ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
NB
cshorter


Joined: 17 May 2012
Posts: 1
Location: Atlanta, GA
Reply with quote
Note to self, write a virus into chrome.dll and post on forums.
View user's profileSend private message
Chrome no like
dmespelt


Joined: 07 Nov 2011
Posts: 7
Reply with quote
Well I've added the chrome files and directory to both sentinel and clam itself and I still get a dozen emails in the morning reporting it.

I've also had a machine that didn't have sentinel (oops) and it reported it as well

*sigh*
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
Reply with quote
Email luca at clamav dot net for instructions on uploading a file to Clam that is too large for the regular submission process.

Remember that if Clam Sentinel detects a "suspicious" file, Clam AV can do nothing about it. You should whitelist all false positive Sentinel suspicious detections in the Sentinel program, as they are heuristic detections by the Sentinel heuristic engine--not actual virus detections by the ClamWin Clam engine. The heuristic engine does not have signatures, so this is the only way to handle the Sentinel suspicious files that are false positives.

Regards,
View user's profileSend private message
ReclaiMe


Joined: 07 Jun 2012
Posts: 1
Reply with quote
Hello,

Looks like we getting ClamAV positive for any .NET application, reporting PUA.Win32.Packer.NetExecutable
See for example https://www.virustotal.com/file/0466895bd24a3b6ca1708471e790898478db665e72829ce325e5af2a887adc5e/analysis/1339064066/
which is pretty much a standard Microsoft Web Platform Installer module; however, VirusTotal produces a warning for seemingly any .NET application.

Further, the ClamAV false positive form says "do not report PUA.*". But, declaring any .NET application potentially unwanted looks like a bit overkill?

Can someone please clarify if it is the issue with ClamAV, a policy decision for ClamAV, or Virustotal just set up something incorrectly?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4872
Location: USA
Reply with quote
This is an overzealous use of the PUA for some packers. I have brought it to Clam's attention. There has been a recent signature update, so it may be fixed, but they may decide not to.

As you say, Clam has always said that since PUA detections are optional per the user, they do not adjust the PUA signatures. In my personal opinion, you do not need PUA detection, so I suggest that you turn it off. Many "good" web sites now use scripts (including javascript--packed and otherwise) that are detected by some PUA signatures. Many "good" programs now use packers that are detected by some some PUA signatures. Many users are confused by a PUA detection. Some AVs do not seem to even use PUA now--I do not see as many PUA detections from other AVs as I used to. So, I suggest you turn off PUA detection and confine your AV to the detection of actual viruses/malware.

Regards,
View user's profileSend private message
False positives?
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 3 of 3  

  
  
 Reply to topic