ClamWin Free Antivirus
Support and Discussion Forums
BC.Exploit.CVE_2011_3412
user_clamwinner


Joined: 19 Dec 2011
Posts: 7
ClamWin scanner (ver. 0.97.2) has removed a lot of "friendly" Microsoft Excel files (*.xls)!!! Among them were many important files, reports on the work! What should I do? Are you going to produce the correct update, which will not delete the *.xls files?
gbaker3


Joined: 19 Dec 2011
Posts: 1
I have had the same problem beginning with a scan started Sun Dec 18 0200 (-5 GMT). I am receiving all kinds of false positives for files with Microsoft Office file extensions. It is detecting BC.Exploit.CVE_2011_3412. I know these files are not infected since we have had some of them for years without issue.
user_clamwinner


Joined: 19 Dec 2011
Posts: 7
gbaker3 wrote:
I have had the same problem beginning with a scan started Sun Dec 18 0200 (-5 GMT). I am receiving all kinds of false positives for files with Microsoft Office file extensions. It is detecting BC.Exploit.CVE_2011_3412. I know these files are not infected since we have had some of them for years without issue.

Yes! Many of the files are a few years old, and the users' settings were on "Remove" - the scanner removed the necessary documents from many years of work! Will there be a critical update with the corrected database?
GuitarBob


Joined: 09 Jul 2006
Posts: 4766
Location: USA
There was a false positive on some Clam AV bytecode signatures yesterday. Clam AV is aware of it and it should be corrected soon.

I hope you had ClamWin set to quarantine and not to remove. Can you exclude .doc and .xls files from ClamWin detection and then use the ClamWin restore program to get the files back out of quarantine?

Regards,
user_clamwinner


Joined: 19 Dec 2011
Posts: 7
GuitarBob wrote:
There was a false positive on some Clam AV bytecode signatures yesterday. Clam AV is aware of it and it should be corrected soon.

I hope you had ClamWin set to quarantine and not to remove. Can you exclude .doc and .xls files from ClamWin detection and then use the ClamWin restore program to get the files back out of quarantine?

In the settings I found "Remove"! Can you recover the lost files?
GuitarBob


Joined: 09 Jul 2006
Posts: 4766
Location: USA
No files can be recovered if you have used the Remove option for infected files. That is why it is not a recommended option.

I guess there may be a chance you could recover something by using an "undelete" type program--look at the ClamWin quarantine directory via the program and see if anything is there to recover.

If a file is important to you, backup, backup, backup.

Regards,
ljr0


Joined: 04 Feb 2012
Posts: 1
Location: California, USA
This is back. I have several xls files showing this virus which I believe is still a false positive.
GuitarBob


Joined: 09 Jul 2006
Posts: 4766
Location: USA
Yes. Clam AV furnishes the scan engine and signature database used by ClamWin. Each sigmaker at Clam is responsible for correcting his own false positive detections. They may not work every day, so it may take several days. The bytecode signatures take quite a bit of time to prepare. Report false positives (and undetected viruses) to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web. For false positives, change the submission type on the submission form from "virus" to "false positive."

Report the false positive(s) if you have not yet done so. In the meantime, please keep ClamWin set to Quarantine infected files. You should also consider configuring ClamWin's filters configuration option to exclude from scanning those filename extensions that are falsely detected. Then you can restore them from quarantine using ClamWin's Quarantine Browser. After 2/3 days, remove them from the ClamWin filters and see if the signature has been corrected.

Regards,
user_clamwinner


Joined: 19 Dec 2011
Posts: 7
For a week the false activity has not been corrected. When will ClamWin get the corrected database update?
GuitarBob


Joined: 09 Jul 2006
Posts: 4766
Location: USA
Soon, I hope. I just sent an email to the Clam AV team.

Regards,
BC.Exploit.CVE_2012_0184-1
norbert


Joined: 18 May 2012
Posts: 1
Location: massachusetts
This is the message I received from a scan yesterday. Should I consider this a false positive? Or if not, what should I do?

C:\Windows\Installer\7223a.msi: BC.Exploit.CVE_2012_0184-1 FOUND
C:\Windows\Installer\a64e28.msi: BC.Exploit.CVE_2012_0184-1 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 4766
Location: USA
Scan the file(s) with ClamWin today and see if there is still a detection for them. If there is, upload the files (one at a time) to Jotti or Virus Total, where you can scan them with multiple AVs, including the Clam AV engine used by ClamWin. If no other AVs (or only a couple of other AVs) see an infection, it is probably a false positive, so you should upload the file to Clam AV so they can correct their signature. If a file is too large to upload, send an email to luca at clamav dot net for instructions.

If you have used a file for a good length of time (say longer than a month), and the file has not changed, it is probably a false positive.

Regards,
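
The rule of thumb from the reply above (a file that has gone unchanged for more than a month is probably a false positive), applied to scan-log lines in the "path: Signature FOUND" format quoted in this thread. This is an added example, not part of the original posts and not ClamWin's or Clam AV's own code; the sample paths, the modification times, the 30-day cutoff and the `min_files` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "path: Signature FOUND" format quoted in the thread.
SAMPLE_LOG = r"""
C:\Reports\2009\q3.xls: BC.Exploit.CVE_2011_3412 FOUND
C:\Reports\2010\budget.xls: BC.Exploit.CVE_2011_3412 FOUND
C:\Reports\2011\plan.doc: BC.Exploit.CVE_2011_3412 FOUND
C:\Users\a\Downloads\invoice.xls: BC.Exploit.CVE_2011_3412 FOUND
C:\Reports\readme.txt: OK
"""
# Constructed last-modified times; on a real host use os.path.getmtime instead.
SAMPLE_MTIMES = {
    r"C:\Reports\2009\q3.xls": datetime(2009, 10, 1),
    r"C:\Reports\2010\budget.xls": datetime(2010, 3, 15),
    r"C:\Reports\2011\plan.doc": datetime(2011, 6, 1),
    r"C:\Users\a\Downloads\invoice.xls": datetime(2011, 12, 16),
}
LINE_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_detections(log_text):
    """Return (path, signature) pairs for every FOUND line; OK lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(log_text, scan_time, mtime_of, min_age=timedelta(days=30)):
    """Group hits by signature; split by whether the file is unchanged for > min_age."""
    report = defaultdict(lambda: {"unchanged": [], "recent": []})
    for path, sig in parse_detections(log_text):
        bucket = "unchanged" if scan_time - mtime_of(path) > min_age else "recent"
        report[sig][bucket].append(path)
    return dict(report)

def suspect_signatures(report, min_files=3):
    """Signatures that hit many long-unchanged files: report these as false positives."""
    return sorted(s for s, b in report.items() if len(b["unchanged"]) >= min_files)

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, datetime(2011, 12, 18, 2, 0), SAMPLE_MTIMES.__getitem__)
    for sig in suspect_signatures(rep):
        print(sig, "probable false positive on", len(rep[sig]["unchanged"]), "files")
    for sig, b in rep.items():
        for path in b["recent"]:
            print("second opinion needed:", path, sig)
```

Files in the "recent" bucket are the ones to check with a multi-engine scanner before restoring them from quarantine.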