Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Sun, 1 Nov 2015 10:14:11 -0800
Which versions of the main, daily, and bytecode databases are you using? On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was present in some of the 32-bit Windows installers.

If I run clamscan today with the following database versions on the same files the scans come up clean:

----
Sun Nov  1 08:27:42 2015 -> ClamAV update process started at Sun Nov  1 08:27:42 2015
Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
----


Note that AV false positives happen often enough that we maintain a list:

https://wiki.wireshark.org/FalsePositives

As does the NSIS team (which tends to impact the Wireshark and WinPcap installers):

http://nsis.sourceforge.net/NSIS_False_Positives
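
A triage helper for the database-version check described above, added here as an example and not part of this thread or of ClamAV's own tooling: it parses freshclam output for the main/daily/bytecode versions and clamscan per-file result lines, then compares two scans of the same bytes so a detection that disappears only after a database update is recorded as such. The log text, file names, hashes and the earlier daily version are constructed placeholders.

```python
import re

# Constructed sample input in the freshclam log format quoted in the message above.
FRESHCLAM_LOG = """\
Sun Nov  1 08:27:42 2015 -> ClamAV update process started at Sun Nov  1 08:27:42 2015
Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
"""

# Matches both "X.cld is up to date (version: N, ...)" and "X.cvd updated (version: N, ...)".
DB_LINE = re.compile(r"(?P<db>main|daily|bytecode)\.c[lv]d .*?\(version: (?P<ver>\d+), sigs: (?P<sigs>\d+)")
# Matches clamscan per-file lines such as "file.exe: Some.Signature-1 FOUND" or "file.exe: OK".
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_db_versions(log: str) -> dict:
    """Return {db: {"version": int, "sigs": int}} from freshclam output."""
    out = {}
    for line in log.splitlines():
        m = DB_LINE.search(line)
        if m:
            out[m["db"]] = {"version": int(m["ver"]), "sigs": int(m["sigs"])}
    return out


def parse_scan(output: str) -> dict:
    """Return {path: signature_or_None} from clamscan per-file result lines (summary lines ignored)."""
    hits = {}
    for line in output.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            hits[m["path"]] = m["sig"]
    return hits


def classify_rescan(first: dict, second: dict) -> str:
    """Compare two scans of the same bytes; each is {"sha256", "detection", "db": parse_db_versions(...)}.
    A detection that clears only after a database advanced is the retracted-signature pattern;
    confirm against the vendor's false-positive list before drawing further conclusions."""
    if first["sha256"] != second["sha256"]:
        return "different-file"        # not a rescan of identical bytes; nothing to compare
    advanced = any(second["db"][k]["version"] > first["db"].get(k, {}).get("version", -1)
                   for k in second["db"])
    if first["detection"] and not second["detection"]:
        return "cleared-after-update" if advanced else "cleared-same-db"
    if second["detection"]:
        return "still-detected"        # verify the file's provenance before trusting it
    return "clean"
```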


On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote:
> Yes I am.  But these trojans were not present on the 28th of October.
> Meaning that the database update since the 28th would have had to have
> contained this misinformation. I have contacted ClamAV but they have not
> responded yet.  SANS is involved in this issue as well.
> 
> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>:
>>
>>>
>>> After discovering the attached trojans during a scan on the 30th, I
>>> removed infected files, scrubbed the registry, repeated the scan. Nada.
>>> Then, I needed to replace the networking tools by downloading fresh
>>> copies of the removed, infected exe files.  Upon downloading various
>>> tools from their respective websites, I repeated the virus scan to be
>>> sure. All newly downloaded exe files were again infected with the same
>>> trojans.
>>>
>>> Since all the Wireshark & WinPCap files were affected, I was wondering
>>> if any of you out there have had the same experience?
>>>
>>> I hope that someone can help me brainstorm for a fix.  I need to use the
>>> tools of the trade.
>>>
>>> Thanks for any ideas.
>>>
>>
>> Hi,
>>
>> Are you using ClamAV by any chance? As reported by Gerald Combs
>> (Wireshark's leader) on the development list
>> (https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this
>> seems to be a false positive reported to clamav.net.
>>
>> Best regards,
>> Pascal.
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe