> Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
> >> sigs: 47, f-level: 63, builder: anvilleg)
> >> ----
> >>
> >>
> >> Note that AV false positives happen often enough that we maintain a list:
> >>
> >> https://wiki.wireshark.org/FalsePositives
> >>
> >> As does the NSIS team (which tends to impact the Wireshark and WinPcap
> >> installers):
> >>
> >> http://nsis.sourceforge.net/NSIS_False_Positives
> >>
> >>
> >> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote:
> >>> Yes I am.  But these trojans were not present on the 28th of October.
> >>> Meaning that the database update since the 28th would have had to have
> >>> contained this misinformation. I have contacted ClamAV but they have not
> >>> responded yet.  SANS is involved in this issue as well.
> >>>
> >>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
> >>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>:
> >>>>
> >>>>>
> >>>>> After discovering the attached trojans during a scan on the 30th, I
> >>>>> removed infected files, scrubbed the registry, repeated the scan. Nada.
> >>>>> Then, I needed to replace the networking tools by downloading fresh
> >>>>> copies of the removed, infected exe files.  Upon downloading various
> >>>>> tools from their respective websites, I repeated the virus scan to be
> >>>>> sure. All newly downloaded exe files were again infected with the same
> >>>>> trojans.
> >>>>>
> >>>>> Since all the Wireshark & WinPCap files were affected, I was wondering
> >>>>> if any of you out there have had the same experience?
> >>>>>
> >>>>> I hope that someone can help me brainstorm for a fix.  I need to use the
> >>>>> tools of the trade.
> >>>>>
> >>>>> Thanks for any ideas.
> >>>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> Are you using ClamAV by any chance? As reported by Gerald Combs
> >>>> (Wireshark's
> >>>> leader) on the development list (
> >>>> https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this
> >>>> seems to be a false positive reported to clamav.net.
> >>>>
> >>>> Best regards,
> >>>> Pascal.
> >>>> ___________________________________________________________________________
> >>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> >>>> Archives:    https://www.wireshark.org/lists/wireshark-users
> >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> >>>
> >>
> > 
> 
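The thread's diagnostic point is that the same files scan clean or dirty depending solely on the daily.cld version loaded, so a triage step should record the signature-database versions alongside any detection before files are quarantined. The script below is an added example, not code from the thread or from the Wireshark or ClamAV projects: it parses the freshclam "is up to date" lines exactly as quoted above (tolerating the mail-client line wrapping and `>` quote markers), classifies the loaded daily.cld against the versions the thread names (21030 and 21031 flagged the installers, 21032 did not), and labels each `FOUND` line of clamscan output accordingly. The clamscan sample, its file paths and the `Constructed.Sample.Sig-1` name are constructed for the example; only `Win.Adware.Outbrowse-1168` and the database version numbers come from the thread.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Sample freshclam output copied from the thread above (line-wrapped by the
# mail client, which the parser tolerates). The 21031 set is the one the thread
# reports as flagging the installers; 21032 is the first one reported clean.
FRESHCLAM_21031 = """\
Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
sigs: 1645560, f-level: 63, builder: neo)
Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
"""

FRESHCLAM_21032 = """\
Sun Nov  1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov  1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov  1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
"""

# Constructed clamscan output: the paths and the second signature name are
# made up for this example; the first signature name is the one in the thread.
CLAMSCAN_SAMPLE = """\
C:\\Downloads\\Wireshark-win32-EXAMPLE.exe: Win.Adware.Outbrowse-1168 FOUND
C:\\Downloads\\WinPcap_EXAMPLE.exe: Win.Adware.Outbrowse-1168 FOUND
C:\\Downloads\\unrelated-tool.exe: Constructed.Sample.Sig-1 FOUND
C:\\Downloads\\clean-file.txt: OK
"""

# Facts taken from the thread: the signature name, the daily.cld versions that
# produced the false positive, and the first version that did not.
FP_SIGNATURE = "Win.Adware.Outbrowse-1168"
KNOWN_FP_DAILY_VERSIONS = {21030, 21031}
FIRST_CLEAN_DAILY_VERSION = 21032


class DbInfo(NamedTuple):
    version: int
    sigs: int
    flevel: int
    builder: str


# Accepts .cld and .cvd names, "up to date" or "up-to-date", and any whitespace
# (including a mail-client line wrap) between tokens.
DB_RE = re.compile(
    r"(?P<name>main|daily|bytecode)\.c[lv]d\s+is\s+up[\s-]+to[\s-]+date\s+"
    r"\(version:\s*(?P<version>\d+),\s*sigs:\s*(?P<sigs>\d+),\s*"
    r"f-level:\s*(?P<flevel>\d+),\s*builder:\s*(?P<builder>\w+)\)"
)

# clamscan prints one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.M)


def parse_freshclam(text: str) -> Dict[str, DbInfo]:
    """Return {db_name: DbInfo} for every database line in freshclam output."""
    text = re.sub(r"^[>\s]+", "", text, flags=re.M)  # drop mail quote markers
    return {
        m.group("name"): DbInfo(
            int(m.group("version")), int(m.group("sigs")),
            int(m.group("flevel")), m.group("builder"),
        )
        for m in DB_RE.finditer(text)
    }


def assess_signature_set(text: str) -> str:
    """Classify a freshclam report against the daily.cld versions named above."""
    dbs = parse_freshclam(text)
    if "daily" not in dbs:
        return "unknown"
    v = dbs["daily"].version
    if v in KNOWN_FP_DAILY_VERSIONS:
        return "known-false-positive"
    if v >= FIRST_CLEAN_DAILY_VERSION:
        return "clean-signature-set"
    return "unknown"


def triage_detections(clamscan_output: str, daily_version: int) -> List[Tuple[str, str, str]]:
    """Label each FOUND line. Only the thread's signature under a known-bad
    daily.cld is marked as a likely false positive; everything else still
    needs a look before any file is restored."""
    results = []
    for m in FOUND_RE.finditer(clamscan_output):
        sig = m.group("sig")
        if sig == FP_SIGNATURE and daily_version in KNOWN_FP_DAILY_VERSIONS:
            verdict = "likely-false-positive"
        else:
            verdict = "needs-investigation"
        results.append((m.group("path"), sig, verdict))
    return results


if __name__ == "__main__":
    for label, log in (("21031", FRESHCLAM_21031), ("21032", FRESHCLAM_21032)):
        print(label, parse_freshclam(log)["daily"], assess_signature_set(log))
    daily = parse_freshclam(FRESHCLAM_21031)["daily"].version
    for path, sig, verdict in triage_detections(CLAMSCAN_SAMPLE, daily):
        print(f"{verdict:24} {sig:28} {path}")
```

Run it as-is to see the two signature sets classified and the three detections labelled; in practice you would feed it `freshclam --version`/update output and a saved `clamscan` log from the same session, so the database version that produced each verdict is kept with the evidence rather than lost when the databases update the next morning.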