False Positives - Numerous
PayneLess Designs


Joined: 05 Mar 2007
Posts: 3
Location: Biloxi, MS
Didn't see anything relevant in 2019 or 2020 so posting this. I understand about reporting False Positives (FPs). I have read the FAQs. I've read all that I could find and may have missed something that could have answered my question(s). I do scans periodically of my 1TB HD. A lot of false positives show up. From what I understand in reporting FPs, they must be reported by uploading the file generating the FP along with the AV Report.

I have so many FPs that doing the reports on a file by file basis seems the wrong way to do the reports. Do I have to do it this way? Can't I just send my scan report and let someone look at it and see what is relevant and what file or files should be reported? I'm sure many listed under "The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses" can be ignored but it would be nice to know for sure. Example of one entry:

c:\users\thesha~1\appdata\local\temp\clamav-295ebe627ec8cb106ca909d011725836.00000b74.clamtmp: [Win.Malware.Sivis-6757537-0] FALSE POSITIVE FOUND

There are over a dozen or so of identical entries all in same appdata folder. The rest of FPs are in different folders. Folders like "C:\Windows\System32\..." If I can ignore these and ClamWin doesn't do anything about not detecting these, can I list them somewhere before scanning to ignore? This is the scan summary for last scan:

----------- SCAN SUMMARY -----------
Known viruses: 6689420
Engine version: 0.99.4
Scanned directories: 111198
Scanned files: 1258281
Infected files: 56
Total errors: 96
Not copied: 6
Data scanned: 220301.73 MB
Data read: 278198.19 MB (ratio 0.79:1)
Time: 141423.126 sec (2357 m 3 s)

Thanks for any help.

Ron
GuitarBob


Joined: 09 Jul 2006
Posts: 4570
Location: USA
If the false positives are all for the same malware detection, you can just submit one file to Clam Av for a signature correction. You don't have to send all files that are detected--just one file for each differently named malware.

However...if you scan a file on Virus Total and there is only one AV engine detecting something, Virus Total is supposed to send a copy of the file to the AV company so they can correct it. So if you use Virus Total, you theoretically do not need to tell Clam Av about the false positive. For a lot of detections of the same malware, however, I would still send a copy of one of the files to Clam Av. Even if Virus Total does send a file to Clam AV, signature correction might take a while, and you might speed things up a bit by doing this.

If the file is detected by ClamWin's built-in warning of falsely detected system/Microsoft files (which are not quarantined thankfully), I would just scan it on Virus Total and let it go.

If you are interested in correcting false positives only on your own machines, let me know and I'll tell you how--you have to make your own signature. I have done this when Clam AV takes too long to correct something.

Now, I have a question, where are these false positives being detected on your machine(s)? Is there a chance you could exclude the folder(s) from ClamWin scans and not hurt your security? Most malware files (fileless malware excluded) will be found in these folders: system 32, systemWOW 64, and %appdata%. You might want to do this if you have another/real-time AV as primary and just use ClamWin as backup.

Regards,
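One way to collate a ClamWin report the way the advice above implies (one representative file per differently named signature, with ClamWin's own temp and quarantine entries set aside), as an added example that is not part of this thread; the sample report text and the function names are constructed for illustration, reusing the paths and signature names quoted in the posts:

```python
import re

# Constructed sample report: paths and signature names are those quoted in this thread,
# except the two containing "constructed", which are placeholders.
SAMPLE_REPORT = r"""
C:\Windows\unvise32.exe: Win.Trojan.Agent-1344767 FOUND
C:\Users\All Users\.clamwin\quarantine\iaStor.sys.infected: Win.Trojan.Agent-7015400-0 FOUND
C:\constructed\example\setup.exe: Win.Trojan.Agent-1344767 FOUND
The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
c:\users\thesha~1\appdata\local\temp\clamav-295ebe627ec8cb106ca909d011725836.00000b74.clamtmp: [Win.Malware.Sivis-6757537-0] FALSE POSITIVE FOUND
c:\users\thesha~1\appdata\local\temp\clamav-constructed.00000b75.clamtmp: [Win.Malware.Sivis-6757537-0] FALSE POSITIVE FOUND
----------- SCAN SUMMARY -----------
Infected files: 56
"""

# One detection line: "<path>: <signature> FOUND" or "<path>: [<signature>] FALSE POSITIVE FOUND".
LINE_RE = re.compile(r"^(?P<path>.+?): \[?(?P<sig>[^\s\[\]]+)\]? (?P<verdict>FALSE POSITIVE FOUND|FOUND)$")

def parse_report(text):
    """One dict per detection line; summary lines and 'moved to' quarantine lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, low = m.group("path"), m.group("path").lower()
        entries.append({
            "path": path,
            "sig": m.group("sig"),
            "false_positive": m.group("verdict") != "FOUND",  # ClamWin's Microsoft-signed warning
            "transient": low.endswith(".clamtmp"),            # temp extraction file, gone after the scan
            "quarantine": "\\quarantine\\" in low,            # ClamWin rescanning its own quarantine copies
        })
    return entries

def files_to_submit(entries):
    """One representative file per signature name, skipping temp files and quarantine copies."""
    chosen = {}
    for e in entries:
        if not (e["transient"] or e["quarantine"]) and e["sig"] not in chosen:
            chosen[e["sig"]] = e["path"]
    return chosen

def signatures_without_sample(entries):
    """Signatures seen only in temp or quarantine paths: no original file is left to upload."""
    return sorted({e["sig"] for e in entries} - set(files_to_submit(entries)))

def quarantine_exclusions(entries):
    r"""Drive:\Folder\* patterns for the Filters page, one per quarantine folder that got scanned."""
    folders = {e["path"].rsplit("\\", 1)[0] for e in entries if e["quarantine"]}
    return sorted(f + "\\*" for f in folders)
```

Signatures reported only against .clamtmp files or quarantine copies need the original file located elsewhere before they can be sent in, which is why they are listed separately.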
FPs
PayneLess Designs


Joined: 05 Mar 2007
Posts: 3
Location: Biloxi, MS
Wow! Thank you for the quick reply. I figured that I could send just one report if malware is all the same in some entries but I have many, many FPs in different folders that are different names from what I can see. It would be very time consuming to report each one separately which is why I wanted to know if there is a way to just copy/paste each one showing, not only the name of malware but the complete path to where it was found. If you think it would help, I can go through the recent report and just make one file with all the FPs' names for you to look at. I just don't want to have to find each file and upload it as there are too many. After all, ClamWin is scanning a one terabyte HD. I haven't even done a scan of my backup HD which is also one terabyte. I'm sure it will have even more as it is getting close to full.

It's possible I could exclude some folders/files as many are from trusted sources.

I like ClamWin but not sure I know how to use it properly. Couldn't find where I could set excluded folders or files, an easy way to open the quarantine list from the program (I do see the path to it, I think), etc. I'm sure there may be something in the Help file but normally I don't have to read how in other programs I use as they are all intuitive. Mostly want to look at files sent to quarantine and choose whether to restore or leave in quarantine.

ClamWin looks like it scans its own quarantine folder. Examples:

C:\Users\All Users\.clamwin\quarantine\iaStor.sys.infected: Win.Trojan.Agent-7015400-0 FOUND

C:\Users\The Shadow\Downloads\ClamWinPortable\Data\quarantine\HP.msi.infected.000.infected.000: moved to 'C:\ProgramData\.clamwin\quarantine\HP.msi.infected.000.infected.000.infected'

This one is the only one in the Windows folder unless I missed others in the list:

C:\Windows\unvise32.exe: Win.Trojan.Agent-1344767 FOUND


Not sure what Virus Total is. Will do a search and see what it is and how to do a scan. Really appreciate the help.

Ron
GuitarBob


Joined: 09 Jul 2006
Posts: 4570
Location: USA
Ron:

Virus Total is an online scanner (owned by Google now) where you can scan files for malware with about 60 scanners, including Clam Av, which is a free Linux email scanning engine. Clam AV provides the scan engine and virus signatures used by ClamWin. The ClamWin developers prepare a Windows port from Clam AV and add a graphical user interface to it to get ClamWin. Since almost everything comes from Clam AV, ClamWin users need to send their false positive file detections (and undetected malware files) to Clam AV.

The Clam AV site is at https://www.clamav.net/ on the web. Select the Contact page, and when you get there select either the False Positive or Undetected Malware items. The Virus Total site is at https://www.virustotal.com/gui/home/upload on the web.

You can access the ClamWin menu by right clicking on the ClamWin icon in the system tray. You can exclude files from scanning by selecting Tools, Preferences, Filters, Exclude Matching Filenames on the left side of the page. Then select the box (new item) and insert the relevant information about the file or folder to be excluded from scanning by ClamWin. Here is what to put to select a folder: Drive:\Folder\Subfolder\*
Here is what to put to select a file: Drive:\Folder\Subfolder\Filename.Extension. You can probably just put Filename.Extension if you don't want to put in the folder. Ignore a subfolder if there isn't one. Select OK when through. You can use the other side of the Filters page to develop a custom list of extensions for ClamWin to scan. You don't need to scan all extensions or all folders.

If you want to send a lot of false positive files to Clam AV that need signature corrections, put them in a Zipped file.

I think that ClamWin may not be around too much longer, so I hope that you are using a real-time antivirus/malware scanner as your primary line of defense and just keep ClamWin as a backup scanner. It takes too long to scan with ClamWin, and there are just not enough Clam AV signatures to provide good user protection. ClamWin is also not a real-time scanner (it scans on-demand as scheduled or manually), and you need real-time for good protection. The Windows Defender AV is a good, free real-time scanner and provides all the protection you need.

Thanks for using ClamWin!

Regards,
PayneLess Designs


Joined: 05 Mar 2007
Posts: 3
Location: Biloxi, MS
Thank you for all that good info. Copied/pasted to my Notes.

I do use Windows Defender in Win 10 which runs all the time PC is on. Micro$oft has improved it so doing a good job. I also use MalwareBytes in addition to ClamWin for on-demand scans. Gave up long ago on AVG and Avast which have now become garbage.

Again, thank you for the quick replies and good advice.

73,

Ron