ClamWin Free Antivirus
Support and Discussion Forums
False positive in ClamWin
Cousin Hub


Joined: 22 Apr 2007
Posts: 4
Location: France
Hi,
I had a false positive in ClamWin which was confirmed by a test on www.virustotal.com.
I reported it to ClamAV, which sent me the following information in http://cvdpedia.clamav.net/daily/3065:
Submission-ID: 995119
Sender: Hubert Gailly
Submission notes: Not a false positive.
Added: No
I do not quite understand because now the same file is not reported positive on www.virustotal.com but still in ClamWin.

Does anybody understand?
Is this just a matter of waiting for an update in ClamWin?

Thanks for help,

Cousin Hub
False Positive In ClamWin
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Make sure you have the most recent signatures for both the Main and Daily databases from the ClamAV Web site at http://www.clamav.net/. Compare their signature database version number(s) with the version numbers shown on ClamWin's menu (Help, About).

If the version numbers aren't the same, update the signatures manually and see if that fixes things. If they are the same version numbers, I'm not sure what to tell you. If that is the case, the problem may be due to some newer functionality included in ClamAV version 0.90.2, while ClamWin is using version 0.90.1.1. ClamAV's version 0.90.2 incorporates some exploit fixes that are unique to Linux, while ClamWin isn't affected.

Regards,
Re: False positive in ClamWin
Eufema


Joined: 14 Feb 2007
Posts: 1
Location: Netherlands
Cousin Hub wrote:
Hi,
I had a false positive in ClamWin which was confirmed by a test on www.virustotal.com.
I reported it to ClamAV, which sent me the following information in http://cvdpedia.clamav.net/daily/3065:
Submission-ID: 995119
Sender: Hubert Gailly
Submission notes: Not a false positive.
Added: No
I do not quite understand because now the same file is not reported positive on www.virustotal.com but still in ClamWin.

Does anybody understand?
Is this just a matter of waiting for an update in ClamWin?

Thanks for help,

Cousin Hub


Hi, some time ago I also had a warning in Program Launch, from a Danish creator. He examined it on more PCs at the same time and found that on some PCs there was the false positive, while on the others there was nothing. I downloaded and installed the program again and afterwards no harmful stuff was found, so it appeared to be a false positive, probably a fault in ClamWin. I received a warning to update to 0.90.2 but I could not succeed in installing/updating to this version. So I will wait until this problem is solved.
False Positive
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
ClamWin 0.90.2 is being tested now and should be ready for downloading soon. Some antivirus programs treat potentially unwanted programs as viruses, and some don't--this might be your situation. A potentially unwanted program does not necessarily contain a virus/malware. It might be some code/program downloaded automatically from a Web site without your knowledge (cookies, etc.). It could also be a "broken" program that looks like it won't work. Usually this stuff is close to spyware. Some antivirus software programs confine themselves to viruses only and don't look at anything else.

You could do a search on Google for the name of the program that has the problem, and see what you can find out about it. If more than one antivirus flags something as containing virus/malware, however, it is probably something that you don't want to have/use.

Regards,
Cousin Hub


Joined: 22 Apr 2007
Posts: 4
Location: France
Thanks for the replies,

In my case, the virus is said to be found in the database files and backup of MS SQL Server: the database of hMailServer, positive with E-Mail phishing RB-601.
I checked every single row (it is a small installation); I do not think there is a virus in it, as ClamAV 0.90.1 is the only tool to report it positive.

Waiting for 0.90.2...

I don't know,

Hubert
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
False positives are not resolved by a new version of the AV but by updated signatures; you can report it directly on the ClamAV web site.
Cousin Hub


Joined: 22 Apr 2007
Posts: 4
Location: France
Not sure if you have read my first post...
sherpya


Joined: 22 Mar 2006
Posts: 898
Location: Italy
sorry not :D
we have the plan to add our own signatures/false positives
Re: False positive in ClamWin
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Cousin Hub wrote:


Does anybody understand?
Is this just a matter of waiting for an update in ClamWin?


The virus database used in ClamWin is maintained by the ClamAV team and we cannot answer for them. You may try contacting them once again if you firmly believe it is a false positive.
False Positive
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
You might check it with VirusTotal one more time. Clam will occasionally find a phishing-type malware that many of the other antivirus softwares don't bother with--I believe it now has some separate phishing signatures. I once had a piece of malware that was only recognized by Clam and VBA--two of the least known antivirus programs. If no one but Clam still recognizes it, then resubmit your sample to Clam at http://cgi.clamav.net/sendvirus.cgi and explain in the comments that you firmly believe it is a false positive. You could follow this up with email to one of the virus maintainers and tell them you have just resubmitted a false positive and would appreciate a response.

Regards,
Cousin Hub


Joined: 22 Apr 2007
Posts: 4
Location: France
My problem is that the file is now only recognized as positive by ClamWin.
The latest version of ClamAV on www.virustotal.com does not recognize it anymore:
the modification happened between the post of my false positive and the ClamAV team's answer.
That's why I'm curious to see what will happen with 0.90.2...
Any timeframe?
False Positive
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
I don't think the version number will make any difference. The "problem" is in the signatures (perhaps that one signature is not quite right), and that will not change with ClamWin version 0.90.2. My final suggestion is for you to contact the ClamAV person who told you that there was no false positive and ask them why it was not false. Good luck!

Regards,
b0ne


Joined: 26 Oct 2006
Posts: 174
Cousin Hub wrote:
the virus is said to be found in the database files and backup of MS SQL Server: the database of hMailServer, positive with E-Mail phishing RB-601.


* Signatures that start with "Email.Phishing" are not viruses, they detect phishing attempts.

* This is the signature:

Email.Phishing.RB-601:4:*:687474703a2f2f7777772e35332e636f6d2e

In English this translates into: scan all files of EMAIL TYPE for signature "http://www.53.com."

Knowing this information, it is feasible that your mail database does contain the string "http://www.53.com." in it somewhere.

Being that the type "4" (email) is present, I'm also wondering if hMailServer doesn't store your mail database in an email type format rather than in an MS SQL/MySQL format.

* I just updated my signatures from clamav and this particular sig is still present.
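The signature b0ne quotes can be decoded and run against a file by hand, which also shows which bytes in a mail store trigger the detection. This is an added example, not part of the original thread and not ClamAV's own code; `parse_ndb`, `find_matches` and the sample buffer are constructed for illustration, and only plain-hex signature bodies with offset `*` are handled.

```python
from typing import List, NamedTuple

# Target type numbers of the ClamAV extended (.ndb) signature format.
TARGET_TYPES = {0: "any file", 1: "PE executable", 2: "OLE2 document",
                3: "HTML", 4: "mail file", 5: "graphics", 6: "ELF",
                7: "normalized ASCII text"}

# Signature line exactly as quoted in the post above.
SIG_LINE = "Email.Phishing.RB-601:4:*:687474703a2f2f7777772e35332e636f6d2e"

# Constructed sample: one ordinary sentence ending in a period and one
# longer hostname. Both contain the literal bytes the signature looks for.
SAMPLE = (b"Received: from mx.example.test\r\n"
          b"Subject: statement ready\r\n\r\n"
          b"Our site is http://www.53.com. Thank you.\r\n"
          b"Log in at http://www.53.com.example.test/login\r\n")

class NdbSignature(NamedTuple):
    name: str
    target: str
    offset: str
    pattern: bytes

def parse_ndb(line: str) -> NdbSignature:
    """Parse Name:TargetType:Offset:HexSignature; extra fields are ignored."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    name, target, offset, hexsig = fields[:4]
    try:
        pattern = bytes.fromhex(hexsig)
    except ValueError:
        raise ValueError("wildcard hex bodies are not handled by this example")
    return NdbSignature(name, TARGET_TYPES.get(int(target), "unknown"),
                        offset, pattern)

def find_matches(sig: NdbSignature, data: bytes) -> List[int]:
    """Return every byte offset at which the literal pattern occurs."""
    if sig.offset != "*":
        raise ValueError("only offset '*' (anywhere) is handled here")
    hits, pos = [], data.find(sig.pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig.pattern, pos + 1)
    return hits

if __name__ == "__main__":
    sig = parse_ndb(SIG_LINE)
    print(sig.name, "|", sig.target, "|", sig.pattern, "|", find_matches(sig, SAMPLE))
```

Reading a database backup with `open(path, "rb").read()` and passing it to `find_matches` gives the offsets to inspect; whether the engine applies a type-4 signature at all still depends on it classifying the file as mail.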