ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
How to Attach raw message containing virus?
Mike25k


Joined: 06 Feb 2006
Posts: 2
How do you attach a raw message containing a virus? My scanlog shows what I think are two false positives, but I don't know how to attach or what file to send.

Thanks in advance

Mike
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
scan those at http://virustotal.com and see what other av programs detect
Mike25k


Joined: 06 Feb 2006
Posts: 2
http://upload2.postimage.org/120257/photo_hosting.html
http://upload2.postimage.org/120414/photo_hosting.html

Here are the results from http://virustotal.com/ .

As you can see, ClamAV and Panda are the only scans that are positive, so I assume these are false positives.

Mike
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Quote:
As you can see, ClamAV and Panda are the only scans that are positive, so I assume these are false positives.

yes it is very likely. You may submit those here:
http://www.clamav.net/sendvirus.html
hornet777


Joined: 12 Apr 2006
Posts: 8
jeez, I've just spent 100 minutes tracking down what to do with a possible false-positive detected by ClamWin, only to be frustrated....

First I searched this forum to find out the procedure (fine), next scanned the suspect with two online scanners (it's actually http://www.virustotal.com/en/indexx.html for VirusTotal) and Jotti, gathered the results and prepared to send it off to ClamAV, only to get through the upload and then receive an error message:

Quote:
Result:

We cannot accept file larger than 1048576 bytes. Sorry.

Please correct the above errors and retry. Thank you for helping the ClamAV project.


So, I'm still not sure if this is a false- or true-positive, and probably never will. Would have been nice for them to indicate this before I wasted all that time.

In any case, here are the results of the two online scans, FWIW:

Jotti scan:
Quote:
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: ffdshow-svn2526-20060424.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 ad1991cf45429aabc3cd4c200cbdc0d6
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Downloader.Zlob-305
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


VirusTotal scan:
Quote:
STATUS: FINISHED
Complete scanning result of "ffdshow-svn2526-20060424.exe", received in VirusTotal at 05.07.2006, 17:51:40 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 05.05.2006 no virus found
AVG 386 05.05.2006 no virus found
Avira 6.34.1.58 05.06.2006 no virus found
BitDefender 7.2 05.07.2006 no virus found
CAT-QuickHeal 8.00 05.05.2006 no virus found
ClamAV devel-20060426 05.07.2006 Trojan.Downloader.Zlob-305
DrWeb 4.33 05.07.2006 no virus found
eTrust-InoculateIT 23.72.1 05.06.2006 no virus found
eTrust-Vet 12.4.2194 05.04.2006 no virus found
Ewido 3.5 05.07.2006 no virus found
Fortinet 2.71.0.0 05.07.2006 suspicious
F-Prot 3.16c 05.05.2006 no virus found
Ikarus 0.2.65.0 05.05.2006 Trojan-Downloader.Win32.Zlob.IG
Kaspersky 4.0.2.24 05.07.2006 no virus found
McAfee 4756 05.05.2006 no virus found
Microsoft 1.1372 05.07.2006 no virus found
NOD32v2 1.1523 05.05.2006 no virus found
Norman 5.90.17 05.05.2006 no virus found
Panda 9.0.0.4 05.07.2006 Suspicious file
Sophos 4.05.0 05.07.2006 no virus found
Symantec 8.0 05.07.2006 no virus found
TheHacker 5.9.7.139 05.05.2006 no virus found
UNA 1.83 05.06.2006 no virus found
VBA32 3.11.0 05.06.2006 no virus found


Aditional Information
File size: 2741849 bytes
MD5: ad1991cf45429aabc3cd4c200cbdc0d6
SHA1: 663bb25173118c5794d33663459933d00db6a004

<sigh>
budtse


Joined: 14 Jan 2006
Posts: 372
Location: Belgium
You're right, the FAQ should indicate the upload file size limit.

I've added it to the TODO for the website (don't have access to the website itself currently, at least not the international one).

By the way, is this file something you downloaded somewhere? Maybe you can add the link here, so people can download and check for themselves.

budtse
hornet777


Joined: 12 Apr 2006
Posts: 8
Thanks for addressing the file upload size issue.

Additional info: I unpacked the file, which was compressed with UPX, and it no longer scanned positive, FWIW.

It's an installer for the open-source ffmpeg package, posted at doom9 forums I believe. At least in principle, one could do a search there and find it. I'm sure it's a false positive, although I haven't actually installed it yet.
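As an added example (not code from this thread, from ClamWin or from ClamAV), a small Python helper for the triage hornet777 walks through above: it parses results in the VirusTotal text layout quoted in the post, lists which engines flag the file, hashes the sample, checks it against the 1048576-byte submission limit the form reported, and looks for UPX section names as a packing hint. The report excerpt is constructed from that layout, and the UPX check is a heuristic on section names, not a full PE parser.

```python
import hashlib

# Upload limit quoted by the ClamAV submission form in the post above.
CLAMAV_UPLOAD_LIMIT = 1048576

# Constructed excerpt in the VirusTotal text layout shown above:
# "<engine> <version> <update date> <result>", result may contain spaces.
SAMPLE_REPORT = """\
AntiVir 6.34.0.24 04.20.2006 no virus found
ClamAV devel-20060426 05.07.2006 Trojan.Downloader.Zlob-305
Fortinet 2.71.0.0 05.07.2006 suspicious
Ikarus 0.2.65.0 05.05.2006 Trojan-Downloader.Win32.Zlob.IG
Panda 9.0.0.4 05.07.2006 Suspicious file
Sophos 4.05.0 05.07.2006 no virus found
"""
CLEAN_RESULTS = {"no virus found", "found nothing"}  # clean verdict strings

def parse_report(text):
    """Map engine -> result; keeps only lines whose third field is a date."""
    results = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].replace(".", "").isdigit():
            results[parts[0]] = parts[3].strip()
    return results

def flagging_engines(results):
    """Engines whose result is anything other than a clean verdict."""
    return sorted(e for e, r in results.items() if r.lower() not in CLEAN_RESULTS)

def file_facts(data):
    """Hashes plus the thread's two checks: size limit and UPX packing (heuristic)."""
    head = data[:4096]  # PE section table sits near the start of the file
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
        "fits_upload_limit": len(data) <= CLAMAV_UPLOAD_LIMIT,
        "upx_packed": b"UPX0" in head or b"UPX1" in head,
    }

def triage_notes(results, facts):
    """Notes worth including when reporting a suspected false positive."""
    flagged = flagging_engines(results)
    notes = [f"{len(flagged)} of {len(results)} engines flag the file: {', '.join(flagged)}"]
    if not facts["fits_upload_limit"]:
        notes.append(f"{facts['size']} bytes exceeds the {CLAMAV_UPLOAD_LIMIT}-byte upload limit")
    if facts["upx_packed"]:
        notes.append("UPX section names present; scan an unpacked copy as well")
    return notes
```

Only the VirusTotal layout is parsed; the Jotti "Engine Found ..." lines have three fields and are skipped.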