hankyknot
Joined: 03 Nov 2008 |
Posts: 0 |
Location: NB, Canada |
Posted: Wed Dec 17, 2008 2:42 pm |
We use ClamWin extensively to protect our networks from viruses and so far everything has been great. This morning, however, we had a bunch of email alerts from various servers reporting that Trojan.Agent xxxxxx has been found. xxxxxx varying from machine to machine to machine.
The bizarre thing is that, without exception, these infections have been found in the folders of other virus and spyware removal tools that we use. Spybot, MalwareBytes, aSquared have all suddenly become infected with various flavours of Trojan.Agent xxxxxx.
The infections are not being reported in quarantine folders but either in the application folders themselves or the main repository that we store the installation files in.
Could this be a collection of false positives? If so, where do I go to check such things?
GuitarBob
Joined: 09 Jul 2006 |
Posts: 9 |
Location: USA |
Posted: Wed Dec 17, 2008 4:50 pm |
I also had a false positive in my Malwarebytes' Anti-Malware program and a couple of others yesterday. I notified Clam, and I no longer get it when I scan those files, so they have corrected the signature.
You can check if a file is a false positive by uploading it to Jotti or to VirusTotal on the web. Either will scan it for you with multiple antivirus programs, including Clam. If more than a couple of AVs besides Clam find a file is infected, it's probably not a false positive. If it is a false positive, you should notify Clam so they can fix it. The ClamWin Anti-Malware page has the locations for Jotti, VirusTotal, and the Clam submission page.
Regards,
hankyknot
Joined: 03 Nov 2008 |
Posts: 0 |
Location: NB, Canada |
Posted: Tue Dec 23, 2008 2:09 pm |
OK, this is starting to get a little out of hand. Yet more virus reports that are reporting actual removal tools as viruses. The latest report contains:
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\EVRWI4NL\clamwin-update-0.93-0.93.1[1].exe: Trojan.Agent-65355 FOUND
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\EVRWI4NL\clamwin-update-0.93-0.93.1[1].exe: Removed
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\KLHCVB3A\clamwin-update-0.93.1-0.94[1].exe: Trojan.Agent-65355 FOUND
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\KLHCVB3A\clamwin-update-0.93.1-0.94[1].exe: Removed
What to do?
GuitarBob
Joined: 09 Jul 2006 |
Posts: 9 |
Location: USA |
Posted: Tue Dec 23, 2008 2:18 pm |
That is a false positive, affecting several different files, and several users have notified Clam about it. If you find the same infection in several different files, it is probably a false positive, but you should check it out to be sure.
The Clam sigmakers usually take care of their own false positives. It should be fixed in a day or so.
Regards,
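
The rule of thumb from the reply above (one signature name turning up in several different files), applied to report lines in the format quoted in this thread. This is an added example, not part of the original posts and not ClamWin's own code; the function name `triage`, the `min_files` threshold and the `Worm.Constructed-1` line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Report lines as quoted in the thread: "<path>: <signature> FOUND" / "<path>: Removed"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
REMOVED_RE = re.compile(r"^(?P<path>.+): Removed$")

# First four lines are the ones posted above; the last line is constructed.
SAMPLE = r"""
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\EVRWI4NL\clamwin-update-0.93-0.93.1[1].exe: Trojan.Agent-65355 FOUND
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\EVRWI4NL\clamwin-update-0.93-0.93.1[1].exe: Removed
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\KLHCVB3A\clamwin-update-0.93.1-0.94[1].exe: Trojan.Agent-65355 FOUND
C:\Documents and Settings\gcadmin\Local Settings\Temporary Internet Files\Content.IE5\KLHCVB3A\clamwin-update-0.93.1-0.94[1].exe: Removed
C:\Temp\invoice.exe: Worm.Constructed-1 FOUND
"""

def triage(report_lines, min_files=2):
    """Group detections by signature and mark those that hit several
    differently named files as false-positive candidates to verify."""
    hits = defaultdict(set)   # signature -> full paths it was reported in
    removed = set()           # paths the scanner has already deleted
    for line in report_lines:
        line = line.strip()
        found = FOUND_RE.match(line)
        if found:
            hits[found["sig"]].add(found["path"])
            continue
        gone = REMOVED_RE.match(line)
        if gone:
            removed.add(gone["path"])
    results = {}
    for sig, paths in hits.items():
        # Compare file names, not paths: one file cached twice is not two files.
        names = {PureWindowsPath(p).name.lower() for p in paths}
        results[sig] = {
            "distinct_files": len(names),
            "fp_candidate": len(names) >= min_files,   # still needs a second opinion
            "already_removed": sorted(p for p in paths if p in removed),
        }
    return results

if __name__ == "__main__":
    for sig, info in sorted(triage(SAMPLE.splitlines()).items()):
        print(sig, info["distinct_files"], info["fp_candidate"], len(info["already_removed"]))
```

The `already_removed` list shows which flagged files the scanner has already deleted, so they would have to be fetched again before they can be uploaded to a multi-engine scanner or submitted as a false positive.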