ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Unconfirmable red alerts when running Clamwin
rogerjan


Joined: 22 May 2011
Posts: 31
Location: Georgia, USA
Reply with quote
Today's scan produced a rash of red warnings, along with the usual false positives. Many are to do with files normally associated with AutoCad. Aside of getting me to sit up and take notice, along with an urgent need for both counseling and tranquilizers, is any of this stuff real, and how can I find out one way or the other?

Here are the red warnings:
C:\Documents and Settings\RnJ\My Documents\Downloads\windows-kb890830-v4.4.exe: Win.Trojan.Swrort-6145 FOUND

C:\Program Files\AutoCAD LT 2004\AcSignApply.exe: Win.Trojan.Krament-6 FOUND

C:\Program Files\Google\Google Desktop Search\temp\_PREV_GoogleDesktopAPI2.dll: Win.Trojan.Genome-1913 FOUND

C:\WINDOWS\system32\ACADFICN.DLL: Win.Trojan.Agent-141222 FOUND

C:\WINDOWS\system32\AcSignExt.dll: Win.Trojan.6622731 FOUND

C:\WINDOWS\system32\ADRESC.DLL: Win.Trojan.Agent-344458 FOUND

I have previously reported some of the false positives (as requested) but have never heard back, nor does it seem that anything has been done to eliminate the FPs, some of which - ACADFICN.DLL for example, pop up time after time.
The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:

C:\WINDOWS\$NtUninstallKB2229593$\helpsvc.exe: [Win.Trojan.6725827] FALSE POSITIVE FOUND

C:\WINDOWS\ServicePackFiles\i386\d3d8thk.dll: [Win.Trojan.Agent-351079] FALSE POSITIVE FOUND

C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe: [Win.Trojan.6725827] FALSE POSITIVE FOUND

C:\WINDOWS\system32\d3d8thk.dll: [Win.Trojan.Agent-351079] FALSE POSITIVE FOUND

C:\WINDOWS\system32\dllcache\d3d8thk.dll: [Win.Trojan.Agent-351079] FALSE POSITIVE FOUNDResearch on line for how to confirm a real problem exists (or not) is full of confusing and contradictory advice. The resident antivirus is Microsoft Security Essentials.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 3527
Location: USA
Reply with quote
First, thank you for using ClamWin.

The Clam AV engine used by ClamWin (it's ported over free to Windows from the Clam Av project Linux source code) was primarily developed for Linux email servers, and false positives there don't cause any damage to an operating system--the attachments are not executed there and anyway most viruses are for Windows machines and will not run on Linux.

The ClamWin developers have allowed for false positives on important Windows files by refusing to quarantine them if they have a valid digital signature from Microsoft and giving the user a message at the end of ClamWin scan reports. Clam Av has not yet incorporated any such protection, however, so we still need to upload all false positives to them. Clam tells me they will have similar false positive protection in a future edition. Additionally, Clam AV is short of personnel and may not address false positives for a while. Once again, it is the squeaking wheel that gets greased, so keep sending in those false positives to them for eventual correction.

As to detections on other types of files, the surest way to verify them is to upload them to either the Jotti or Virus Total scanning services to see what AVs detect them besides Clam AV. If the file is a Windows PE file, I like to see at least 2 of these AVs verify a detection: Avira Antivir, Bit Defender, ESET Nod 32, Kaspersky, and Sophos. Most AVs do not do a good job of detecting new viruses if they are not in a Windows PE file, however, so if the file is not a Windows PE file--like an Office file, PDF file, HTML file, javascript file, java file, etc., I will use just 1 of these AVs to verify a detection.

If the file is a new file on your machine, there is a good chance the detection is not a false positive. If the file has been around for a while, and there have been no changes to it (look at the file date--but they can be "spoofed" by a virus sometimes), it is probably a false positive.

The easiest way to verify a file is to see what Microsoft Security Essentials (MSE) says about it. If it does not quarantine a file, it is probably clean. MSE has a very good false positive record. MSE does not do well on some AV tests, but don' you believe it--Microsoft is very big, it has lots of resources, it has very good malware telemetry, and it is more concerned with protecting its users that with doing well on tests!

Regards,
View user's profileSend private message
rogerjan


Joined: 22 May 2011
Posts: 31
Location: Georgia, USA
Reply with quote
Many thanks for an extremely on-point reply. One thing that seems rather obvious is the usefulness of knowing in which sub directory the creator of a file intends it to be. For example, several of the offending items are in the Sys32 directory. So, probably I should check to see if they are duplicated in, say, the AutoCad directories. However, if they are not, it's not an easy task to find out whether AutoDesk intended the files to be in Sys32. Clearly, if such a file isn't supposed to be where it is, deleting it is simple. Knowing that gem of information is very difficult.
No Autodesk files have been added on my PC recently, and because the ACad false positives have been previously reported, it seems possible that these new red alerts are similar. What isn't so obvious is why now? I will do a verification of each one, on several AVs, as you suggest. I assume that the correct procedure is to report the findings, if no consensus is achieved by the AV scans, as false. I do appreciate the efforts of the small number of experts who slave away at this herculean (and voluntary) task, it's just unfortunate that one small 'word' from Clamwin causes great anxiety for the paranoid user (that would be me ).
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 3527
Location: USA
Reply with quote
Yes, some dll files can be in several different folders on a computer. Most Windows trojan/worm malware will be found in the appdata and system32 folders, occasionally in the program folder or in its own C:\ folder.

Most malware is now heavily obfuscated to hinder/prevent analysis, and it is very hard for the AVs to unpack them to get a signature for the "bad" code. So the AVs rely heavily upon sectional file hashes and entry points for most of their signatures. Malware often uses the same packers and similar code as "good" files--including some of the Windows system files. So there can be some code, packers, and even entire file sections that are used by both malware and "good" applications. The AVs are swamped with the volume of malware received each day. Most Clam signatures are now automated. A human sigmaker can prepare file hash signatures for about 100 viruses in the time it would take to upack a file, analyze it, and then decide what is "bad" about it--if there was even time to do so.

AV emulation/sandboxing can help detect malware, but it takes lots of code, so it is limited, and some malware can tell when it is being analyzed and will not execute.

I would like to see some incorporation of AV "whitelisting" of the file hashes of at least some important files. Whitelisting is not popular, but it can prevent false positives and has some good possibilities.

Regards,
View user's profileSend private message
Unconfirmable red alerts when running Clamwin
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic