Possible false positive?
Halikar
I have a situation that my gut is telling me is a false positive, but it's strange enough that I'm hoping someone can confirm it for me. I have 2 hard drives on my system, one with a rather well used version of Windows 2000 Professional, and an empty one. I have been trying to install a fresh version of Win2K Pro on the empty drive, however scans made by ClamWin from the cluttered drive find the pagefile.sys file on the new install infected with Java.Classloader.Dummy.C. I should note that they don't always occur right after install, but doing nothing but changing the boot from one drive to the other seems to cause the scan message. What is driving me crazy is that if I install the OS on the new drive, install nothing but ClamWin, and scan the old drive, I consistently find nothing. Yet scanning the other way finds my annoying friend.

Does anyone have any thoughts? I'd appreciate it.
sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
pagefile.sys is the swap area for Windows. You may have had the infected (or false positive) file in memory, so you will have it inside the swap file.
Normally you cannot access the swap file, but I suppose you are not running the target OS (i.e. an offline check).
You can safely remove pagefile.sys; Windows will recreate one from scratch.
Halikar
Joined: 11 Dec 2006
Posts: 0
That's part of the problem. I can indeed delete it, but the fresh OS recreates it, and once recreated it is once again seen as infected. That implies that undetected code is infecting it, or that there is something in the pagefile.sys that is being seen as what it is not.
b0ne
Joined: 26 Oct 2006
Posts: 0
Halikar wrote:
That's part of the problem. I can indeed delete it, but the fresh OS recreates it, and once recreated it is once again seen as infected. That implies that undetected code is infecting it, or that there is something in the pagefile.sys that is being seen as what it is not.
"Java.Classloader.Dummy.C" is a pretty crappy signature.

It essentially looks like this:
Code:
ceFile 01 00 0A Dummy.java 00 ! 00 00 01 00 03 00 00 00 01 00 01 00 05 00 06 00 00 00 01 00 01 00 07 00 08 00 01 00
Clamav is looking for text, then some bytes, then dummy.java, a null byte, an exclamation point, then bytes that are not ascii, the function of which I am not sure.

The question is, have you browsed any web sites before scanning? There are a lot of sites that still attempt to use defunct java exploits that target older broken microsoft JVMs.

This signature is not restricted to a particular offset, so if it is found anywhere in a file, it results in a detection.

Pagefile.sys is essentially a physical memory dumping grounds for windows that gets over-written as it is needed. If you visit a website that contains one of these now fairly useless exploit attempts, there's a decent chance that it could get swapped out to disk and clamav will find it.
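To make b0ne's point concrete, here is an added illustration (not code from ClamWin, ClamAV or anyone in this thread) of how an offset-unrestricted hex signature behaves over swap-like data. The signature string is a constructed stand-in that follows the shape he describes (ASCII "ceFile", a few wildcard bytes, "Dummy.java", a NUL, "!", some non-ASCII bytes); it is not the real Java.Classloader.Dummy.C signature, and the sample pagefile contents are made up.

```python
import re

# Constructed ClamAV-style hex signature (NOT the real one): the structure
# b0ne describes, written with '??' as a single-byte wildcard.
DUMMY_SIG = (
    "636546696c65"          # "ceFile"
    "??????"                # three wildcard bytes between the two strings
    "44756d6d792e6a617661"  # "Dummy.java"
    "00"                    # NUL byte
    "21"                    # "!"
    "000001000300"          # a few non-ASCII bytes
)

def hex_sig_to_regex(sig: str) -> re.Pattern:
    """Translate a hex signature into a bytes regex.
    Supports literal hex bytes, '??' (any one byte) and '*' (any run)."""
    pattern = b""
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            pattern += b".*?"
            i += 1
        elif sig[i:i + 2] == "??":
            pattern += b"."
            i += 2
        else:
            pattern += re.escape(bytes.fromhex(sig[i:i + 2]))
            i += 2
    return re.compile(pattern, re.DOTALL)

def scan(data: bytes, sig: str, offset=None):
    """Return the offset where the signature hits, or None.
    offset=None means 'anywhere in the file', which is why a class-file
    fragment swapped out to disk is enough to trigger a detection."""
    rx = hex_sig_to_regex(sig)
    if offset is None:
        m = rx.search(data)
        return m.start() if m else None
    return offset if rx.match(data, offset) else None

def build_sample_pagefile() -> bytes:
    """Constructed swap-like blob: filler bytes with a Java class-file
    fragment (as a browser might have had in RAM) buried in the middle."""
    fragment = (b"SourceFile" + b"\x01\x00\x0a" + b"Dummy.java" + b"\x00"
                + b"!" + bytes.fromhex("000001000300"))
    return b"\x00" * 4096 + b"MZ\x90\x00" * 64 + fragment + b"\xff" * 2048

if __name__ == "__main__":
    page = build_sample_pagefile()
    print("any offset:", scan(page, DUMMY_SIG))      # hits at 4356
    print("offset 0  :", scan(page, DUMMY_SIG, 0))   # None: anchored miss
```

The same fragment that is harmless in RAM lands at an arbitrary offset in the swap file, and because the signature is not anchored to an offset, the scanner reports the whole file as infected.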
Halikar
Joined: 11 Dec 2006
Posts: 0
If that's all that's needed to "find" the trojan, then I feel better. It hasn't been consistent, but I've had positive detection from a pagefile.sys on a clean Win2K Pro install, boot to log in once, and nothing else. Since the sum total of my research on what "Java.Classloader.Dummy.C" is and how to remove it is a plethora of "Buy our software and you'll be fine" websites, it's left me wondering what the heck I've actually got going on. And in the case of ClamWin, I'd hate to stop using such a wonderful tool just because I'm confused and big business seems to want to enhance that confusion.
b0ne
Joined: 26 Oct 2006
Posts: 0
Halikar wrote:
If that's all that's needed to "find" the trojan, then I feel better. It hasn't been consistent, but I've had positive detection from a pagefile.sys on a clean Win2K Pro install, boot to log in once, and nothing else.

On a clean install... hmm that is pretty hard to explain. It could be just a crappy signature. I wouldn't worry about that one very much.