Jef_uk
Joined: 01 Oct 2015
Posts: 0
Location: UK
Posted: Thu Oct 01, 2015 7:26 am
I cannot find it anywhere, and the UTM tripped when I downloaded this:
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile - 09/29/15-08:43:06
Thanks
ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Thu Oct 01, 2015 2:40 pm
ClamAV/ClamWin should be able to support any MD5 and SHA hashes, as far as I know.
I am not sure what you are trying to ask, though; there is only one type of MD5 hash.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Oct 01, 2015 4:17 pm
If you want the MD5 hash of ClamWin, scan the file (exe or whatever) on Virus Total and look at the detail.
As far as I know (based on information from 3 years ago), Clam AV (and therefore ClamWin) used the MD5 official hash, although there was some support for SHA. I could get ClamWin to detect a SHA signature hash, but Clam's submission interface could not process the SHA signature. SHA is standard for most AVs, so Clam should support it by now. For me, MD5 is still okay the way Clam AV uses it: they pair the MD5 with file size, which is pretty secure.
Regards,
Jef_uk
Joined: 01 Oct 2015
Posts: 0
Location: UK
Posted: Thu Oct 01, 2015 7:59 pm
Sorry, I meant: what is the checksum, so I can verify the download has not been tampered with?
It's normally on the website somewhere; please can someone tell me where, as I could not locate it.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Oct 01, 2015 11:16 pm
I don't recall ClamWin ever using a checksum. I suggest that you upload the install file to Virus Total and verify it that way.
Regards,
Jef_uk
Joined: 01 Oct 2015
Posts: 0
Location: UK
Posted: Fri Oct 02, 2015 6:56 am
Time to upload = (Size_of_file_in_MB * 8 bits) / average_upload_sync_speed_in_megabits_per_second
It will only take an hour and 10 minutes if nothing goes wrong....
I don't understand why checksums are not posted for every new build.
Debian do it for whole DVDs:
https://cdimage.debian.org/debian-cd/8.2.0/amd64/bt-dvd/SHA512SUMS
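The verification the post above is asking for, shown as an added example (not code from the thread or from the ClamWin project): it parses a coreutils-style SHA512SUMS list like the Debian one linked above, streams the downloaded file through SHA-512, and reports whether the digest matches, does not match, or is simply not listed. The file names and file contents in `demo()` are constructed stand-ins, and the digest list is built from the "genuine" fixture so the example runs offline.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums_file(text):
    """Parse a coreutils-style checksum list (the SHA512SUMS format Debian publishes).

    Each line is '<hex digest>  <filename>' (two spaces, text mode) or
    '<hex digest> *<filename>' (binary mode). Returns {filename: digest}.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no filename after the digest
        digest, name = parts
        if name.startswith("*"):
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large installer is never loaded whole."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """Compare a downloaded file against its published digest.

    Returns 'ok', 'mismatch' (file altered or corrupted in transit) or
    'missing' (the list does not cover this filename, so nothing was verified).
    """
    expected = parse_sums_file(sums_text).get(os.path.basename(path))
    if expected is None:
        return "missing"
    actual = sha512_of_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Run the check on constructed fixtures: a genuine file, a tampered copy
    and a file the list does not mention. Returns {filename: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-setup.exe")         # constructed name
        bad = os.path.join(d, "example-tampered.exe")       # constructed name
        unlisted = os.path.join(d, "example-unlisted.exe")  # constructed name
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)              # constructed stand-in for an installer
        with open(bad, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1023 + b"\x01")    # same file with one byte changed
        with open(unlisted, "wb") as f:
            f.write(b"MZ")
        # A real list would be fetched from the project site; this one is
        # constructed from the genuine fixture so the demo runs offline.
        sums_text = "{}  example-setup.exe\n{} *example-tampered.exe\n".format(
            sha512_of_file(good), sha512_of_file(good)
        )
        return {
            "example-setup.exe": verify_download(good, sums_text),
            "example-tampered.exe": verify_download(bad, sums_text),
            "example-unlisted.exe": verify_download(unlisted, sums_text),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

`demo()` returns `ok` for the genuine file, `mismatch` for the one-byte change and `missing` for the unlisted file; treating `missing` as a distinct outcome matters, because a list that does not name the file has verified nothing. A digest list served from the same host as the installer only shows that the download matches what that host served; Debian additionally publishes a detached signature for its SHA512SUMS file, which is what ties the list to the project rather than to the mirror.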
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Oct 02, 2015 3:19 pm
You can't do it then. As for why there is no MD5 for ClamWin, I don't know. It is basically a massaged version of the Clam AV code. It only goes through the hands of the 2 developers, and is then beta tested for a couple of weeks; any significant problem would probably be found.
I guess you could send each executable as installed to Virus Total.
Regards,
Jef_uk
Joined: 01 Oct 2015
Posts: 0
Location: UK
Posted: Sat Oct 03, 2015 8:10 pm
OK, I'm going to assume that snort has detected a virus that has been added to the setup file, and that it is not a false positive, for the current version.
I strongly recommend no one uses it!
snort is tripping on 5.10.152.194:
5.10.152.194 ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile - 10/03/15-22:06:07
It's sig 1:2009080, which is a candidate for a false positive, so I guess I now have to put it on a honeypot and find out what is packaged with it.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Oct 03, 2015 10:30 pm
Source Forge has gone a bit more commercial the last couple of years. Perhaps they've allied with adware or another PUP.
Regards,