ClamWin Free Antivirus
Support and Discussion Forums
Infected files that only show up in ClamWin
JordonTD


Joined: 07 Sep 2022
Posts: 1
According to a ClamWin scan there are several RAT malware in recently installed programs from Keyscrambler, NirSoft Wireless Network Watcher, FRST64.exe and even Malwarebytes -- all of which were downloaded from their respective official websites. And yet the scans I ran before ClamWin, such as ESET, MSERT, Windows Defender, Microsoft Security Essentials, Kaspersky, Comodo, MrMed and yes even Malwarebytes, all found no threats.

Although before I ran CW for the first time, I knew that I was stuck with a RAT malware, but didn't know if it was an injected code or a whitelisted version that Malwarebytes didn't pick up. I subsequently reinstalled my Win7 Ultimate 64bit using Minitool Partition to delete all partitions before (I found after reinstallation that the deletion wasn't complete since an Old Windows folder was installed). And before reinstallation, I reset my Dell BIOS. Afterwards I ran the above scanners and then CW, which again came up with the same RAT malware infections -- but they only showed up subsequently after restart, once they were removed or quarantined before restart, and this despite Minitool rebuilding the MBR that may have been modified by the RAT malware.

It may be counterintuitive, but I think CW is making the right call. Like GuitarBob, I'm not all that impressed with Malwarebytes or the other scanners -- which are totally useless in detecting a lightly modified version of Mimikatz, for example! Feedback would be appreciated.
GuitarBob


Joined: 09 Jul 2006
Posts: 4904
Location: USA
The Clam AV signatures used by ClamWin will sometimes give a false positive. One reason is that the Clam AV sigmakers often prepare generic signatures that are not specific to a certain malware--they may get a signature for the packer or for a file section or phrase that can be used by "good" files as well.

If you have ClamWin set to detect potentially unwanted files (PUAs) that are not real malware--just files that could be used by malware, you can also get a false positive. You can change this. I don't have ClamWin on this Linux Mint box, and don't remember how, but either through the command line or there may be a configuration option--I kind of think it is done via the command line. The default is not to detect PUAs, so if you haven't changed it, then PUAs will not be detected.

Most AVs do a better job of detecting malware now than ClamWin, which uses the Clam AV scan engine and virus signatures. Clam AV is owned by Cisco, and there is no one at Cisco working on Clam AV full-time--at least there was no one when I quit sigmaking at Clam AV on behalf of ClamWin, and I understand it hasn't changed. Clam AV is free, just like ClamWin, and free AVs don't make any money.

Regards,
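An added triage helper, not from this thread or from ClamWin itself: it reads clamscan-style scan output and separates PUA.* and Heuristics.* hits (the "potentially unwanted" and heuristic classes GuitarBob describes, which are the usual false-positive sources) from exact signature matches, so a user can see at a glance which detections deserve a second opinion before trusting or dismissing them. The log lines, paths and signature names are constructed samples, not real detections.

```python
import re
from collections import defaultdict

# Constructed sample of clamscan/ClamWin scan-log lines (not real detections).
SAMPLE_LOG = """\
C:\\Tools\\nirsoft\\WNetWatcher.exe: PUA.Win.Tool.Example-1 FOUND
C:\\Tools\\FRST64.exe: Win.Malware.Generic-2 FOUND
C:\\Program Files\\KeyScrambler\\KeyScrambler.exe: OK
C:\\Downloads\\setup.exe: Heuristics.Example.Packed FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
"""

# clamscan reports each hit as "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_found(log_text):
    """Return (path, signature) pairs for every FOUND line in a scan log."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def classify(sig):
    """Bucket a ClamAV signature name by its family prefix.
    PUA.* names are the potentially-unwanted class (only reported when PUA
    detection is enabled); Heuristics.* come from heuristic/packer checks
    rather than an exact match; everything else is a regular signature."""
    if sig.startswith("PUA."):
        return "pua"
    if sig.startswith("Heuristics."):
        return "heuristic"
    return "signature"

def triage(log_text):
    """Group FOUND hits by class so PUA/heuristic hits stand out from the rest."""
    buckets = defaultdict(list)
    for path, sig in parse_found(log_text):
        buckets[classify(sig)].append((path, sig))
    return dict(buckets)

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for path, sig in items:
            print(f"  {sig}  <-  {path}")
```

Hits left in the "signature" bucket still warrant checking the file's hash against the vendor's published download, since generic signatures can match legitimate tools too.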