hi,

i am getting false positive reports for a couple of .dll files that virus total says are safe.

so i tried to submit them to the clamwin system as false positive. the report was rejected with this message...



so i updated the database and ran clamwin again but got the same result from the scanner and the false positive report system.

so far as i know there are no thrid-party virus databases on my machine.

i want to use the clamwin virus database

HOWEVER, a few times when i have downloaded files i have encountered some paid virus scanner that comes with the download such as macfee or something. which i removed using the vista control panel for removing programs.

please advise.

One possibliity:
Are you also using the Clam Sentinel program with ClamWin? If you are, then Clam Sentinel uses its own heuristic scanner to detect suspicious files that are not detected by ClamWin. Is your detection a "suspicious file" or an "infected file"? An infected file detection is a ClamWin detection, but a suspicious file detection is a Clam Sentinel detection. Clam AV can not process false positive detections that are Clam Sentinel suspicious files. You will have to exclude these files from Clam Sentinel via Advanced Settings, Paths Or Files Not Scanned.

Another possibility:
Do you have ClamWin configured to detect PUA (Potentially Unwanted Applications)? If so, then remove the configuration to detect PUA. PUA detection is broken--it does not detect real viruses--it only detects files that are heavily packed or that contain virus-like tools. You do not need to be bothered by PUA detections. A real virus will not be a PUA detection.

Regards,

hi,

i never installed clam sentinel. i searched for it on my system using the vista start-up menu search box and it was not found.

i have never set the option to detect PUA files. also, i cannot find the PUA option on the "Configure ClamWin" control panel.

it is possible this PUA option is set but i cannot find it to check.

Hi Oznola,

Could you please copy and paste the scan report where these DLLs are detected?

Regards,
Lipper

indeed i can...

Thank you. I too, have received numerous detections such as these from ClamWin in recent weeks. However, ClamAV has never 'rejected' them when I submit them as false positives. But then, they haven't corrected the false positives either.

I'm actually not sure what's going on, but it would appear that ClamWin is glitching in some way. One file that I'm having issue with is admparse.dll. When I scan the file at https://www.virustotal.com/file/08279d497f9fb22f82314b2ae537a1a9919597422504fd7fa285f1b18b84652e/analysis/ Virus Total, ClamAV does not detect it. When the same file is scanned at https://www.metascan-online.com/en/scanresult/file/41286aa68d524d5fb041a52cf2e5e7cd Metascan, ClamWin detects it as Win.Trojan.Agent-38481.

Be patient, it is New Year's Eve and help may be slow to arrive. Be calm, I'm confident we're not infected. And Happy New Year to you!

Regards,
Lipper

roger that,,,

Guys: I have noticed lots of Trojan false positive detections in the System 32 and Winsxs folders. I have reported them to Clam.

Clam is mostly preparing automated signatures now. The automated signatures might need a bit of "fine tuning," which I have mentioned to Clam.

Win.Trojan.Fakesmoke-21 was published 12-24-12. It is an MDB (main code section) signature that appears to be automated. Win.Trojan.Agent-52863 was published 12-22-12. It is also an MDB signature that appears to be automated. So they are both recently published, automated signatures. The MDB sigs are the ones that I think need some "fine tuning." It appears to me that if a malware file contains an installer, the automated MDB sigs will pick up the installer code and not the actual malware code. Anyone can use an installer--both malware authors and "good" authors.

I do not know why ClamWin would detect an infection that Clam AV does not detect--unless there is some divergence in the code. It may also be that, for some reason, the false positive submissions to Clam AV are not set up to use the new automated signatures. I will mention this to the Clam AV team.

Regards,



Regards,

The non Microsoft FPs have been corrected by ClamAV signature updates. winlogon.exe is detected by ClamAV so I have submitted it through the normal channel. admparse.dll above, and the two files listed below are not detected by ClamAV so cannot be submitted as FPs. Very strange.

d3d9.dll NOT DETECTED BY CLAMAV BUT DETECTED BY CLAMWIN
https://www.virustotal.com/file/f1abf07cc45f9c013b9f53e64820ecb12ac9b1e681b9a1703e30a0637e7d9bb6/analysis/
https://www.metascan-online.com/en/scanresult/file/df515187b717453fae89fec7df477e35

setup50.exe NOT DETECTED BY CLAMAV BUT DETECTED BY CLAMWIN
https://www.virustotal.com/file/3f2d885c2be50b1a1cf4d23204fc11141c8b74c749643e8281f9e65aefbb3c94/analysis/
https://www.metascan-online.com/en/scanresult/file/90964418ee7944ed886389768ca2e766

The latest scan of my system drive:



detected by ClamWin but not by ClamAV

Aavm4h.dll
https://www.virustotal.com/file/1c3637fbe46d25cc54c31a07ff59f5753de083e8b780980ccc52245fdb108fe9/analysis/
https://www.metascan-online.com/en/scanresult/file/3b32e0600e274a88bbad49fb0f48b391

setup50.exe
https://www.virustotal.com/file/3f2d885c2be50b1a1cf4d23204fc11141c8b74c749643e8281f9e65aefbb3c94/analysis/1357242339/
https://www.metascan-online.com/en/scanresult/file/faade2cb9c864b418d2b9cd947e404eb

kemNT-7.4.zip
https://www.virustotal.com/file/db216f8d1e4cca7ccbda34a16a4cb8d5c79397b5ccd5b9fbe266f7844f3d3b5a/analysis/
Metascan has cut me off due to 5 files in archive during a certain time period. I don't like to use Jotti for a ClamWin scan because they have PUA enabled.


detected by ClamWin and ClamAV - will submit as FPs as permitted.

AavmRpch.dll
aswCmnIS.dll
aswProperty.dll
aswWebRepIE.dll
aswFsBlk.sys
R218148.exe

I submitted some false positives in the System32 folder yesterday, and I will submit more from the Winsxs folder today. The Sourcefire people can not work on Clam all the time, but they told me they will correct the false positives as soon as possible. If Clam AV detects it, they will work it.

I don't know what to do about the false positives that are not detected by Clam. At present, make sure your ClamWin signature database is current and that you are using the current verson .97.6 of ClamWin. I'm glad the ClamWin developers instituted that false positive protection! I thought it was only on digitally-signed Microsoft files, but I saw some false positives on unsigned files.

Regards,

Hello, Bob. Thank you for the information.

I'm wondering if perhaps Clam has found some issue though, because the file d3d9.dll I reported yesterday is no longer detected by ClamWin, and remains undetected by ClamAV:

https://www.virustotal.com/file/f1abf07cc45f9c013b9f53e64820ecb12ac9b1e681b9a1703e30a0637e7d9bb6/analysis/1357255678/
https://www.metascan-online.com/en/scanresult/file/be7e47ce4b03491389ea9e5e4d784ba4

My only theory at this point is a possible incompatibility between the older, handmade definitions (or the cumulative database) and the new automated ones. To test my theory, I've deleted the contents of the db folder of a ClamWin Portable installation on a flash drive, and rebuilt the database via a manual update. I'm scanning my system drive now and will report any positive conclusions.

As ever,
Lipper

I found that file on my computer, got a hash and searched for it on the Clam AV submission. The file was given to Clam by Virus Total, but there was no detection on Virus Total by any AV, including Clam. ClamWin does not detect it on my computer. I suppose the false positive could have been fixed, but the submission I saw was not indicated as a false positive.

Alain Zidouemba at Sourcefire told me the false positives are not related to the automated signatures. I think he is right because we have had the automated sigs now since early December, and I have only seen this rash of false positives during the last week or so.

Usually when there is a detection by ClamWin and not by Clam AV, it is because a new version of Clam just came out with new functionality and ClamWin has not been upgraded yet. This can go either way--a file could be detected by one and not by the other. I do not think this is the case here--there has been no new version. There is a figure indicating functionality in the About ClamWin screen, by the main database number of signatures. It is currently set at 54. Now that I mention it, I may have seen some sigs recently that were something besides 54, and it would probably be set higher, never lower. I wonder if some of the Clam sigmakers could be making sigs with new functionality already--perhaps in anticipation of a new version. Or... perhaps some new code has already been incorporated at Clam. As I said, detection could go either way. There are several new sigmakers at Sourcefire that I noticed have done some sigs. There does seem to be some sort of pattern in the sigs--most of them seem to be Trojan.Agents.

In any case, ClamWin users are protected from a false quarantine, so let's see how it goes for a few more days. Let me know if you find anything.

I'm glad to see you posting again!

Regards,

Thanks again, Bob. Yes, I'll let you know if I find something.

As ever,
Lipper

I just did a scan of my C:\ drive without any false positives. I have been submitting several a day now for a while. It looks like the recent rash of falsies has been fixed.

Keep submitting those false positives and undetected viruses to Clam. They have also asked experienced users to prepare signatures and paste them in the comments section of the virus submission form. Clam will check the signatures and give the sugbmitters credit in the eail accompaning the signatures when published. Clam will worry about any false positives!

As you know, most of the Clam signatures are automated now--I hope it is a precursor to putting Clam AV (and maybe ClamWin) into the Cloud.

Regards,