alexsupra
alch wrote:
could you please zip notepad.exe with password "clamwin" and email it to clamwin at clamwin dot com?
Thanks,
Alch

It can be impossible because executable files in zip format, even when a password is used, can be rejected by mail servers (e.g. gmail.com). It seems to me that 7z is much more suitable because
1. mail servers ignore executable files in 7z
2. compression is better, thus the file size is smaller.
And again...
voidxor
It's happened again! I think I'm going to bump this thread each time I get dozens of false positive reports in my inbox. This business where ClamWin finds far more false positives than true positives needs to stop. Should I buy the ClamAV folks a Windows computer to test against?

Code:
Scan Started Sun Feb 14 08:40:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 19 processes - 294 modules ***
 *** Computer Memory Scan Completed ***

C:\WINDOWS\ServicePackFiles\i386\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\userinit.exe: W32.Virut-82 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 712836
Engine version: 0.95.3
Scanned directories: 5673
Scanned files: 30162
Infected files: 2
Data scanned: 7377.29 MB
Data read: 5358.15 MB (ratio 1.38:1)
Time: 4210.016 sec (70 m 10 s)
GuitarBob
All Windows programs would not fit on one computer! You would need many banks of them, and each time a program is changed, the false positive game changes. It also changes each time a new signature is prepared, because there's nothing stopping a malware program from using some of the same code that is used/will be used in a good program. Malware can use the same installers, packers, encryptors, and even the same subroutines as "good" programs. It is impossible to have a false positive check that includes every good program. And, even if they could all be included, it would take too long to verify a signature--if you could get all that hardware working together nicely. Each AV company tries to get a balance, which includes hardware, software, time, and budget. Most certainly Clam could do better with a bigger budget, more personnel, and/or more equipment.

Clam could certainly use more Windows programs among its "good" samples, more computer hardware on which to run them, and more systems programmers to make sure everything works together smoothly. At the moment, its personnel are performing multiple functions on a limited budget with whatever excess hardware SourceFire does not use for the Snort operation. The AV game is getting expensive, resource intensive, and requires constant innovation. Most people who use both Clam/ClamWin do so freely, without paying a dime. Contact Luca at ClamAV dot net if you would like to help Clam. You know the contact(s) for ClamWin.

Regards,
They just need to test Windows system files
voidxor
GuitarBob wrote:
All Windows programs would not fit on one computer! You would need many banks of them, and each time a program is changed, the false positive game changes. It also changes each time a new signature is prepared, because there's nothing stopping a malware program from using some of the same code that is used/will be used in a good program. Malware can use the same installers, packers, encryptors, and even the same subroutines as "good" programs. It is impossible to have a false positive check that includes every good program. And, even if they could all be included, it would take too long to verify a signature--if you could get all that hardware working together nicely. Each AV company tries to get a balance, which includes hardware, software, time, and budget. Most certainly Clam could do better with a bigger budget, more personnel, and/or more equipment.


GuitarBob, I'm not talking about Windows programs! I'm talking about Windows itself! About once a month, 22 ClamWin installations across my Windows XP SP3 fleet all cough up false positives. These files are almost always Microsoft Windows system files (usually .exe and .dll) within C:\Windows\System32\. Every few months my patience wears thin and I post to this thread again.

So why can't the ClamAV signature-database maintainers add vanilla Windows XP, Vista, and 7 installations to their test bench (or at least a few hundred megabytes of .exe files from System32)? It seems that this little bit of effort would save us ClamWin users a ton of time! And then, perhaps, we could finally switch our computers from "Report only" back to "Move to quarantine".
lordpake
I can imagine one reason is Windows desktop users are not their core target audience.

This, along with probable prioritization of available resources, is a likely scenario. :)


I hope you don't use ClamWin as primary AV?
And again
voidxor
And yet again...

Code:
Scan Started Sun Feb 28 07:50:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 18 processes - 274 modules ***
 *** Computer Memory Scan Completed ***

C:\WINDOWS\notepad.exe: Trojan.Agent-142482 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Agent-142482 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Agent-142482 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 723717
Engine version: 0.95.3
Scanned directories: 3540
Scanned files: 23934
Infected files: 3
Data scanned: 7577.72 MB
Data read: 4807.71 MB (ratio 1.58:1)
Time: 4016.656 sec (66 m 56 s)
And again...
voidxor
And again...
Code:
Scan Started Tue Mar 30 07:50:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 18 processes - 274 modules ***
 *** Computer Memory Scan Completed ***

C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\unregmp2.exe: Trojan.Agent-148484 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 749679
Engine version: 0.95.3
Scanned directories: 3564
Scanned files: 24222
Infected files: 1
Data scanned: 7561.65 MB
Data read: 4838.22 MB (ratio 1.56:1)
Time: 4147.719 sec (69 m 7 s)


I've got to ask: what's the point of having a Windows client (ClamWin) and scanning the whole C: drive when every month some innocent Microsoft file in C:\Windows\ is accused of being a trojan? Kudos to alch and the other ClamWin developers for their work, but it seems the biggest hindrance to the ClamWin project is the apathy of the ClamAV database maintainers toward the Windows platform.
GuitarBob
There is no perfect antivirus program. They all have false positives. Bitdefender had a real bad false positive last week.

I understand ClamWin is working on a fix for false positives in the Windows directory.

The Clam sigmakers are not apathetic to false positives. Most of the viruses for which they get signatures are Windows viruses, and the signatures are checked for false positives against a "farm" of "good" files. However, the farm does not/could not have every version of every file in use. Furthermore, many viruses use some of the same code/routines as "good" files--installers, encryptors, decryptors, etc. Oftentimes, Clam cannot unpack/unobfuscate a virus file, and the sigmakers have to make sure it is "evil" and then get a hex signature based on the file characteristics. If a commonly-used installer/etc. happens to be included in the characteristics used, the signature may be similar to the signature of some good file. If that good file is not in the false positive "farm" files, there may be a false positive.

Regards,
And again the day after...
voidxor
GuitarBob, thanks for actually acknowledging the problem instead of just coming up with excuses for why the situation cannot be addressed. This is the first I've heard a solution is in the works. Awesome! When I submit a false positive to http://cgi.clamav.net/sendvirus.cgi, is my submitted file added to ClamAV's false positive farm?

In other news, I got another cluster of false positive reports today, this time with iexplore.exe:
Code:
Scan Started Wed Mar 31 08:25:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 20 processes - 334 modules ***
 *** Computer Memory Scan Completed ***

C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\WINDOWS\ie7\iexplore.exe: Trojan.Poison-1380 FOUND
C:\WINDOWS\ServicePackFiles\i386\unregmp2.exe: Trojan.Agent-148484 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 750869
Engine version: 0.95.1
Scanned directories: 3750
Scanned files: 35164
Infected files: 2
Data scanned: 7856.74 MB
Data read: 5141.63 MB (ratio 1.53:1)
Time: 5316.656 sec (88 m 36 s)

GuitarBob
Did you verify the false positives with another source--like Jotti, Virus Total, Threat Expert, or Anubis? Submit them to Clam if you did verify them.

False positive files are processed either by dropping the original signature or by whitelisting the false positive file in Clam's signature database. The original signature is dropped if it was just wrong. If the original signature was good and catches malware, it can't be dropped, so the false positive file is whitelisted in Clam's signature database.

Regards,
Of course...
voidxor
GuitarBob wrote:
Did you verify the false positives with another source--like Jotti, Virus Total, Threat Expert, or Anubis? Submit them to Clam if you did verify them.


Yes, I use VirusTotal every time. If it's a false positive (98% of the time it is), I follow up by submitting it to Clam. Sorry, I thought I implied that when I said,

voidxor wrote:
When I submit a false positive to http://cgi.clamav.net/sendvirus.cgi, is my submitted file added to ClamAV's false positive farm?


I will often post my scan report here after submitting a false positive to Clam, just to make a point about how frequently I wake up to a slew of false positive scan reports in my inbox.
GuitarBob
ClamWin version .96 will have protection for false positives of Microsoft files that are digitally signed. Such false positives will be excluded from quarantine. There will be a note on the scan report that there is a false positive; however, users should still send the file to Clam so they can correct the false positive. This is a feature that has long been needed.

Regards,
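The behaviour GuitarBob describes for .96 (keep a hit on a digitally signed Microsoft file out of quarantine, but still report it) can also be approximated on the receiving side of the emailed reports this thread is full of. The Python below is an added example, not ClamWin's or ClamAV's own code: it parses a report in the layout posted above, separates real detections from "Permission denied" noise, cross-checks the summary count, and marks hits under protected Windows directories as "hold-for-verification" rather than "quarantine" so they go through VirusTotal and a submission to Clam first. The sample report, the PROTECTED_ROOTS list and the action names are constructed assumptions; the actual publisher-signature check (for instance Get-AuthenticodeSignature on the host) is outside this snippet.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the reports posted in this thread
# (paths and detection names are illustrative, not from any real scan).
SAMPLE_REPORT = r"""Scan Started Wed Mar 31 08:25:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***

 *** Scanned 20 processes - 334 modules ***
 *** Computer Memory Scan Completed ***

C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\WINDOWS\ie7\iexplore.exe: Trojan.Poison-1380 FOUND
C:\WINDOWS\ServicePackFiles\i386\unregmp2.exe: Trojan.Agent-148484 FOUND
C:\Documents and Settings\user\My Documents\setup_tool.exe: Trojan.Agent-148484 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 750869
Engine version: 0.95.1
Infected files: 3
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): (?P<err>Permission denied|Access denied)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")

# Directories where a hit on a stock file is most often a false positive and
# must be verified (publisher signature, VirusTotal, submission to Clam) before
# anything is moved. Assumption: scope chosen for a Windows XP-era fleet.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_report(text):
    """Split a ClamWin report into detections, access errors and the summary table."""
    report = {"detections": [], "errors": [], "summary": {}}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                report["summary"][m["key"]] = m["val"]
            continue
        m = FOUND_RE.match(line)
        if m:
            report["detections"].append((m["path"], m["sig"]))
            continue
        m = ERROR_RE.match(line)
        if m:
            report["errors"].append((m["path"], m["err"]))
    return report


def triage(report):
    """Decide per detection whether to quarantine or hold for verification."""
    actions = []
    for path, sig in report["detections"]:
        protected = path.lower().startswith(PROTECTED_ROOTS)
        actions.append({
            "path": path,
            "signature": sig,
            "action": "hold-for-verification" if protected else "quarantine",
        })
    return actions


def by_signature(report):
    """Group hit paths by signature name: one bad signature usually fires fleet-wide."""
    groups = defaultdict(list)
    for path, sig in report["detections"]:
        groups[sig].append(path)
    return dict(groups)


def consistent(report):
    """Cross-check the summary's 'Infected files' count against the FOUND lines parsed."""
    return int(report["summary"].get("Infected files", -1)) == len(report["detections"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("engine:", rep["summary"].get("Engine version"), "consistent:", consistent(rep))
    for a in triage(rep):
        print(f"{a['action']:<22} {a['signature']:<24} {a['path']}")
    for sig, paths in by_signature(rep).items():
        print(f"{sig}: {len(paths)} file(s)")
```

Running it over the constructed report holds both C:\WINDOWS hits back and quarantines only the user-profile file; the per-signature grouping is what tells you that a single signature is behind a batch of reports, which is the case to submit to Clam.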
AND AGAIN!
voidxor
GuitarBob wrote:
ClamWin version .96 will have protection for false positives of Microsoft files that are digitally signed. Such false positives will be excluded from quarantine. There will be a note on the scan report that there is a false positive; however, users should still send the file to Clam so they can correct the false positive. This is a feature that has long been needed.


I can't tell you how thrilled I am to hear that! It sounds like somebody is finally addressing the problem! In the meantime, I got my third dose of false positives within one week:

Code:
Scan Started Sun Apr 04 08:10:00 2010
-------------------------------------------------------------------------------

 *** Scanning Programs in Computer Memory ***
 *** Memory Scan: using ToolHelp ***


 *** Scanned 21 processes - 374 modules ***
 *** Computer Memory Scan Completed ***

C:\WINDOWS\Driver Cache\i386\sp2.cab: Trojan.Rootkit-2660 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 753703
Engine version: 0.95.3
Scanned directories: 5884
Scanned files: 30355
Infected files: 1
Data scanned: 9905.68 MB
Data read: 6849.44 MB (ratio 1.45:1)
Time: 3189.750 sec (53 m 9 s)


Have I made my point yet about how frequently I have to chase false positives!?
GuitarBob
The sig appears good in this case--it has caught about 100 viruses submitted to Clam. The problem is that the virus writer is using the same install code that other software uses. There is nothing stopping them from doing that, and as I have mentioned lots in these forums, Clam does not have every version of every legitimate Windows program on its false positive farm.

This particular signature will probably be fixed by "whitelisting" any false positive files, so please submit them. If the sig is dropped, it will be fixed for good, as Clam makes note of this particular type of signature.

Regards,
Longer signatures
voidxor
This is probably a dumb question, but why not make the signatures longer so that the viruses are more uniquely identified and fewer false positives persecuted? Is having the signature database be as small as possible worth three false positives a week!?
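To see why signature length trades off against false positives the way GuitarBob describes (a signature built over shared installer code fires on good files too, and the fix is either dropping the signature or whitelisting the good file), here is an added Python example that is not ClamAV's code. Two constructed toy "files" share an installer stub; a short hex signature over the stub alone hits both, a longer one that extends into the malicious body hits only the malware, and a hash whitelist suppresses the remaining false positive without dropping the signature. The signature line layout Name:TargetType:Offset:Hex follows ClamAV's .ndb format as I understand it (1 = PE, '*' = any offset); the names, bytes, and the hash-keyed whitelist are assumptions made for this example.

```python
import hashlib

# Constructed toy inputs: both "files" begin with the same installer stub,
# standing in for the shared install code GuitarBob describes.
SHARED_STUB = b"MZ\x90\x00" + b"INSTALLER-STUB-v1;" * 2
MALWARE_FILE = SHARED_STUB + b"\x00" * 8 + b"EVIL-DROPPER-PAYLOAD"
GOOD_FILE = SHARED_STUB + b"\x00" * 8 + b"GOOD-APP-MAIN-ROUTINE"
FILES = {"dropper.exe": MALWARE_FILE, "goodapp.exe": GOOD_FILE}

# Signature lines in .ndb-style layout (Name:TargetType:Offset:HexString),
# assumption: 1 = PE target, '*' = match anywhere. Names and bytes are constructed.
SHORT_SIG = "Trojan.Agent-TOY:1:*:" + SHARED_STUB[:24].hex()            # stub bytes only
LONG_SIG = "Trojan.Agent-TOY:1:*:" + (SHARED_STUB + b"\x00" * 8 + b"EVIL").hex()  # reaches into the body


def parse_ndb(line):
    """Parse one Name:TargetType:Offset:Hex line into a signature record."""
    name, target, offset, hexsig = line.strip().split(":")
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}


def sig_matches(sig, data):
    """'*' means the pattern may appear anywhere; a number means an absolute offset."""
    if sig["offset"] == "*":
        return sig["pattern"] in data
    off = int(sig["offset"])
    return data[off:off + len(sig["pattern"])] == sig["pattern"]


def file_hash(data):
    """Hash used to key the whitelist (assumption: any stable file hash will do here)."""
    return hashlib.sha256(data).hexdigest()


def scan(sig_lines, files, whitelist=frozenset()):
    """Return {filename: [signature names]} for every file that is not whitelisted."""
    sigs = [parse_ndb(line) for line in sig_lines]
    hits = {}
    for fname, data in files.items():
        if file_hash(data) in whitelist:      # known-good file: skip it entirely
            continue
        names = [s["name"] for s in sigs if sig_matches(s, data)]
        if names:
            hits[fname] = names
    return hits


if __name__ == "__main__":
    print("short signature:", scan([SHORT_SIG], FILES))          # hits both files
    print("long signature: ", scan([LONG_SIG], FILES))           # hits only the dropper
    print("short + whitelist:", scan([SHORT_SIG], FILES, {file_hash(GOOD_FILE)}))
```

The short signature matches bytes that both files share, so the good program is flagged; the longer one needs bytes only the malware has. The whitelist shows the other fix from GuitarBob's post: the signature keeps catching the dropper while the specific good file is exempted, which is also why the whitelist only helps for the exact file versions that were submitted.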
False positives becoming routine around here