Too many false positives - TFC Temp File Cleaner
3dreal


Joined: 05 Aug 2019
Posts: 6
I was very surprised about so many false positives when I had Clam Sentinel installed. Yes, I could set them to whitelist. But I removed Clam Sentinel altogether.
E.g. plugins of IrfanView. False positives! Not good. UPDATE: ClamWin meant. The only working AV for old SSE WinXP PCs; Pale Moon 27 special SSE used.

2. TFC Temp File Cleaner is one of the most important quick scanners.
Please set it on your whitelist. Thanks


Last edited by 3dreal on Wed Aug 07, 2019 1:42 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4549
Location: USA
This is the ClamWin web site--not the Clam Sentinel web site. Development on Clam Sentinel stopped in 2014, and the Clam Sentinel web site has been unattended to since then. I suggest that you use Clam Sentinel only as a real-time scanner for ClamWin by using the Sentinel Settings to Disable the Monitor System For New Malware. This will prevent Sentinel from using its heuristics and force it to only use the ClamWin virus signatures, which will not have many false positives. If you do have false positives after this, Clam AV can correct their false signature if you report it to them or scan the false positive file on Virus Total.

Regards,
3dreal


Joined: 05 Aug 2019
Posts: 6
Already done VirusTotal. What next, if not here?
Very interesting infos, thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 4549
Location: USA
Clam AV provides the AV scanner (and virus signatures) used by ClamWin. ClamWin just provides a version of Clam AV (used on Linux computers) that can be used by Windows users. ClamWin does not have anyone to develop/correct virus signatures.

If an AV on Virus Total is the only AV detecting an infection, a copy of the related file will be sent to that AV, so Clam AV will get a copy of any file that generates a false positive detection. Just to make sure Clam AV will correct their signature, you might want to upload a copy of the file to Clam AV at https://www.clamav.net/reports/fp on the web.

Regards,
Done
3dreal


Joined: 05 Aug 2019
Posts: 6
https://www.bleepingcomputer.com/forums/t/598316/temp-fles-cleaner-tfcexe-infected/
I reported incl. link.
No consequences, TFC will be detected and deleted.
3dreal


Joined: 05 Aug 2019
Posts: 6
They didn't put TFC Temp File Cleaner on the whitelist. It will still be deleted when set to do so.
GuitarBob


Joined: 09 Jul 2006
Posts: 4549
Location: USA
It seems that Clam AV doesn't correct all false positives. Possibly because they have to be done manually. Supposedly Virus Total will tell the AVs if they trigger a false positive on a submission to them, so you might try scanning the file on Virus Total.

If that doesn't work, you will have to whitelist the file in ClamWin/Clam Sentinel via Tools, Preferences, Filters, Exclude Matching File Names.

Below is how Clam AV handles a false positive (you can do this too):

Official Clam AV Signature To Ignore A False Positive

MD5hash:filesize:SID#_filenamenoextn

Get MD5 hash from a file hash program.
Other types of hashes can now be used--try SHA-1 or better.
Filesize is in bytes.
For Submission ID, use the date (example 030119). You can add 2 extra places for additional items on the same date (03011901).
For the last item, use the filename without any extension of the program you are whitelisting.
Put this whitelist item in a Notepad file in the ClamWin data folder C:\ProgramData\.clamwin\db
Name the file FalsePositive.fp and do not save it as a text file--Select file type All Files to prevent the .txt or .text at the end of the filename. ClamWin is unable to recognize a text file as a signature.

Example:
8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel

Regards,
Don't have a db folder, but bin and lib
3dreal


Joined: 05 Aug 2019
Posts: 6
C:\ProgramData\.clamwin\db

In my German PC it's:
C:\Programme\ClamWin\ and I only have bin and lib folders.

Where to put FalsePositive.fp with filename inside?
And what is meant with filename?

Here filename is TFC. Maybe your "filename" must be named differently. How about whitelist-name?
MD5hash:filesize:SID#_filenamenoextn
MD5hash:438000:091619#_TFC

and your example is looking totally different:
8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel
Maybe you listed your example at the wrong position inside your text. Nothing to do with FalsePositive.fp, and its filename is really TFC.

Yes, I already did the first step, see above. If 030119, then it's March 1st 2019, right? Since here we have the third of January 2019. Thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 4549
Location: USA
The filename is the name of the file without the extension (filename with no extension). Example: excel.exe filename is excel--do not use an extension.

Put the FalsePositive.fp in the ClamWin\data folder with the ClamWin signatures. You can probably name it whatever you like as long as it has the .fp extension. Be sure to save it as All Files. Do not save it as a text file because ClamWin can not recognize signatures that are in a *.txt or *.text file.

My example was/is correct. You have the MD5 hash followed by the file size in bytes followed by the submission ID number (I normally use the date with 6 characters. You can use whatever you want but a date with 6 characters and no slashes seems best to me). Do not use the #--that just means use a number. Then there is the filename with no extension. I just put in some numbers for the SID in my example.

Be sure to use the colons (:) and underscores (_) where I have indicated because they are separators.

Regards,
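As an added example that is not part of this thread and not ClamWin or Clam AV code: a small Python helper that builds and checks whitelist entries in the .fp form GuitarBob lays out in the two posts above (MD5 hash, file size in bytes, then SID_filename, colon-separated, with the "#" in the template standing for "a number"). It assumes the standard ClamAV .fp syntax of three colon-separated fields whose third field is a free-form name; the SID_filename convention, the sample name TFC.exe and the SID 091619 come from the posts. The 5-byte file it hashes is a constructed stand-in, not the real TFC binary, and where the finished .fp file has to be saved (the ClamWin data folder the posts discuss) is outside the script.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One ClamAV .fp line: MD5:Size:Name. Name is free text; the posts above use
# SID_filename (e.g. 7728603_excel). No spaces or extra colons are allowed.
FP_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")


def file_md5(path):
    """Stream the file through MD5 so a large binary need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fp_entry(path, sid, name=None):
    """Build one whitelist line for the file at `path`.

    sid:  the submission ID you choose (the posts suggest a 6-digit date, e.g. 030119).
    name: defaults to the file name without its extension, as the posts instruct.
    """
    path = Path(path)
    if name is None:
        name = path.stem  # "TFC.exe" -> "TFC"
    label = f"{sid}_{name}"
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", label):
        raise ValueError(f"SID/name may only use letters, digits, '_', '.', '-': {label!r}")
    return f"{file_md5(path)}:{path.stat().st_size}:{label}"


def parse_fp_line(line):
    """Validate a line in .fp syntax and split it into (md5, size, name)."""
    match = FP_LINE.match(line.strip())
    if not match:
        raise ValueError(f"not a valid .fp line: {line!r}")
    md5, size, name = match.groups()
    return md5.lower(), int(size), name


def is_whitelisted(path, fp_lines):
    """True if the file's (md5, size) pair matches any entry.

    The match is on the exact file contents, so an updated or altered binary is
    not covered by an entry made for an earlier version.
    """
    path = Path(path)
    key = (file_md5(path), path.stat().st_size)
    return any(parse_fp_line(line)[:2] == key for line in fp_lines if line.strip())


def demo():
    """Constructed sample: a 5-byte stand-in named TFC.exe, not the real program."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "TFC.exe"
        sample.write_bytes(b"hello")
        entry = fp_entry(sample, "091619")
        matches_original = is_whitelisted(sample, [entry])
        sample.write_bytes(b"hello!")  # simulate a new TFC build replacing the file
        matches_modified = is_whitelisted(sample, [entry])
        return {
            "entry": entry,
            "matches_original": matches_original,
            "matches_modified": matches_modified,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Write the returned entry line into a file with the .fp extension (no .txt suffix, as GuitarBob notes) and place it with the ClamWin signatures. Because the entry is tied to one exact hash and size, a new TFC release gets a fresh entry generated from the new file; the old one simply stops matching rather than failing loudly.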
3dreal


Joined: 05 Aug 2019
Posts: 6
1. SID IS a number, so why confuse it with #?
2. Which data folder of ClamWin? ClamWin folder, then ClamWin\..... putting the file here.
Please correct this:
C:\ProgramData\.clamwin\db what's db? And the . in front of clamwin?

How about showing also an example for the first step.
For the last item is also confusing.
Second step then

Must now rectify the first step by removing # in the ClamWin program
and adding the fp file in the ClamWin folder
Is this correct?
Thanks a lot
GuitarBob


Joined: 09 Jul 2006
Posts: 4549
Location: USA
1. SID IS a number, so why confuse it with #?

I think submission ID might be something besides a number, but Clam AV used a number when I worked for them, so I put the # to indicate a number.

2. Which data folder of ClamWin? ClamWin folder, then ClamWin\..... putting the file here. As far as I know there is only one data folder for ClamWin. The db subfolder under Program Data\ClamWin\ is for the signature database.

Please correct this:
C:\ProgramData\.clamwin\db what's db? And the . in front of clamwin? I don't understand, but see my answer above.

How about showing also an example for the first step.
For the last item is also confusing.
Second step then

I have shown you enough examples.

Must now rectify the first step by removing # in the ClamWin program
and adding the fp file in the ClamWin folder
Is this correct?
Thanks a lot

The fp file goes in the ClamWin data folder with all the ClamWin signatures.

I think I have helped you enough on this. That's about all the help I can give. If you don't/can't understand, then just whitelist any false positives via the ClamWin Preferences, Tools menu.

Regards,