Description
False Positive for NULL BYTE HASH
The ClamAV signature database main.hsb contains a signature using the MD5 hash d41d8cd98f00b204e9800998ecf8427e, which is the universally known hash of an empty file (0 bytes). This signature claims to detect a 2.3MB Android malware file, which is logically impossible since a 2,257,426-byte file cannot produce the same hash as a 0-byte file.
Signature in question:

```
d41d8cd98f00b204e9800998ecf8427e:2257426:Andr.Malware.Android_0294-3
```
This appears to be an erroneous signature that could potentially cause false positives on legitimate empty files, or more likely represents a corrupted/incorrect hash entry in the signature database.
How to reproduce the problem

1. Download the latest ClamAV signature database (main.cvd).
2. Unpack it using `sigtool --unpack main.cvd`.
3. Search for the empty-file hash in main.hsb:

```bash
grep "d41d8cd98f00b204e9800998ecf8427e" main.hsb
```

4. Observe the signature line showing a 2.3MB file size with the empty-file hash.
Verification that this is the empty-file hash:

```bash
echo -n "" | md5sum
```

Output: `d41d8cd98f00b204e9800998ecf8427e`
Expected behavior: This signature should either be removed or corrected with the actual MD5 hash of the Android malware sample.
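A small linter for `.hsb` entries, added here as an illustration and not part of ClamAV's own tooling: it parses `HashString:FileSize:MalwareName` lines, recomputes the zero-byte digests with `hashlib` rather than hard-coding them, and flags any entry that pairs an empty-file digest with a non-zero or wildcard size, which is exactly the inconsistency reported above. The sample database lines (other than the one quoted in this issue) are constructed for the example.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Hex-digest length -> algorithm, the three hash types ClamAV accepts in .hsb files.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Digests of the zero-byte input, computed here so nothing is typed in by hand.
EMPTY_DIGESTS = {algo: hashlib.new(algo, b"").hexdigest() for algo in HASH_ALGOS.values()}

@dataclass
class Finding:
    line_no: int
    name: str
    reason: str

def lint_hsb(text: str) -> list[Finding]:
    """Check each HashString:FileSize:MalwareName[:MinFL[:MaxFL]] line for defects."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            findings.append(Finding(n, "?", "fewer than 3 colon-separated fields"))
            continue
        digest, size, name = fields[0].lower(), fields[1], fields[2]
        algo = HASH_ALGOS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            findings.append(Finding(n, name, "hash is not a valid md5/sha1/sha256 hex digest"))
            continue
        if size != "*" and not size.isdigit():
            findings.append(Finding(n, name, f"size field {size!r} is neither '*' nor an integer"))
            continue
        # An empty-file digest with a non-zero size can never match a real sample;
        # with '*' it would match every empty file on the scanned system.
        if digest == EMPTY_DIGESTS[algo] and (size == "*" or int(size) > 0):
            findings.append(Finding(n, name, f"{algo} digest of the empty file paired with size {size}"))
    return findings

# Constructed sample: the entry quoted in the issue, one well-formed neighbour,
# a wildcard-size empty-file entry and one deliberately malformed line.
SAMPLE_HSB = """\
d41d8cd98f00b204e9800998ecf8427e:2257426:Andr.Malware.Android_0294-3
0123456789abcdef0123456789abcdef:1024:Win.Test.Example-1
da39a3ee5e6b4b0d3255bfef95601890afd80709:*:Test.EmptyWildcard
notahash:12:Broken.Entry
"""

if __name__ == "__main__":
    for f in lint_hsb(SAMPLE_HSB):
        print(f"line {f.line_no}: {f.name}: {f.reason}")
```

Run it against an unpacked main.hsb (`lint_hsb(open("main.hsb").read())`) to list every entry that carries an empty-file digest.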