ClamWin Free Antivirus
Support and Discussion Forums
False Positive Warn During Memory Scan But Not Regular Scan
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
For file DNSAPI.DLL I get a False Positive warning during a memory scan but not during a scan of the System32 folder where it is located. Does anyone else experience this? There may be a couple of other files like this as well.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
I am not getting this issue during memory scan or if I scan the system32 folder. I think these false positives are coming from the YARA and Snort rules that are being added to .99 and they are producing so many false positives because they are not compatible with versions under .99. I suspect ClamAV will end up dropping everything under .98, then will drop .98 after 1.0 comes out because of this.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Neither I nor Virus Total (no Clam FP there) are using v.99 at the moment however, so I don't think this is the cause of the problem. I think it's the ClamWin mem scan, which gives a different treatment than the regular clamscan.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
What I meant was, the reason why these false positives rules are happening is because you are not using .99, which is where the YARA and Snort rules are being added to. The YARA and Snort rules may not be compatible with versions under .99 (like .98.7, .98.6, .98.5, etc.). Unless these rules are not added as signature files, then this would be why we are getting false positives.
GuitarBob


Joined: 09 Jul 2006
Posts: 4363
Location: USA
Could be, RRK. I recall that one time ClamWin gave so many FPs after a new version of Clam before the ClamWin developers could incorporate the new version that Clam AV came up with some special sigs to prevent the FPs. Wish we still had that kind of relationship.

Regards,