False positives?
MOONCRICKET


Joined: 10 Apr 2012
Posts: 1
My scan with ClamWin came up with the following viruses:

C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\chrome.exe: Trojan.Swrort-154 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\old_chrome.exe: Trojan.Swrort-154 FOUND
C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND

I did a follow up scan with the following:
Avast
AVG
Panda
Bitdefender

...all of them came up clean. Does this mean my results are false positives?
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
I know of some recent Virut.Gen false positives, and they have just been fixed by Clam AV. Try another scan in an hour or so, and if you get any more false detections, submit them to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web. Submit one for each new detection. You can zip submissions. If your submission is too large to submit, contact luca at clamav dot net for instructions.

Regards,
hakre


Joined: 22 Feb 2008
Posts: 4
When I scan system memory I get the following report:

C:\Dokumente und Einstellungen\USERNAME\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\18.0.1025.152\chrome.dll: W32.Virut.Gen.D-148 FOUND

When I locate that file on disk and do a manual scan with ClamWin, it's clean. I've been testing this for days, so there have been ClamWin signature updates as well as reboots.

Is there a way to dump the image from memory so as to submit it? (I post it in this forum because it's related to the filename and the virus name.)
swerenfl


Joined: 16 Jan 2012
Posts: 4
Location: Schaumburg, IL
I get the same results. Any luck on a solution?


C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.152\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.152\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
virus scanner
dariusrickard


Joined: 12 Apr 2012
Posts: 1
I encountered the same problem too.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1755
Fixed in the latest db update.
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
A lot of the false positives at Clam AV involve the Virut generic detections. Each sigmaker is generally responsible for correcting false positives detected by one of his signatures. Clam AV has only one full-time sigmaker, so it may take a few days sometimes before the sigmaker is available to work on a false positive.

Regards,
hakre


Joined: 22 Feb 2008
Posts: 4
Reported using the online form. I also ran it against Metascan online (http://www.metascan-online.com/results/p3l0mkocxib270zwkgth1utp1nz0owvd), but no results are visible there so far. It worked successfully some days ago.
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
Submissions scanned on Virus Total and Jotti are sent to Clam AV if it does not detect the virus. I have also seen some false positives from VirusTotal/Jotti that were sent to Clam, but I am not sure what happens if a few other AVs also detect a false positive. Just to be sure, send all false positives to Clam after scanning with VirusTotal/Jotti--it might increase the importance.

Regards,
DFR13


Joined: 15 Apr 2012
Posts: 2
Location: USA
I am having the same (false positive?) reports and more. Is there (could there be added) a current list of known/suspected false positives for the past week or so involving programs like Chrome, Adobe Reader, etc.? Am I asking for too much? I have had the above virus report for Chrome 18.0.1025.152 and again (W32.Virut.Gen.D-148) when I updated to Chrome x.162. I also received a positive for Adobe Reader 10.12 and 10.13 (specifically the same file, Data1.cab) of the Trojan.Decay-1.
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
Every time there is an update/patch to widely-used software, there is a possibility the software will trigger one of the Clam AV generic signatures--simply because that version of the program did not exist at the time the Clam signature was prepared and checked on its false positive "farm." It is impossible for Clam to have all applications that presently exist and all applications that will exist on the "farm." So it is up to us users to report false positives when we can. One way to look at it is that the Clam AV engine is doing its job.

Perhaps the ClamWin developers could do something about false positives via the QRecover quarantine browser that now prevents the quarantine of some Microsoft/Windows false positives.

Regards,
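Added example (not from this thread or the ClamWin project): a small Python triage script for the "path: signature FOUND" report lines posted above. It groups hits by signature, flags generic (.Gen) signatures that fire on several versions of the same file, and marks a signature as a suspected false positive only when every hit file was also reported clean by the second-opinion scanners. The report lines and the second-opinion verdicts are constructed sample data, not real scan results.

```python
import re
from collections import defaultdict

# Constructed sample in ClamWin's "path: signature FOUND" report format (paths made up).
SAMPLE_REPORT = r"""
C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.152\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\chrome.exe: Trojan.Swrort-154 FOUND
C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND
"""

# Constructed second-opinion verdicts (other scanners): True means the file was reported clean.
SAMPLE_SECOND_OPINION = {
    r"C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll": True,
    r"C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.152\chrome.dll": True,
    r"C:\Users\mary\AppData\Local\Google\Chrome\Application\chrome.exe": True,
    r"C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe": False,
}

# The separator between path and signature is the last ": " on the line (greedy .+ finds it).
LINE_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Return a list of (path, signature) pairs from the FOUND lines of a report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(hits, second_opinion):
    """Group hits by signature; label 'suspected false positive' when the signature looks
    generic (.Gen, a heuristic) and all its files were reported clean by the second opinion."""
    by_sig = defaultdict(list)
    for path, sig in hits:
        by_sig[sig].append(path)
    result = {}
    for sig, paths in by_sig.items():
        base_names = {p.replace("\\", "/").rsplit("/", 1)[-1].lower() for p in paths}
        generic = ".gen" in sig.lower()
        all_clean_elsewhere = all(second_opinion.get(p, False) for p in paths)
        result[sig] = {
            "paths": paths,
            "generic": generic,
            "same_name_multiple_versions": len(paths) > len(base_names),
            "status": "suspected false positive" if generic and all_clean_elsewhere else "investigate",
        }
    return result
```

Anything left at "investigate" (here the Swrort hit and the CNET download wrapper) still needs a human decision; only the "suspected false positive" group is what you would submit through the Clam AV form.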
Re: False positives?
tizef


Joined: 24 Feb 2012
Posts: 60
Location: France
MOONCRICKET wrote:
C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND

Hi Mary, I'm afraid that one is not a false positive. Please take a look at this related thread on the "clamav-win32" mailing list.
May I suggest always downloading software from its official website?


Last edited by tizef on Sat Mar 23, 2013 8:35 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
CNet has distributed adware with some of its downloads in the past on Download.Com. See this thread on a forum at http://forums.cnet.com/7723-12543_102-345901/adware-on-download-com/ on the web. I hear about it most often with security software.

Make sure you check out any program (even an antivirus program!) with Jotti or Virus Total after you download it--before you run/install it. Keep in mind that antivirus programs do not all recognize adware as malicious, so you might see only a few detect adware in a file. Nod32 usually spots adware, in my experience, so you can use it as a guide. If an application comes with a toolbar, do not blindly click OK to it when installing. Sometimes the adware is optional, and in that case, most antivirus programs will not detect it because the user has the option.

Regards,
Re: False positives?
tizef


Joined: 24 Feb 2012
Posts: 60
Location: France
MOONCRICKET wrote:
C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND

BTW : ClamWin 0.97.4 has been released a week before you joined the forum ;-)


Last edited by tizef on Sat Mar 23, 2013 8:36 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
Each new version of ClamWin has some increased functionality that older versions do not have. If you are not using the latest version, there is a chance that a file could either be falsely detected in error or not detected in some cases. Upgrade to the latest ClamWin version, and try another scan.

Regards,
Page 1 of 3  