ClamWin Free Antivirus
Support and Discussion Forums
FALSE POSITIVES
swerenfl
Joined: 16 Jan 2012 | Posts: 4 | Location: Schaumburg, IL
Hi there again,

Our ClamWin is sending us emails with the following files reported as viruses. Is there any way to stop the alerts regarding these files, since they are clearly system files and are not trojans? Or is a future update going to negate these false positives?

C:\Windows\System32\services.exe: Trojan.Sirefef-411 FOUND
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe: Trojan.Sirefef-411 FOUND
C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c_services.exe_abfc33da: Trojan.Sirefef-411 FOUND
C:\Windows\winsxs\x86_microsoft-windows-a..ace-ldap-extensions_31bf3856ad364e35_6.0.6001.18000_none_2574a3912534384a\adsmsext.dll: Trojan.Patchload-31 FOUND
C:\Windows\winsxs\x86_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6001.18000_none_5f327439667d597c\adsldpc.dll: Trojan.Patchload-25 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18000_none_2fee07bcc5a8367d\aaclient.dll: Trojan.Patchload-28 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b\aaclient.dll: Trojan.Patchload-28 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18564_none_2fb132dac5d53542\aaclient.dll: Trojan.Patchload-28 FOUND
GuitarBob
Joined: 09 Jul 2006 | Posts: 4390 | Location: USA
An update will usually not correct any false positives. A virus signature triggers a false positive, and either the signature must be corrected or the false positive file must be "whitelisted" in the Clam signature database.

You can report false positives to Clam AV so they can correct them at http://www.clamav.net/lang/en/sendvirus/ on the web. Give them a few days to correct. Until then, you can exclude the file(s) from ClamWin scans via Configure, Filters, Exclude Matching Filenames.

If you are using Clam Sentinel and get a false positive on a "suspicious file," you will have to whitelist the file in Clam Sentinel's Paths or Files Not Scanned, since this is an internal Clam Sentinel detection and not a Clam AV detection.

Regards,
tony-jennings
Joined: 19 Nov 2010 | Posts: 3 | Location: Cambridge, England
Hi,

C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b\aaclient.dll: Trojan.Patchload-28 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b\aaclient.dll: Removed.
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18564_none_2fb132dac5d53542\aaclient.dll: Trojan.Patchload-28 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18564_none_2fb132dac5d53542\aaclient.dll: Removed.

On two of our separately located servers, I too have started receiving warnings for these DLLs in the windows\winsxs folder, and also in services.exe, which is a major system runtime service!
C:\Windows\System32\services.exe: Trojan.Sirefef-411 FOUND

These started at the beginning of the week, although services.exe seems to not be reported now.

When I get alerts from multiple servers, this usually points to a false positive, but on this occasion, I'm not seeing it on all my servers, so I'm still suspicious of this being real.

How do we know they are false just because they are occurring in system files? Surely system files are vulnerable too, swerenfl?

I am running with remove mode, but even though it says it has removed, it doesn't.
Thanks.
GuitarBob
Joined: 09 Jul 2006 | Posts: 4390 | Location: USA
A scan on Jotti or Virus Total will probably tell you if a false positive is involved. If so, report it to Clam AV at their web site via the Submit A File link so they can correct their signature. I have never had the luxury of Windows replacing its important system files when I have false positives! If the file(s) had a valid digital sig from Microsoft, you would just get a false positive message from ClamWin.

I don't see much malware in the WinSX folder.

When in doubt, for verification, I look to 5 AVs on Jotti or Virus Total: AntiVir, Bitdefender, Kaspersky, Nod32, and Sophos. They all have good heuristics, and they keep up their signature database. If a couple of them see an infection, I usually believe it. The date first seen on Virus Total is usually helpful--if a virus has been around for a while, there should be plenty of AVs detecting it. If the file is new, there may not be very many for a few days.

By the way, this topic probably belongs in the "Virus Scanner" section--not "Virus Database Updates."

Regards,
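The triage the two replies above describe (check the flagged file's digital signature, look the file up on Jotti or Virus Total, then either report a false positive and exclude the path or treat the file as suspect) can be scripted. The following is an added example, not ClamWin's own code or anything posted in this thread. It assumes Windows PowerShell 4 or later (for Get-FileHash and Get-AuthenticodeSignature) and that the report lines come from ClamWin's clamscan output in the "<path>: <signature> FOUND" form shown in the thread; the report text embedded below is constructed sample input, and the third path is deliberately one that does not exist.

```powershell
# Added example (not ClamWin's code): triage ClamWin "FOUND" lines by verifying each flagged
# file's Authenticode signature and computing a SHA256 for lookup on Virus Total / Jotti.
# The report text is constructed sample input modelled on the alerts in this thread.
$reportText = @'
C:\Windows\System32\services.exe: Trojan.Sirefef-411 FOUND
C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18564_none_2fb132dac5d53542\aaclient.dll: Trojan.Patchload-28 FOUND
C:\Windows\Temp\constructed-missing-file.exe: Trojan.Example-1 FOUND
'@

# Parse clamscan detection lines of the form "<path>: <signature name> FOUND".
function ConvertFrom-ClamReport {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<Path>.+?): (?<Signature>\S+) FOUND$') {
            [pscustomobject]@{ Path = $Matches.Path; Signature = $Matches.Signature }
        }
    }
}

# Verify one detection and return a record with the evidence an admin needs before
# reporting a false positive or adding an exclusion.
function Test-ClamDetection {
    param([string]$Path, [string]$Signature)

    $result = [ordered]@{
        Path      = $Path
        Signature = $Signature
        Exists    = Test-Path -LiteralPath $Path
        SigStatus = $null
        Signer    = $null
        Sha256    = $null
        Verdict   = $null
    }

    if (-not $result.Exists) {
        # A file that is already gone (removed, or never there) cannot be verified.
        $result.Verdict = 'file missing: cannot verify'
        return [pscustomobject]$result
    }

    # Authenticode check. Many Windows binaries are signed through a catalog (.cat) rather
    # than an embedded signature; older PowerShell versions report those as NotSigned even
    # when genuine, so NotSigned means "get a second opinion", not "infected".
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SigStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # SHA256 lets you look the file up on Virus Total / Jotti without uploading it.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($result.Signer -match 'O=Microsoft Corporation')
    $result.Verdict = if ($signedByMicrosoft) {
        'valid Microsoft signature: likely false positive, report to Clam AV and exclude'
    } elseif ($sig.Status -eq 'HashMismatch') {
        # The signature is present but the bytes no longer match it: the file was modified.
        'signature present but content altered: treat as tampered, do not exclude'
    } else {
        'unsigned or unverifiable: check the SHA256 on Virus Total / Jotti before excluding'
    }
    return [pscustomobject]$result
}

$results = ConvertFrom-ClamReport -Text $reportText | ForEach-Object {
    Test-ClamDetection -Path $_.Path -Signature $_.Signature
}
$results | Format-List

# Paths judged to be false positives, one per line, ready to add under
# Configure -> Filters -> Exclude Matching Filenames in ClamWin.
$results | Where-Object { $_.Verdict -like 'valid Microsoft signature*' } |
    Select-Object -ExpandProperty Path
```

Run it in an elevated PowerShell session so the files under C:\Windows are readable. The verdict logic follows the advice in the thread: a valid Microsoft signature on the flagged file supports the false-positive theory and is what you would cite when submitting the file to Clam AV, while a HashMismatch status means the file's contents differ from what was signed, which is the case where an alert on services.exe or a winsxs DLL should not be excluded without further investigation.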