virus scanner installer detected as Trojan.FalseAlert-632
wisely


Joined: 14 Aug 2008
Posts: 0
Location: Asia
Recently, ClamWin detected 2 files on my company PCs as Trojan.FalseAlert-632.
One is the live update installer from Norton and the other is the free AVG 7.5 installer.
The files are too big, so virusscan.org and virustotal will not accept the files for checking.

Are they false positives?
or
Are Norton and AVG distributing Trojan False alert to make their product look good?


Scan Started Mon Sep 08 12:30:00 2008
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***

*** Scanned 35 processes - 357 modules ***
*** Computer Memory Scan Completed ***
D:\share\anti-malware\avg\avg75free_518a1275.exe: Trojan.FakeAlert-632 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 413528
Engine version: 0.93.1
Scanned directories: 6266
Scanned files: 5830
Infected files: 1
Data scanned: 6350.73 MB
Time: 1751.625 sec (29 m 11 s)


Scan Started Sun Sep 07 17:39:55 2008
-------------------------------------------------------------------------------
C:\IBMTOOLS\APPS\NORTONAV\SUPPORT\LUPDATE\LUSETUP.EXE: Trojan.FakeAlert-632 FOUND
C:\IBMTOOLS\APPS\NORTONAV\SUPPORT\LUPDATE\LUSETUP.EXE: moved/scheduled to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.LUSETUP.EXE'
----------- SCAN SUMMARY -----------
Known viruses: 413481
Engine version: 0.93.1
Scanned directories: 6981
Scanned files: 9264
Infected files: 1
Data scanned: 3499.48 MB
Time: 2511.750 sec (41 m 51 s)
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello,
If the files have been downloaded from official/legitimate sites it is very likely that Clam has detected false positives.
As far as I know AVG 7.5 free is not supported anymore as it has been replaced by the 8.0 version; if the file is legitimate it is better to eliminate it and replace it with the new 8.0.
Files too big for VirusTotal upload: an online scan is worth a try to check if other AVs spot the files as malware (for periodic scans I personally rely on http://housecall.trendmicro.com/, but on the Anti Malware resources page of ClamWin's site you will find other options to choose from, all free to use. Have a try with 2/3 of them to check if they all give the same results).
Alternatively, http://www.drweb-online.com/en/virustest.html can scan files larger than 10MB (which is the max. size for VirusTotal).

If the final result is likely to be a false positive, please notify the Clam Team using the form at http://cgi.clamav.net/sendvirus.cgi to enable them to fix the issue rapidly.
Hope this helps,
Antonio
wisely


Joined: 14 Aug 2008
Posts: 0
Location: Asia
Thanks for the info.

The PCs belong to my co-workers. One of them is still using AVG 7.5 because version 8 slows down his PC.
The other one uses Norton 2005.

I have asked them to switch to other virus scanners to do another scan.
ermanno


Joined: 10 Sep 2008
Posts: 0
Hi, I had a similar result scanning a Win2003 server (ClamWin engine version: 0.93.1).
ClamAV found 2 files infected with Trojan.FakeAlert-632 (I think Trojan.FalseAlert-632 is a typing error). The first one was the AVG 7.5 installer, the second a pcAnywhere .msi file.

Yesterday I tested 4 AVG installers on my Fedora 8 Linux box, ClamAV engine version: 0.92.1, virus database 09.09 updated

1) avg70f_323a539.exe, old commercial avg 7 setup file, Trojan.FakeAlert-632 found
2) avg_free_stf_en_8_100a1295.exe, free avg 8 setup file, Trojan.FakeAlert-632 FOUND
3) avg_free_stf_all_8_100a1295.exe, free avg 8 setup file, Trojan.FakeAlert-632 FOUND

4) avg_free_stf_eu_8_169a1359.exe, free avg 8 setup file downloaded yesterday, NO virus found

Then I tried online scanners, but uploading the second file, the .msi (only 8MB), instead of AVG

1) http://www.drweb-online.com/en/virustest.html NO virus found
2) http://virusscan.jotti.org NO virus found, ClamAV scanning too!!!!!!
3) http://www.virustotal.com ClamAV 0.93.1 2008.09.09 Trojan.FakeAlert-632 found, other antivirus NO virus found

I found another post on this forum about the same probable false positive
http://forums.clamwin.com/viewtopic.php?t=1947

I don't know if my experience with Trojan.FakeAlert-632 can be useful. Thanks to the ClamAV/ClamWin team for this great sw
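Added example (not part of any post in this thread): the scan reports quoted above share one line format, so detections from several PCs can be pooled to see which signature keeps firing on unrelated files, the pattern that prompted the cross-checks here. The function names and the `min_files` threshold are assumptions, and the sample is constructed from lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the reports quoted in this thread,
# trimmed to the fields the parser uses.
SAMPLE_LOG = r"""
Scan Started Mon Sep 08 12:30:00 2008
D:\share\anti-malware\avg\avg75free_518a1275.exe: Trojan.FakeAlert-632 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 413528
Engine version: 0.93.1
Infected files: 1

Scan Started Sun Sep 07 17:39:55 2008
C:\IBMTOOLS\APPS\NORTONAV\SUPPORT\LUPDATE\LUSETUP.EXE: Trojan.FakeAlert-632 FOUND
C:\IBMTOOLS\APPS\NORTONAV\SUPPORT\LUPDATE\LUSETUP.EXE: moved/scheduled to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.LUSETUP.EXE'
----------- SCAN SUMMARY -----------
Known viruses: 413481
Engine version: 0.93.1
Infected files: 1
"""

# Greedy (.+) keeps the drive-letter colon in "C:\..." inside the path.
FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
FIELD = re.compile(r"^(Known viruses|Engine version): (.+)$")

def parse_scans(text):
    """Split a ClamWin report into scans with their detections and summary fields."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Scan Started "):
            scans.append({"started": line[len("Scan Started "):], "hits": []})
        elif not scans:
            continue  # ignore anything before the first scan header
        elif (m := FOUND.match(line)):  # "moved/scheduled" lines do not match
            scans[-1]["hits"].append((m["path"], m["sig"]))
        elif (m := FIELD.match(line)):
            scans[-1][m[1]] = m[2]
    return scans

def review_candidates(scans, min_files=2):
    """Signatures that fired on several distinct files: cross-check before trusting."""
    files = defaultdict(set)
    for scan in scans:
        for path, sig in scan["hits"]:
            files[sig].add(path.lower())  # Windows paths are case-insensitive
    return {sig: sorted(p) for sig, p in files.items() if len(p) >= min_files}
```

A signature returned by `review_candidates` is a cue to cross-check those files with other scanners and, if they come back clean, to submit them as false positives along with the engine version and signature count from the summary.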
wisely


Joined: 14 Aug 2008
Posts: 0
Location: Asia
I have used another anti-virus to scan the 2 files but it cannot detect anything.
So I believe it is a false positive, so I have reported it.

ClamWin anti-virus (especially ClamWin portable) has helped to save many PCs in my company from reformatting.
It has removed many viruses that even Symantec anti-virus cannot detect. I even use ClamWin to quarantine the viruses and submit the samples to the red-faced Symantec sales representative.

I appreciate the work done by the development team. However, the large number of false positives is hurting the credibility of ClamWin as a good anti-virus program. I hope the development team would test out the virus samples using different scanners to minimise the cases of false positives.

I also hope that the ClamWin development team would learn from others' mistakes. Symantec anti-virus mistook 2 Windows system files for viruses and deleted them. This caused millions of PCs in China to get BSOD. History would repeat itself if we never learn from other people's mistakes.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
All antivirus programs get false positives. Yesterday Trend Micro had a BIG problem with a false positive (FP), for instance.

With that said, however, Clam probably gets a little more FPs than the average antivirus. The process of making signatures is pretty labor intensive for them and isn't as automated as some other antiviruses. They run all signatures through a false positive "farm" that checks them against samples of "good" programs before they are published, but they need a larger sample of good programs. The quality of signatures will be better, starting with Version 0.94, so I think the FPs will improve.

In the meantime, ClamWin users need to continue submitting all false positives they find to the Clam team. That's how we can all help.

Regards,
Antonio S.


Joined: 20 Apr 2008
Posts: 0
Location: Italy
Hello All,

Just scanned the AVG 8 free installer I had on my USB drive; this was downloaded about 2 months ago from the official site. Actually ClamWin spots it as infected (see below).
G:\Sicurezza internet\Antivirus\avg_free_stf_en_8_100a1295.exe: Trojan.FakeAlert-632 FOUND

Will report it to Clam as a false positive. I guess they have missed something in the sigs database.

Regards,
Antonio

Update 21/09/08: Issue has been fixed. Scanned the same file again and it came out clean. FYI.