ClamWin Free Antivirus Support and Discussion Forums
false positive rejected by report system...
Oznola


Joined: 23 Jul 2011
Posts: 8
Location: Las Vegas, NV USA
Hi,

I am getting false positive reports for a couple of .dll files that VirusTotal says are safe.

So I tried to submit them to the ClamWin system as false positives. The report was rejected with this message...

Quote:
Result:
This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures.

Please correct the above errors and retry. Thank you for helping the ClamAV project.


So I updated the database and ran ClamWin again but got the same result from the scanner and the false positive report system.

So far as I know there are no third-party virus databases on my machine.

I want to use the ClamWin virus database.

HOWEVER, a few times when I have downloaded files I have encountered some paid virus scanner that comes with the download, such as McAfee or something, which I removed using the Vista control panel for removing programs.

Please advise.
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
One possibility:
Are you also using the Clam Sentinel program with ClamWin? If you are, then Clam Sentinel uses its own heuristic scanner to detect suspicious files that are not detected by ClamWin. Is your detection a "suspicious file" or an "infected file"? An infected file detection is a ClamWin detection, but a suspicious file detection is a Clam Sentinel detection. Clam AV cannot process false positive detections that are Clam Sentinel suspicious files. You will have to exclude these files from Clam Sentinel via Advanced Settings, Paths Or Files Not Scanned.

Another possibility:
Do you have ClamWin configured to detect PUA (Potentially Unwanted Applications)? If so, then remove the configuration to detect PUA. PUA detection is broken--it does not detect real viruses--it only detects files that are heavily packed or that contain virus-like tools. You do not need to be bothered by PUA detections. A real virus will not be a PUA detection.

Regards,
Oznola


Joined: 23 Jul 2011
Posts: 8
Location: Las Vegas, NV USA
Hi,

I never installed Clam Sentinel. I searched for it on my system using the Vista start menu search box and it was not found.

I have never set the option to detect PUA files. Also, I cannot find the PUA option on the "Configure ClamWin" control panel.

It is possible this PUA option is set, but I cannot find it to check.
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Hi Oznola,

Could you please copy and paste the scan report where these DLLs are detected?

Regards,
Lipper
Oznola


Joined: 23 Jul 2011
Posts: 8
Location: Las Vegas, NV USA
Indeed I can...

Quote:


----------- SCAN SUMMARY -----------

Known viruses: 1495821

Engine version: 0.97.6

Scanned directories: 32187

Scanned files: 135723

Infected files: 0



Total errors: 2

Data scanned: 28563.50 MB

Data read: 48133.00 MB (ratio 0.59:1)

Time: 10034.281 sec (167 m 14 s)



The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:

C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\AudioSes.dll: [Win.Trojan.Fakesmoke-21] FALSE POSITIVE FOUND

C:\Windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6000.16865_none_2dcbeeccc8adc633\aaclient.dll: [Win.Trojan.Agent-52863] FALSE POSITIVE FOUND

Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at http://www.clamav.net/sendvirus/

--------------------------------------

Completed

--------------------------------------
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Thank you. I, too, have received numerous detections such as these from ClamWin in recent weeks. However, ClamAV has never 'rejected' them when I submit them as false positives. But then, they haven't corrected the false positives either.

I'm actually not sure what's going on, but it would appear that ClamWin is glitching in some way. One file that I'm having an issue with is admparse.dll. When I scan the file at Virus Total (https://www.virustotal.com/file/08279d497f9fb22f82314b2ae537a1a9919597422504fd7fa285f1b18b84652e/analysis/), ClamAV does not detect it. When the same file is scanned at Metascan (https://www.metascan-online.com/en/scanresult/file/41286aa68d524d5fb041a52cf2e5e7cd), ClamWin detects it as Win.Trojan.Agent-38481.

Be patient, it is New Year's Eve and help may be slow to arrive. Be calm, I'm confident we're not infected. And Happy New Year to you!

Regards,
Lipper
Oznola


Joined: 23 Jul 2011
Posts: 8
Location: Las Vegas, NV USA
Roger that...
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Guys: I have noticed lots of Trojan false positive detections in the System 32 and Winsxs folders. I have reported them to Clam.

Clam is mostly preparing automated signatures now. The automated signatures might need a bit of "fine tuning," which I have mentioned to Clam.

Win.Trojan.Fakesmoke-21 was published 12-24-12. It is an MDB (main code section) signature that appears to be automated. Win.Trojan.Agent-52863 was published 12-22-12. It is also an MDB signature that appears to be automated. So they are both recently published, automated signatures. The MDB sigs are the ones that I think need some "fine tuning." It appears to me that if a malware file contains an installer, the automated MDB sigs will pick up the installer code and not the actual malware code. Anyone can use an installer--both malware authors and "good" authors.

I do not know why ClamWin would detect an infection that Clam AV does not detect--unless there is some divergence in the code. It may also be that, for some reason, the false positive submissions to Clam AV are not set up to use the new automated signatures. I will mention this to the Clam AV team.

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Quote:

Scan Started Sun Dec 30 22:53:59 2012

-------------------------------------------------------------------------------

WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\071E7292-68DB-4B85-AC15-142E12FE74FA.bin: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied

C:\Documents and Settings\Owner\My Documents\DoNotRemove\K-Meleon1.5.4\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND
C:\Documents and Settings\Owner\My Documents\DoNotRemove\K-Meleon1.5.4\tools\keith\keith.exe: Win.Trojan.Agent-67787 FOUND
C:\Documents and Settings\Owner\My Documents\Software\Comodo\CLT.rar: PUA.Logger.FRZ.173.UNOFFICIAL FOUND
C:\Documents and Settings\Owner\My Documents\Software\K-Meleon\keith.exe: Win.Trojan.Agent-67787 FOUND
C:\WINDOWS\Dell\NVidia\nvrd32.sys: WIN.Trojan.Agent-44393 FOUND
E:\My Docs\DoNotRemove\K-Meleon1.5.4\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND
E:\My Docs\DoNotRemove\K-Meleon1.5.4\tools\keith\keith.exe: Win.Trojan.Agent-67787 FOUND
E:\My Docs\Software\Comodo\CLT.rar: PUA.Logger.FRZ.173.UNOFFICIAL FOUND
E:\My Docs\Software\K-Meleon\keith.exe: Win.Trojan.Agent-67787 FOUND
E:\Universal BU\MyDocs\MyDocs\Software\K-Meleon\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND
F:\My Docs\DoNotRemove\K-Meleon1.5.4\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND
F:\My Docs\DoNotRemove\K-Meleon1.5.4\tools\keith\keith.exe: Win.Trojan.Agent-67787 FOUND
F:\My Docs\Software\Comodo\CLT.rar: PUA.Logger.FRZ.173.UNOFFICIAL FOUND
F:\My Docs\Software\K-Meleon\keith.exe: Win.Trojan.Agent-67787 FOUND
F:\Universal BU\MyDocs\MyDocs\Software\K-Meleon\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 1754690
Engine version: 0.97.6
Scanned directories: 6481
Scanned files: 50599
Infected files: 15
Data scanned: 27291.42 MB
Data read: 55929.66 MB (ratio 0.49:1)
Time: 7488.187 sec (124 m 48 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\Program Files\Outlook Express\setup50.exe: [Win.Trojan.Barys-43] FALSE POSITIVE FOUND
C:\WINDOWS\ie8\admparse.dll: [Win.Trojan.Agent-38481] FALSE POSITIVE FOUND
C:\WINDOWS\system32\d3d9.dll: [Win.Trojan.508183] FALSE POSITIVE FOUND
C:\WINDOWS\system32\dllcache\d3d9.dll: [Win.Trojan.508183] FALSE POSITIVE FOUND
C:\WINDOWS\system32\dllcache\setup50.exe: [Win.Trojan.Barys-43] FALSE POSITIVE FOUND
C:\WINDOWS\system32\dllcache\winlogon.exe: [Win.Trojan.Agent-30482] FALSE POSITIVE FOUND
C:\WINDOWS\system32\winlogon.exe: [Win.Trojan.Agent-30482] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at http://www.clamav.net/sendvirus/

--------------------------------------
Completed
--------------------------------------


The non Microsoft FPs have been corrected by ClamAV signature updates. winlogon.exe is detected by ClamAV so I have submitted it through the normal channel. admparse.dll above, and the two files listed below are not detected by ClamAV so cannot be submitted as FPs. Very strange.

d3d9.dll NOT DETECTED BY CLAMAV BUT DETECTED BY CLAMWIN
https://www.virustotal.com/file/f1abf07cc45f9c013b9f53e64820ecb12ac9b1e681b9a1703e30a0637e7d9bb6/analysis/
https://www.metascan-online.com/en/scanresult/file/df515187b717453fae89fec7df477e35

setup50.exe NOT DETECTED BY CLAMAV BUT DETECTED BY CLAMWIN
https://www.virustotal.com/file/3f2d885c2be50b1a1cf4d23204fc11141c8b74c749643e8281f9e65aefbb3c94/analysis/
https://www.metascan-online.com/en/scanresult/file/90964418ee7944ed886389768ca2e766
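As an added example (not code from this thread or from the ClamWin/ClamAV projects), here is a small Python triage script for report lines in the shape quoted above. It separates the lines ClamWin's own protection marks as FALSE POSITIVE FOUND from plain detections, and flags signatures ending in .UNOFFICIAL, which the ClamAV form rejects as third-party (per the rejection message at the top of the thread). The sample report lines and the signature name PUA.Example.Packed-1 are constructed for illustration.

```python
import re
from collections import Counter

# Line shapes as they appear in the ClamWin reports quoted in this thread.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?): (?:\[(?P<fp_sig>[^\]]+)\] FALSE POSITIVE FOUND|(?P<sig>\S+) FOUND)$"
)
WARNING_RE = re.compile(r"^WARNING: Can't open file (?P<path>.+): (?P<reason>.+)$")

# Constructed sample report (paths and the PUA.Example.* name are made up).
SAMPLE_REPORT = r"""
Scan Started Wed Jan 02 22:35:56 2013
WARNING: Can't open file C:\pagefile.sys: Permission denied
C:\Docs\Software\Comodo\CLT.rar: PUA.Logger.FRZ.173.UNOFFICIAL FOUND
C:\Docs\Software\K-Meleon\keith.exe: Win.Trojan.Agent-67787 FOUND
C:\Tools\packed.exe: PUA.Example.Packed-1 FOUND
C:\WINDOWS\ie8\admparse.dll: [Win.Trojan.Agent-38481] FALSE POSITIVE FOUND
C:\WINDOWS\system32\winlogon.exe: [Win.Trojan.Agent-30482] FALSE POSITIVE FOUND
Infected files: 5
"""

def classify_signature(sig):
    """Decide where a detection can be reported, from the signature name alone."""
    if sig.upper().endswith(".UNOFFICIAL"):
        return "unofficial"  # third-party database: ClamAV's FP form will reject it
    if sig.upper().startswith("PUA."):
        return "pua"         # Potentially Unwanted Application class, optional detection
    return "official"

def parse_report(text):
    """Split a ClamWin scan report into detections and unreadable-file warnings."""
    detections, warnings = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            sig = m.group("fp_sig") or m.group("sig")
            detections.append({
                "path": m.group("path"),
                "signature": sig,
                "kind": classify_signature(sig),
                # True when ClamWin's Microsoft-signed-file protection marked the line
                "fp_protected": m.group("fp_sig") is not None,
            })
            continue
        m = WARNING_RE.match(line)
        if m:
            warnings.append((m.group("path"), m.group("reason")))
    return {"detections": detections, "warnings": warnings}

def triage(report):
    """Group detections by how the thread says each kind should be handled."""
    out = {"submit_to_clamav": [], "contact_signature_author": [], "pua_review": []}
    for d in report["detections"]:
        if d["kind"] == "unofficial":
            out["contact_signature_author"].append(d)
        elif d["kind"] == "pua":
            out["pua_review"].append(d)
        else:
            out["submit_to_clamav"].append(d)
    return out

def signature_counts(report):
    """How many paths each signature hit; repeated hits point at one bad signature."""
    return Counter(d["signature"] for d in report["detections"])
```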
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
The latest scan of my system drive:

Quote:
Scan Started Wed Jan 02 22:35:56 2013
-------------------------------------------------------------------------------
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
C:\Documents and Settings\Owner\My Documents\DoNotRemove\K-Meleon1.5.4\kemNT-7.4.zip: Win.Trojan.Agent-67787 FOUND
C:\Documents and Settings\Owner\My Documents\DoNotRemove\K-Meleon1.5.4\tools\keith\keith.exe: Win.Trojan.Agent-67787 FOUND
C:\Documents and Settings\Owner\My Documents\Software\Dell\Done\R218148.exe: Win.Trojan.Agent-76705 FOUND
C:\Documents and Settings\Owner\My Documents\Software\K-Meleon\keith.exe: Win.Trojan.Agent-67787 FOUND
C:\Program Files\AVAST Software\Avast\Aavm4h.dll: Win.Trojan.Agent-79280 FOUND
C:\Program Files\AVAST Software\Avast\AavmRpch.dll: Win.Trojan.5193734 FOUND
C:\Program Files\AVAST Software\Avast\aswCmnIS.dll: Win.Trojan.4123558 FOUND
C:\Program Files\AVAST Software\Avast\aswProperty.dll: Win.Trojan.4769827 FOUND
C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll: Win.Trojan.Agent-79264 FOUND
C:\Program Files\AVAST Software\Avast\Setup\INF\aswFsBlk.sys: Win.Trojan.4043115 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1516435
Engine version: 0.97.6
Scanned directories: 4828
Scanned files: 31711
Infected files: 10
Data scanned: 16859.29 MB
Data read: 14244.41 MB (ratio 1.18:1)
Time: 4579.593 sec (76 m 19 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\Program Files\Outlook Express\setup50.exe: [Win.Trojan.Barys-43] FALSE POSITIVE FOUND
C:\WINDOWS\system32\dllcache\setup50.exe: [Win.Trojan.Barys-43] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at http://www.clamav.net/sendvirus/

--------------------------------------
Completed
--------------------------------------


detected by ClamWin but not by ClamAV

Aavm4h.dll
https://www.virustotal.com/file/1c3637fbe46d25cc54c31a07ff59f5753de083e8b780980ccc52245fdb108fe9/analysis/
https://www.metascan-online.com/en/scanresult/file/3b32e0600e274a88bbad49fb0f48b391

setup50.exe
https://www.virustotal.com/file/3f2d885c2be50b1a1cf4d23204fc11141c8b74c749643e8281f9e65aefbb3c94/analysis/1357242339/
https://www.metascan-online.com/en/scanresult/file/faade2cb9c864b418d2b9cd947e404eb

kemNT-7.4.zip
https://www.virustotal.com/file/db216f8d1e4cca7ccbda34a16a4cb8d5c79397b5ccd5b9fbe266f7844f3d3b5a/analysis/
Metascan has cut me off due to 5 files in archive during a certain time period. I don't like to use Jotti for a ClamWin scan because they have PUA enabled.


detected by ClamWin and ClamAV - will submit as FPs as permitted.

AavmRpch.dll
aswCmnIS.dll
aswProperty.dll
aswWebRepIE.dll
aswFsBlk.sys
R218148.exe
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I submitted some false positives in the System32 folder yesterday, and I will submit more from the Winsxs folder today. The Sourcefire people can not work on Clam all the time, but they told me they will correct the false positives as soon as possible. If Clam AV detects it, they will work it.

I don't know what to do about the false positives that are not detected by Clam. At present, make sure your ClamWin signature database is current and that you are using the current version .97.6 of ClamWin. I'm glad the ClamWin developers instituted that false positive protection! I thought it was only on digitally-signed Microsoft files, but I saw some false positives on unsigned files.

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Hello, Bob. Thank you for the information.

I'm wondering if perhaps Clam has found some issue though, because the file d3d9.dll I reported yesterday is no longer detected by ClamWin, and remains undetected by ClamAV:

https://www.virustotal.com/file/f1abf07cc45f9c013b9f53e64820ecb12ac9b1e681b9a1703e30a0637e7d9bb6/analysis/1357255678/
https://www.metascan-online.com/en/scanresult/file/be7e47ce4b03491389ea9e5e4d784ba4

My only theory at this point is a possible incompatibility between the older, handmade definitions (or the cumulative database) and the new automated ones. To test my theory, I've deleted the contents of the db folder of a ClamWin Portable installation on a flash drive, and rebuilt the database via a manual update. I'm scanning my system drive now and will report any positive conclusions.

As ever,
Lipper
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I found that file on my computer, got a hash and searched for it on the Clam AV submission. The file was given to Clam by Virus Total, but there was no detection on Virus Total by any AV, including Clam. ClamWin does not detect it on my computer. I suppose the false positive could have been fixed, but the submission I saw was not indicated as a false positive.

Alain Zidouemba at Sourcefire told me the false positives are not related to the automated signatures. I think he is right because we have had the automated sigs now since early December, and I have only seen this rash of false positives during the last week or so.

Usually when there is a detection by ClamWin and not by Clam AV, it is because a new version of Clam just came out with new functionality and ClamWin has not been upgraded yet. This can go either way--a file could be detected by one and not by the other. I do not think this is the case here--there has been no new version. There is a figure indicating functionality in the About ClamWin screen, by the main database number of signatures. It is currently set at 54. Now that I mention it, I may have seen some sigs recently that were something besides 54, and it would probably be set higher, never lower. I wonder if some of the Clam sigmakers could be making sigs with new functionality already--perhaps in anticipation of a new version. Or... perhaps some new code has already been incorporated at Clam. As I said, detection could go either way. There are several new sigmakers at Sourcefire that I noticed have done some sigs. There does seem to be some sort of pattern in the sigs--most of them seem to be Trojan.Agents.

In any case, ClamWin users are protected from a false quarantine, so let's see how it goes for a few more days. Let me know if you find anything.

I'm glad to see you posting again!

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Thanks again, Bob. Yes, I'll let you know if I find something.

As ever,
Lipper
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
I just did a scan of my C:\ drive without any false positives. I have been submitting several a day now for a while. It looks like the recent rash of falsies has been fixed.

Keep submitting those false positives and undetected viruses to Clam. They have also asked experienced users to prepare signatures and paste them in the comments section of the virus submission form. Clam will check the signatures and give the submitters credit in the email accompanying the signatures when published. Clam will worry about any false positives!

As you know, most of the Clam signatures are automated now--I hope it is a precursor to putting Clam AV (and maybe ClamWin) into the Cloud.

Regards,