ClamWin Free Antivirus Support and Discussion Forums
False +ve says not detected by ClamAV, VirusTotal says it is
typojinx (Joined: 22 Jan 2013; Posts: 2; Location: Manchester, UK)
Came across an issue on an XP system at the end of a scan after first install of ClamWin.
Clam Sentinel is not installed.
ClamWin had been updated prior to running the scan.

Scan report is as follows:
Scan Started Tue Jan 22 12:57:41 2013
-------------------------------------------------------------------------------
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\autorun.inf: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\mediainfo.xml: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\microsoft.vc80.crt.manifest: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\msvcr80.dll: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\setup.exe: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\setup.exe.config: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\sqmapi.dll: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\master.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\mastlog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\model.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\modellog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\MSDBData.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\MSDBLog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\tempdb.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\templog.ldf: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1637199
Engine version: 0.97.6
Scanned directories: 7798
Scanned files: 46997
Infected files: 0

Data scanned: 14162.28 MB
Data read: 13311.75 MB (ratio 1.06:1)
Time: 5094.329 sec (84 m 54 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:

C:\WINDOWS\system32\dllcache\sol.exe: [Win.Trojan.Swrort-1867] FALSE POSITIVE FOUND

Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at http://www.clamav.net/sendvirus/

--------------------------------------
Completed
--------------------------------------

A check on VirusTotal.com shows that only ClamAV detects the uploaded sol.exe (the false positive), with the exact same description.
See https://www.virustotal.com/file/a6fc95a5b288593c9559bd177ec43bf9b30d8a98cf19e82bf5a1ba5600857f04/analysis/ or search for a6fc95a5b288593c9559bd177ec43bf9b30d8a98cf19e82bf5a1ba5600857f04 on virustotal.com if the link has expired.

So, I submitted a false positive report, uploading the exact file and got the following message back:
"Result:

This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures.

Please correct the above errors and retry. Thank you for helping the ClamAV project."

I have since manually updated ClamWin with the latest daily.cld and rescanned sol.exe, but got the same result.

Is this just an FP report site glitch or is something else going on?
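The report above mixes three different things: files the scanner could not read (the "Permission denied" warnings on the pagefile, registry hives and SQL Server data files), the summary block, and the separate FALSE POSITIVE section that ClamWin appends for Microsoft-signed files. Before re-submitting an FP report it also helps to confirm that the local file is byte-identical to the sample VirusTotal analysed, which is what the SHA-256 in the VirusTotal link is for. The following is an added example (not ClamWin or ClamAV code) that parses a report in that layout and does the hash comparison; the embedded sample report is an abridged copy of the log posted above, the reference hash is the one from the VirusTotal link, and the bytes passed to the hash check are a constructed stand-in for the real sol.exe.

```python
"""Parse a ClamWin scan report and verify a flagged sample's hash.

Added example; not ClamWin or ClamAV code. Assumes the report layout
shown in the thread: WARNING lines, a SCAN SUMMARY block and an
optional FALSE POSITIVE section after it.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample report: an abridged copy of the log posted above.
SAMPLE_REPORT = r"""Scan Started Tue Jan 22 12:57:41 2013
-------------------------------------------------------------------------------
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1637199
Engine version: 0.97.6
Scanned directories: 7798
Scanned files: 46997
Infected files: 0

Data scanned: 14162.28 MB
Data read: 13311.75 MB (ratio 1.06:1)
Time: 5094.329 sec (84 m 54 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:

C:\WINDOWS\system32\dllcache\sol.exe: [Win.Trojan.Swrort-1867] FALSE POSITIVE FOUND

--------------------------------------
Completed
--------------------------------------
"""

# SHA-256 from the VirusTotal link the poster gave for the flagged sol.exe.
VT_SHA256 = "a6fc95a5b288593c9559bd177ec43bf9b30d8a98cf19e82bf5a1ba5600857f04"

WARNING_RE = re.compile(r"^WARNING: Can't open file (.+): Permission denied$")
DETECT_RE = re.compile(r"^(.+?): \[([^\]]+)\] (FALSE POSITIVE FOUND|FOUND)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+): (.+)$")


@dataclass
class Detection:
    path: str
    signature: str
    flagged_false_positive: bool  # True when ClamWin itself marked it as a likely FP


@dataclass
class ScanReport:
    unreadable: List[str] = field(default_factory=list)   # files the scanner could not open
    detections: List[Detection] = field(default_factory=list)
    summary: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> ScanReport:
    """Split a ClamWin report into unreadable files, detections and summary fields."""
    report = ScanReport()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if line.startswith("----"):          # any other dashed separator ends a section
            in_summary = False
            continue
        if m := WARNING_RE.match(line):
            report.unreadable.append(m.group(1))
        elif m := DETECT_RE.match(line):
            report.detections.append(
                Detection(m.group(1), m.group(2), m.group(3).startswith("FALSE")))
        elif in_summary and (m := SUMMARY_RE.match(line)):
            report.summary[m.group(1)] = m.group(2)
    return report


def false_positive_candidates(report: ScanReport) -> List[Detection]:
    """Detections worth submitting to the ClamAV false-positive form."""
    return [d for d in report.detections if d.flagged_false_positive]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_same_sample(data: bytes, reference_sha256: str) -> bool:
    """True when the local bytes match the hash a VirusTotal report describes."""
    return sha256_hex(data) == reference_sha256.lower()


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{len(rep.unreadable)} unreadable, {len(rep.detections)} detections, "
          f"engine {rep.summary.get('Engine version')}, infected {rep.summary.get('Infected files')}")
    for d in false_positive_candidates(rep):
        print(f"submit as FP: {d.path} ({d.signature})")
    # Constructed stand-in bytes; a real check would read the flagged file from disk.
    print("same sample as VirusTotal:", is_same_sample(b"not the real sol.exe", VT_SHA256))
```

Running it against a full report lists the unreadable files separately from the one signed file ClamWin already classed as a false positive, and the hash check makes the "is this the same file VirusTotal saw?" question explicit before anything is re-uploaded.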
GuitarBob (Joined: 09 Jul 2006; Posts: 4335; Location: USA)
Okay. Perhaps the Virus Total copy of Clam AV did not have the latest update, so give it another couple of hours and then do a rescan. Also resubmit to Clam AV--perhaps the signature is very recent, and the Clam user submission interface was not synchronized. If it is still not detected by anything else on Virus Total, is detected by ClamWin but not detected by the Clam submission, get back here.

Regards,
typojinx (Joined: 22 Jan 2013; Posts: 2; Location: Manchester, UK)
I've checked Virus Total again with the same file that was originally uploaded and it's coming back clean.

Thanks for your help!
GuitarBob (Joined: 09 Jul 2006; Posts: 4335; Location: USA)
So it was all because of timing, eh? Most of the Clam signatures are now automated, and there will be a certain amount of false positives because of that--every signature is done the same way regardless of the specifics of a file. Thankfully, ClamWin has some protection against quarantine of important system files. Keep on reporting all false positives though.

Regards,