ClamWin Free Antivirus
Support and Discussion Forums
False positives becoming routine around here
voidxor


Joined: 01 Jan 2009
Posts: 21
Location: Lawrence, Kansas
I manage the computers for a few small businesses around town. They either don't want to pay for antivirus software, or have too many computers for that to be practical. ClamWin has long been my standard antivirus scanner. I always set ClamWin to move files to quarantine, as reporting only does not disable the virus and only serves to scare users that wouldn't know how to deal with a virus. For businesses where I serve as the entire IT department, I also have ClamWin set to email me on detection. This setup has worked nicely for me for several years now.

The last few months have become problematic. The false positive rate has gone through the roof. Every couple of months, including this morning, ClamWin up and decides that one or more Windows XP system files are infected. It quarantines them and I wake up to find a couple dozen email alerts in my inbox. Windows would normally replace the file with its backup copy in the DLL cache, but ClamWin quarantined it too. It's at that point that Windows XP generates a messagebox about inserting the Windows XP SP3 CD (which we don't have because the computers have been updated to SP3 and the original XP CDs don't have the newer, SP3 versions of the files) to copy the file. This messagebox scares users and must be canceled. A reboot will often cause a BSoD because system files are missing. Over the last six months, I've had this happen to msxml2.dll, user32.dll, wextract.exe this morning, and dozens of others.

Why aren't new updates to the virus signature database first tested on a fully-patched Windows XP SP3 system? Could you do the same for Windows 2000 and Windows Vista? This seems like an obvious step to prevent the majority of the false positive problems that ClamWin users have been having.
GuitarBob


Joined: 09 Jul 2006
Posts: 4362
Location: USA
ClamWin uses the antivirus scanning engine and signature database provided by the Clam Antivirus project. Clam is essentially an antivirus program for use on email servers running the Linux operating system. ClamWin is another project unrelated to Clam that ports the Clam scanning engine over to Windows use and it is heavily dependent upon Clam. Clam is a fairly small operation as antivirus companies go, but ClamWin is even smaller--with only two part-time developers and volunteers for other tasks.

Every antivirus program has false positives. Sometimes you hear of some real doozies. Clam does have its share of false positives. Clam tests their signatures for false positives against "good" software before they are released. Unfortunately, they don't have enough Windows software to test against. Windows false positives are not a problem with their Linux email server primary user base. It is also unfortunate that Microsoft has to update their software so often. Finally, Clam would need to make some procedural changes and install more equipment to set up extensive testing of Windows programs for false positives.

The ClamWin developers are looking into the recent spate of false positives to see what can be done about it for its Windows user base. Hopefully something can be done to alleviate the problem.

Regards,
truecolor


Joined: 05 Jun 2009
Posts: 1
Many thanks to Guitarbob for such a very useful post
Happened again
voidxor


Joined: 01 Jan 2009
Posts: 21
Location: Lawrence, Kansas
It's happened again. This is such a waste of my time as a system administrator that I'm about ready to buy the virus database maintainers a Windows XP SP3 machine against which to check definitions for false positives. Anyway, I got up this morning to find a bunch of these scan logs in my inbox (from ClamWin installations on my machines):

Code:
Scan Started Sun Jul 19 08:25:00 2009
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 20 processes - 325 modules ***
 *** Computer Memory Scan Completed ***

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\pagefile.sys: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: Trojan.Agent-119428 FOUND
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119428 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 596476
Engine version: 0.95.1
Scanned directories: 3404
Scanned files: 31647
Infected files: 2
Data scanned: 7677.05 MB
Data read: 5778.75 MB (ratio 1.33:1)
Time: 4687.099 sec (78 m 7 s)
I am in the same boat...
innovate2000


Joined: 20 Jul 2009
Posts: 6
except one of my machines fails to log on - it immediately logs off when a log on is attempted. ClamWin should have an option to eliminate folders from scanning - that would help with this specific issue anyway - can anyone offer suggestions on what I might try?

I've done a repair already - and none of the safe mode options work either.

All suggestions appreciated.
GuitarBob


Joined: 09 Jul 2006
Posts: 4362
Location: USA
ClamWin does have the ability to eliminate folders/files from its scans. It's in the Configuration, Filters, Exclude Matching Filenames section. Here's a couple of items I have excluded:

File - C:\ProgramData\.clamwin\quarantine\*
Folder - C:\Malware\*

See Keith's post (Keith064) of today in the Virus Scanner forum. It tells what he did using Recovery Console.

Regards,
Thanks GuitarBob!
innovate2000


Joined: 20 Jul 2009
Posts: 6
I will look at those posts. I will also use your suggestion for eliminating those items. Are there other files/folders (understanding that there is no liability to you) that you might suggest I exclude?

Thanks.
innovate2000


Joined: 20 Jul 2009
Posts: 6
GuitarBob - I went to the Virus Scanner Forum and cannot seem to find the posts you suggest. Additionally I cannot find Keith064 to find his posts of today. Is there something I am doing wrong?
innovate2000


Joined: 20 Jul 2009
Posts: 6
found it (the author was showing: ooounohu)
innovate2000


Joined: 20 Jul 2009
Posts: 6
GuitarBob - Thanks for the info about the filter functionality - I didn't know I could add full paths (perhaps a note there would be helpful). If my filespec has spaces in it, should I enclose the path in quotes?
GuitarBob


Joined: 09 Jul 2006
Posts: 4362
Location: USA
I'm not sure, but I don't think you need to enclose a space in quotes. Try it with a test copy of something like that to your desktop and see if it's okay.

Regards,
innovate2000


Joined: 20 Jul 2009
Posts: 6
Thanks for all of your help!
This one was biting me too.
lincsilk


Joined: 21 Jul 2009
Posts: 1
Location: Nanaimo, BC, Canada
Thank you for the above thread. This addressed my question and provided the answer. I was losing my userinit.exe and excel.exe files as infected (which they weren't). I'll head over to clamav and see if I can contribute to their definitions.
Happened again
voidxor


Joined: 01 Jan 2009
Posts: 21
Location: Lawrence, Kansas
It happened again. I'm really getting tired of seeing hundreds of these false positive detection reports in my inbox per month.

Code:
Scan Started Sat Jul 25 08:25:00 2009
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 20 processes - 320 modules ***
 *** Computer Memory Scan Completed ***

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
C:\pagefile.sys: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\upswsdb.mdf: Permission denied
C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\dllcache\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Zbot-5074 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 603148
Engine version: 0.95.1
Scanned directories: 3405
Scanned files: 32307
Infected files: 4
Data scanned: 7765.57 MB
Data read: 5846.05 MB (ratio 1.33:1)
Time: 4822.734 sec (80 m 22 s)
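Both scan reports voidxor posted (July 19 and July 25) show the same shape: the engine hits a Windows binary and every protected copy of it (system32, dllcache, ServicePackFiles) with one signature, and because ClamWin quarantines all of them Windows has nothing left to restore from. The script below is an added example, not ClamWin or ClamAV code, for triaging that e-mail pile before anything is quarantined by hand: it parses the report format shown in the thread, separates real detections from "Permission denied" noise, and flags detections where the same signature fires on a live OS file and on its protected copies, which is the pattern the thread's administrators were seeing. The report text is a constructed, shortened copy of the July 25 log; the `Win.Trojan.Constructed-1` hit in a temp folder is made up to show a detection that is not flagged.

```python
"""Triage ClamWin scan reports for likely false positives on Windows system files.

Added example written for this thread; it is not code from the ClamWin or ClamAV
projects. The report format is taken from the logs posted above.
"""
import re
from collections import defaultdict

# One line per detection / access failure, as in the posted reports.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
DENIED_RE = re.compile(r"^(?P<path>.+?): Permission denied$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

# Where Windows XP keeps pristine copies of system binaries. If the same
# signature hits a live file AND its backup copies, a signature false positive
# is far more likely than an infection that rewrote every copy identically,
# and quarantining the copies removes the fallback Windows would repair from.
PROTECTED_COPY_DIRS = (
    "c:\\windows\\system32\\dllcache\\",
    "c:\\windows\\servicepackfiles\\i386\\",
)
WINDOWS_ROOT = "c:\\windows\\"


def parse_report(text):
    """Return (found, denied, summary) from one ClamWin scan report."""
    found, denied, summary = [], [], {}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["value"]
            continue
        m = FOUND_RE.match(line)
        if m:
            found.append((m["path"], m["sig"]))
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m["path"])
    return found, denied, summary


def _is_protected_copy(path_lower):
    return path_lower.startswith(PROTECTED_COPY_DIRS)


def likely_false_positives(found):
    """Group hits by (file name, signature); flag groups that cover a live
    Windows file and at least one protected copy of it."""
    by_key = defaultdict(set)
    for path, sig in found:
        p = path.lower()
        by_key[(p.rsplit("\\", 1)[-1], sig)].add(p)
    flagged = []
    for (base, sig), paths in sorted(by_key.items()):
        protected = {p for p in paths if _is_protected_copy(p)}
        live = {p for p in paths
                if not _is_protected_copy(p) and p.startswith(WINDOWS_ROOT)}
        if protected and live:
            flagged.append({"file": base, "signature": sig,
                            "paths": sorted(paths),
                            "protected_copies_hit": sorted(protected)})
    return flagged


# Constructed sample, shortened from the July 25 report in this thread.
SAMPLE_REPORT = """\
Scan Started Sat Jul 25 08:25:00 2009
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Scanned 20 processes - 320 modules ***
 *** Computer Memory Scan Completed ***

C:\\pagefile.sys: Permission denied
C:\\WINDOWS\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\ServicePackFiles\\i386\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\system32\\config\\SAM: Permission denied
C:\\WINDOWS\\system32\\dllcache\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\WINDOWS\\system32\\notepad.exe: Trojan.Zbot-5074 FOUND
C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe: Win.Trojan.Constructed-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 603148
Engine version: 0.95.1
Scanned files: 32307
Infected files: 5
Time: 4822.734 sec (80 m 22 s)
"""

if __name__ == "__main__":
    found, denied, summary = parse_report(SAMPLE_REPORT)
    print(f"engine {summary.get('Engine version')}: {len(found)} detections, "
          f"{len(denied)} unreadable files")
    for hit in likely_false_positives(found):
        print(f"REVIEW BEFORE QUARANTINE: {hit['file']} / {hit['signature']} "
              f"also hit in {len(hit['protected_copies_hit'])} protected copy(ies)")
```

The "flag" here is a triage cue, not a verdict: a flagged file still needs to be checked against a known-good copy (the ServicePackFiles copy, or the vendor's published hashes) before it is restored, and the unflagged detections still need to be looked at.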
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Could you please zip notepad.exe with password "clamwin" and email it to clamwin at clamwin dot com?
Thanks,
Alch