toast, posted August 26, 2010

Just downloaded "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso". This is a commercial Universal Threat Management (UTM) product. ClamAV reports the file as a threat. Detection name: "Generic.Qhost.6EE5224F". I'm curious about this, as this is the first time I've downloaded the product. Endian is a company that builds and markets hardware and software UTM appliances, so I suspect a false positive but want to be sure. I'd appreciate it if someone could verify for me. The file size is 177MB. I have ClamAV configured to upload threats to Immunet, so maybe you have the file already. If you want me to upload it again I will be more than happy to do so. Thanks.
etms51, posted August 26, 2010

This is a good question, but it depends on where you are downloading this program from. If you downloaded it from the company's official website but ClamAV and Immunet detect it as malware, this program can be an FP. If instead you downloaded this file from another source, it could be malware. I don't have more material, but I highly recommend checking the program's hash and comparing it to your newly downloaded copy.
toast (author), posted August 26, 2010

The program ISO was downloaded from Endian's download servers. Here are the hashes:

File: ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso
CRC-32: 57d74254
MD4: bbd9ea7988c940da41abbfdc59cbab84
MD5: 200e25f51a9d2025666da760776d80db
SHA-1: a0f2856ab72709b199fbe56782032fbbe53094ca
alfred, posted August 26, 2010

Hi Toast,

That is odd. Just to be sure, this was detected on ClamAV for Windows, correct? If so, that sounds a little large to send the actual file to me to review. You can either post the SHA256 file hash here, or I would suggest making an 'exclusion' for the file. Is there a site I can download it from? Feel free to private message me if you like.

al
toast (author), posted August 26, 2010

Hi Al,

Thank you for responding. I am using ClamAV for Windows. I'm going to say you know me personally, as we spoke on the phone recently about another issue. I'm RC.... I provided some hashes in the previous post. Do you really need the SHA256, or are the hashes I provided sufficient? If you would like, I can email you a link you can download the file from. I will upload the file to my FTP server and send you the link from that. Let me know?
alfred, posted August 26, 2010

Hey RC. I do need the SHA256 because it's the primary crypto hash we use. Under Linux your distro will likely have sha256sum on it. If not, I can grab the ISO as well.

al
toast (author), posted August 26, 2010

SHA256 = 80f8ae062e7300db029068ded0ba98e48bce231825d7813f512754774eb4c7c0 "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso"

I am uploading the ISO to my FTP server now; if and when you need it I'll email you the link. Question: is it possible that ClamAV is looking at the contents of the ISO and it's the hash of a single file that's being flagged, not the hash of the ISO?

Rob
alfred, posted August 26, 2010

Hey Rob,

As I said in the email, it's definitely an FP, generated by the Tetra engine. I have whitelisted the file now, so after your cache clears it should be fine. I am not sure how the sig works that convicted it. I suspect it was a CRC-based sig gone wrong, but I am not totally sure.

al
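The hash exchange above, as an added example that is not part of the original thread: a small POSIX shell script that prints the MD5, SHA-1 and SHA-256 digests of a downloaded image in the form the thread used, and compares the SHA-256 against a value the caller supplies (for example, one published by the vendor). The function names `hash_file`, `verify_sha256` and `report` are this example's own, and it assumes either coreutils (`md5sum`, `sha1sum`, `sha256sum`) or the BSD/macOS tools (`md5 -q`, `shasum`) are installed. It does not invoke ClamAV.

```shell
#!/bin/sh
# Added example (not the thread's or Endian's code): hash a downloaded
# image and check its SHA-256 against an expected value.
# Assumes coreutils or BSD/macOS hashing tools; no network access.

# hash_file ALGO FILE -> prints the lowercase hex digest of FILE
hash_file() {
    file="$2"
    case "$1" in
        md5)    out=$(md5sum "$file" 2>/dev/null || md5 -q "$file") ;;
        sha1)   out=$(sha1sum "$file" 2>/dev/null || shasum -a 1 "$file") ;;
        sha256) out=$(sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") ;;
        *)      echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
    # coreutils prints "<digest>  <name>"; md5 -q prints only the digest.
    # Take the first field and normalise to lowercase either way.
    printf '%s\n' "$out" | awk '{print tolower($1)}'
}

# verify_sha256 FILE EXPECTED -> exit 0 if the digest matches (case-insensitive)
verify_sha256() {
    actual=$(hash_file sha256 "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# report FILE -> print the three digests in the form used in the thread
report() {
    printf 'File: %s\n' "$1"
    printf 'MD5: %s\n'    "$(hash_file md5 "$1")"
    printf 'SHA-1: %s\n'  "$(hash_file sha1 "$1")"
    printf 'SHA256: %s\n' "$(hash_file sha256 "$1")"
}

# Usage: ./hashcheck.sh IMAGE.iso [EXPECTED_SHA256]
# (Only runs when arguments are given, so the functions can be sourced.)
if [ -n "${1:-}" ]; then
    report "$1"
    if [ -n "${2:-}" ]; then
        if verify_sha256 "$1" "$2"; then
            echo "SHA-256 matches the expected value"
        else
            echo "SHA-256 MISMATCH: do not trust this download" >&2
            exit 1
        fi
    fi
fi
```

A matching SHA-256 only tells you the bytes you got are the bytes the vendor published; it does not say which file inside the ISO tripped a signature. To answer Rob's question about whether the inner contents are what is being flagged, mount or extract the image and scan the extracted tree so the scanner reports the inner path rather than the container.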