ClamWin Free Antivirus
Support and Discussion Forums
Still quarantining chrome.dll
WingNut


Joined: 19 Apr 2012
Posts: 1
I have updated my application and updated the virus DB, and I am still getting false positive hits on chrome.dll. Is there a hotfix or exception list I can add chrome.dll to in order to prevent this?

Also, on another note, I've started having some FLV files (downloads from YouTube) be detected as infected. Strange stuff lately...
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
It's a good idea to check all files with Jotti or Virus Total before you run them. You can exclude directories or files from ClamWin scans in the Filters tab, exclude matching filenames. Check the Help file for more info.

Regards,
swerenfl


Joined: 16 Jan 2012
Posts: 4
Location: Schaumburg, IL
alch wrote:
fixed in a latest db update


These false positives are popping up again. Is there a way to ignore these files while the virus definitions get updated? I freak out when I see the ***VIRUS DETECTED*** email every morning.
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Go to the ClamWin configurations menu via right click on the system tray icon. From the menu, select Configure ClamWin, filters, double click the New Items box between Alphabetical and X, insert the filename.extension or the entire listing from your directory, double click the New Items box again for another file or OK to quit.

This will exclude the filename and extension from ClamWin scheduled scans. A scan of the individual file will still detect a virus however.

Regards,
CHROME FALSE POSITIVE
johnp


Joined: 04 May 2012
Posts: 1
To report that a fresh download of 0.97.4 with a fresh Chrome install 18.0.1025.168 still gives a false positive for chrome.dll - W32.Virut.Gen.D-148 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Report the false positive to Clam AV at http://www.clamav.net/lang/en/sendvirus/ on the web. Be sure to select the false positive option. Clam AV should either whitelist the file or fix their signature within a few days. In the meantime, you can whitelist the file in ClamWin's filters as described above.

Regards,
Tried to report
dmespelt


Joined: 07 Nov 2011
Posts: 7
I tried to report the false positive of chrome but was told "This file is not detected by ClamAV. Please update your cvd before reporting..."
Everything is up to date however.

Every morning I get five or six emails from the same machines because of "\Google\Chrome\Application\18.0.1025.162\chrome.dll: W32.Virut.Gen.D-148 FOUND"

I've added an exclusion to the directory and even the specific file... yet every morning I get more email.

Any ideas?
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Have you verified the file is really clean by scanning it with the Jotti or Virus Total online scanning services? Also, have you updated to the latest version of ClamWin (V.97.4), and are your signatures current? Are the detections always on the same machines? What about scanning the same file on another undetected machine?

Regards,
dmespelt


Joined: 07 Nov 2011
Posts: 7
It's too big for Jotti or Virus Total. I had Norton's online checker look over the whole hard drive and it said I was fine. I then told Clam to check the chrome.dll file and it didn't like it. I'm running ClamWin v.97.4 and Clam Sentinel 1.19 (both latest) and have updated my defs. Detections are on the same five machines, but a couple of them, once I added the file to the exclusion filter, actually stopped sending emails. On the others I've added the complete path and file name, path and *, path and *.* - I still get emails.

I copied the file to another machine that didn't have Chrome installed and told Clam to scan and it doesn't like the file either.

Hmmm.....
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Send email to luca at clamav dot net and ask for instructions on submitting a file that is too large for the Clam submission interface.

There have been some false positives lately on Chrome after the recent security patches, which turn it into a brand new file. So Clam's past whitelisting does not help. They will need the new file.

Regards,
dmespelt


Joined: 07 Nov 2011
Posts: 7
Sent the email and file. He said the file is not detected by ClamAV so he can't do anything about it.

If it is unchecked then why do I get a dozen emails each morning from Clam saying it's a virus?
Why can't I exclude it?

Any ideas?
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
Once in a while, there may be a ClamWin detection that is not detected by Clam AV or vice-versa. The reason is usually because the user has an old version of ClamWin. Since you are using ClamWin version .97.4, that is not the problem here. Is this a ClamWin detection (infected file) or a Clam Sentinel detection (suspicious file)? Clam AV can do nothing for you if it is a suspicious file--the only way to fix that is by whitelisting the file in Clam Sentinel's advanced settings, paths or files not scanned. Sentinel has its own heuristic monitor for suspicious file detection, and it will detect some clean .dll files as suspicious and quarantine them. If this is the case, Google may rebuild the file as needed, so go the whitelist route in Clam Sentinel.

Additionally, I saw some internal Clam AV email re: the Google false positives. They said that Clam AV is looking into it.

Regards,
dmespelt


Joined: 07 Nov 2011
Posts: 7
Being new to the Clam environment I was unaware that Sentinel had an exclusion area. I will try that on Monday. Thank you VERY much GuitarBob.

Great advice indeed! I thought that ClamWin did all the work and didn't give Sentinel enough credit.

I will post how it goes on Tuesday. Monday I'll set the exclusion on Sentinel and delete a few dozen emails from over the weekend.

Thanks again,
- Don

p.s. - The Clam family has saved our school district a ton of money. Thanks!
GuitarBob


Joined: 09 Jul 2006
Posts: 4867
Location: USA
I'm glad Clam and related programs have helped you, Don. Clam AV, ClamWin, and Clam Sentinel are all small efforts compared to the strictly commercial AV programs. Clam does not have a large number of people preparing virus signatures, so its signature database is not a large one, although it does have over a million virus signatures. Keep it updated often, and run an occasional scan on your Windows machines with Malwarebytes Free (general malware) and Kaspersky's TDSSKiller (antirootkit) for extra protection.

Thanks for using the products.

Regards,
hakre


Joined: 22 Feb 2008
Posts: 4
My ClamWin is reporting:

Code:

18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND


as well. I have not yet had the time to look into this (probably it's related to the earlier problem), so this is just to have it documented.

Also, that file is normally too large for some online meta virus scanners; http://www.metascan-online.com/ allows up to 40 MB, but sometimes their site does not work (and it requires JavaScript, which I feel is counter-productive in a sensitive area).

Results: http://www.metascan-online.com/results/nsz64xg64br5850iu0fn1rwbkiinset0/cached

md5: c7d202b4da7c4bf77e9d2d85c0bfcfd3 *chrome.dll
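Added example, not part of the thread and not a ClamWin or Clam Sentinel feature: the filename filters discussed above skip any file with that name, and the posts note that a patched chrome.dll is a brand new file. This sketch triages the `... FOUND` lines of a scan report by content hash instead, so only the exact build an admin has verified is suppressed; the function names, the SHA-256 choice and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# ClamAV-style report line: "<path>: <signature> FOUND". The greedy path group
# keeps the colon of a Windows drive letter (C:\...) inside the path.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

def sha256_of(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-megabyte DLL is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(report_lines, acknowledged):
    """Return (suppressed, review) lists of (path, signature, sha256).
    acknowledged holds (signature, sha256) pairs an admin has verified clean.
    A rebuilt or tampered file has a new hash, so it is reported again.
    """
    suppressed, review = [], []
    for line in report_lines:
        m = FOUND_RE.match(line)
        if not m:
            continue  # "OK" lines, summary text, blank lines
        try:
            digest = sha256_of(m["path"])
        except OSError:
            digest = None  # missing or quarantined file: never suppress
        hit = (m["path"], m["sig"], digest)
        (suppressed if (m["sig"], digest) in acknowledged else review).append(hit)
    return suppressed, review

def demo():
    """Constructed sample: two builds of chrome.dll hit by the same signature."""
    root = tempfile.mkdtemp()
    sig = "W32.Virut.Gen.D-148"
    paths = []
    for build, data in (("build_a", b"constructed A"), ("build_b", b"constructed B")):
        os.makedirs(os.path.join(root, build))
        paths.append(os.path.join(root, build, "chrome.dll"))
        with open(paths[-1], "wb") as f:
            f.write(data)
    acknowledged = {(sig, sha256_of(paths[0]))}  # only build A was verified
    report = [f"{p}: {sig} FOUND" for p in paths] + [f"{root}: OK"]
    return triage(report, acknowledged)
```

In `demo()` the verified build is suppressed and the second build, which has the same name and the same signature hit but different content, stays on the review list.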