Jump to content
toast

Endian Utm Appliance False Positive?

Recommended Posts

Just downloaded "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso This is a commercial Universal Threat Management (UTM) product.

Clamav reports the files as a threat. Detection Name "Generic.Qhost.6EE5224F

I'm curious about this as this is the first time I've downloaded the product. Endian is a company the builds and markets hardware and software UTM appliances, so I suspect a false positive but want to be sure.

Appreciate if someone could verify for me. The file size is 177MB, I have Clamav configured to upload threats to Immunet so maybe you have the file already.

If you want me to upload it again I will be more than happy to do so.

 

Thanks.

Share this post


Link to post
Share on other sites

this a better question, but depend where are you downloading this program. If you have downloaded to official website of company but Clamav and immunet detect as malware, this program can be FP.

If instead have you download this file to another source, could be a malware.

 

I don't have more material but I highly recommend seeing the program hash and compare it to your newly downloaded

Share this post


Link to post
Share on other sites

this a better question, but depend where are you downloading this program. If you have downloaded to official website of company but Clamav and immunet detect as malware, this program can be FP.

If instead have you download this file to another source, could be a malware.

 

I don't have more material but I highly recommend seeing the program hash and compare it to your newly downloaded

 

The program iso was downloaded from Endian's dl servers. Here are the Hashes:

 

File: ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso

CRC-32: 57d74254

MD4: bbd9ea7988c940da41abbfdc59cbab84

MD5: 200e25f51a9d2025666da760776d80db

SHA-1: a0f2856ab72709b199fbe56782032fbbe53094ca

Share this post


Link to post
Share on other sites

Just downloaded "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso This is a commercial Universal Threat Management (UTM) product.

Clamav reports the files as a threat. Detection Name "Generic.Qhost.6EE5224F

I'm curious about this as this is the first time I've downloaded the product. Endian is a company the builds and markets hardware and software UTM appliances, so I suspect a false positive but want to be sure.

Appreciate if someone could verify for me. The file size is 177MB, I have Clamav configured to upload threats to Immunet so maybe you have the file already.

If you want me to upload it again I will be more than happy to do so.

 

Thanks.

 

 

Hi Toast,

 

That is odd. Just to be sure, this was detected on ClamAV for Windows correct? If so, that sounds a little large to send the actual file to me to review. You can either post the SHA256 file hash here or I would suggest making 'exclusion' for the file. Is there a site I can download it from? Feel free to private message me if you like.

 

al

Share this post


Link to post
Share on other sites

Hi Toast,

 

That is odd. Just to be sure, this was detected on ClamAV for Windows correct? If so, that sounds a little large to send the actual file to me to review. You can either post the SHA256 file hash here or I would suggest making 'exclusion' for the file. Is there a site I can download it from? Feel free to private message me if you like.

 

al

 

Hi Al, Thank you for responding. I am using Clamav for windows. I'm going to say you know me personaly as we spoke on the phone recently about another issue. I'm RC.... I provided some hashes in the previous post. Do you really need the SHA256 or are the hashes I provided sufficient? If you would like I can email you a link you can download the file from. I will upload the file to my ftp server and send you the link from that. Let me know?

Share this post


Link to post
Share on other sites

Hi Al, Thank you for responding. I am using Clamav for windows. I'm going to say you know me personaly as we spoke on the phone recently about another issue. I'm RC.... I provided some hashes in the previous post. Do you really need the SHA256 or are the hashes I provided sufficient? If you would like I can email you a link you can download the file from. I will upload the file to my ftp server and send you the link from that. Let me know?

 

 

Hey RC. I do need the SHA256 because it's the primary crypto hash we use. Under linux your distro will likely have sha256sum on it. If not, I can grab the ISO as well.

 

al

Share this post


Link to post
Share on other sites

Hey RC. I do need the SHA256 because it's the primary crypto hash we use. Under linux your distro will likely have sha256sum on it. If not, I can grab the ISO as well.

 

al

 

SHA256 = 80f8ae062e7300db029068ded0ba98e48bce231825d7813f512754774eb4c7c0 "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso"

 

I am uploading the iso to my ftp server now, if and when you need it I'll email you with the link.

 

Question, is it possible that clamav is looking at the contents of the iso and it's the hash of the single thats being flaged, not the hash of the iso?

 

Rob

Share this post


Link to post
Share on other sites

SHA256 = 80f8ae062e7300db029068ded0ba98e48bce231825d7813f512754774eb4c7c0 "ENDIAN-FIREWALL-SOFTWARE-APPLIANCE-510-2_3.iso"

 

I am uploading the iso to my ftp server now, if and when you need it I'll email you with the link.

 

Question, is it possible that clamav is looking at the contents of the iso and it's the hash of the single thats being flaged, not the hash of the iso?

 

Rob

 

Hey Rob,

 

As I said in the email, it's a definitely an FP, generated by the Tetra engine. I have whitelisted the file now so after your cache clears it should be fine. I am not sure how the sig works that convicted it. I suspect it was a CRC based sig gone wrong but I am not totally sure.

 

al

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...