ClamWin Free Antivirus
Support and Discussion Forums
Never gotten a virus in this folder, Afraid to delete etc
darthkringle


Joined: 28 Feb 2010
Posts: 5
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND


Is this a false positive? Thanks everyone
GuitarBob


Joined: 09 Jul 2006
Posts: 4253
Location: USA
It very well could be a false positive. The Clam AV scan engine/signatures we use are designed primarily for Linux email servers, where false positives on Windows files are not even considered. I have only seen 1 virus in the WinSxS folder in the 5 years I was at Clam AV. What does your other antivirus program say about this file? You should be using a real-time virus along with ClamWin, using ClamWin for a backup scanner.

Best way to tell is to upload the file to Virus Total at https://www.virustotal.com/#/home/upload on the web and see what about 60 other AVs say about it. I like to see at least 2 of these AVs detect something before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos.

Thanks for using ClamWin!

Regards,
darthkringle


Joined: 28 Feb 2010
Posts: 5
Wow, thanks so much. Here is what the upload said for the other sites: basically only ClamWin calls it a virus.

darthkringle


Joined: 28 Feb 2010
Posts: 5
So if ClamWin is the only one finding it, do I just ignore it?
aggravated


Joined: 08 Oct 2017
Posts: 2
I am quite sure they are false positives. I just had the same two files detected by Immunet, which uses Clam. You can't readily even upload these files to VirusTotal, since Windows does its best to deny access to them. There are ways around that, but I can't be bothered. I'm certain enough that they are FPs to take my chances.
GuitarBob


Joined: 09 Jul 2006
Posts: 4253
Location: USA
If you have a false positive, you shouldn't ignore it. Since you scanned it on Virus Total and Clam AV was the only AV to detect it, Virus Total will tell Clam AV about it so they can correct their signature. Clam AV will eventually correct it (usually), but it will still be falsely detected on your computer. Here's what to do:

If the program was falsely quarantined by ClamWin, you need to restore it with the QRestore program in the ClamWin\bin directory. After restoring it, you need to exclude it from future scans by using Preferences, Filters, Exclude Matching filenames. Check the ClamWin Help file for information about restoring a file. Get back to us here if you need additional help restoring. You can occasionally check the file with Virus Total again to see when/if Clam AV has corrected their signature and delete the excluded file from ClamWin's Exclude Matching Filenames when it does.

Regards,
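An added triage helper for the checks discussed in this thread (my example, not ClamWin or ClamAV code): it parses ClamWin's `path: signature FOUND` report lines, hashes each flagged file so it can be looked up on VirusTotal by SHA-256 without uploading, returns None when the OS refuses read access (as happens with WinSxS files), and checks paths against a glob-style exclusion list modelled on the Exclude Matching Filenames setting. The VirusTotal URL layout and the glob semantics are assumptions, and the sample scan output is constructed.

```python
import fnmatch
import hashlib
import re

# Constructed sample in the format ClamWin prints (mirrors the first post).
SAMPLE_SCAN_OUTPUT = """\
C:\\Windows\\WinSxS\\FileMaps\\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\\Windows\\WinSxS\\FileMaps\\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\\Users\\example\\Documents\\notes.txt: OK
"""

# "<path>: <signature> FOUND"; a Windows drive colon is never followed by a space.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_found_lines(text):
    """Return (path, signature) pairs for every FOUND line; OK lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def sha256_or_none(path):
    """SHA-256 of a file, or None when the OS denies access (as with WinSxS)."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:  # PermissionError and FileNotFoundError are subclasses
        return None

def virustotal_lookup_url(sha256_hex):
    """Hash-only VirusTotal lookup (assumed current URL layout); no upload needed."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"

def is_excluded(path, patterns):
    """Case-insensitive glob match, modelling an 'Exclude Matching Filenames' list."""
    low = path.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)

def triage(text, patterns=(), hasher=sha256_or_none):
    """For each FOUND line: skip excluded paths, else attach a hash and VT link."""
    rows = []
    for path, sig in parse_found_lines(text):
        if is_excluded(path, patterns):
            continue
        digest = hasher(path)
        rows.append({"path": path, "signature": sig, "sha256": digest,
                     "vt_url": virustotal_lookup_url(digest) if digest else None})
    return rows
```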
aggravated


Joined: 08 Oct 2017
Posts: 2
I'm using Immunet, which uses (in part) ClamAV. I've submitted both files to Immunet and uploaded them each to VirusTotal as well:

https://www.virustotal.com/en/file/ffeec8af2fcb27b713837c744057a6e0304529b4ea80427df2bd2414b6bd6309/analysis/1507511907/
https://www.virustotal.com/en/file/de42506fa988cbfd7e8184b875eb54160cd8043f72af94d59c1857493812154b/analysis/1507511913/

As a workaround, I excluded the entire "C:\Windows\WinSxS\Temp" and "C:\Windows\WinSxS\FileMaps" folders from Immunet. Overkill, yes, but I'm not a fan of FPs.
darthkringle


Joined: 28 Feb 2010
Posts: 5
Yep I uploaded and submitted directly to ClamWin for their False Positives.