Persistent false positives
GlennD


Joined: 25 Mar 2013
Posts: 0
Hello,

I'm getting persistent false positive reports on 2 servers and a PC since 3rd of April. All have been submitted to Virus Total, and for all files only the ClamAV scanner reports a virus, which makes me assume these are false.

I've reported these as false positives when they popped up. It's been near a week, but the updated definitions still report these as viruses. Is there anything I can do besides whitelisting them?


Reported instances:
1:
C:\Program Files\Bonjour\mDNSResponder.exe: Win.Trojan.Agent-263533 FOUND
Unloading program C:\Program Files\Bonjour\mDNSResponder.exe from memory
C:\Program Files\3com\Connection Assistant\drivers\3C90x\Source\TDInstNT.exe: Win.Trojan.4112211 FOUND
C:\Program Files\Bonjour\mDNSResponder.exe: Win.Trojan.Agent-263533 FOUND


2:
C:\Program Files\3com\Connection Assistant\drivers\3C90x\Source\TDInstNT.exe: Win.Trojan.4112211 FOUND
C:\Program Files\Bonjour\mDNSResponder.exe: Win.Trojan.Agent-263533 FOUND
(no longer unloaded from memory)


3:
C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\compluslm.dll: Win.Trojan.Autorun-1786 FOUND
C:\Windows\Installer\9544e1.msi: Win.Trojan.Autorun-1786 FOUND


4:
C:\Program Files\3com\Connection Assistant\drivers\3C90x\Source\TDInstNT.exe: Win.Trojan.4112211 FOUND
C:\Program Files\Bonjour\mDNSResponder.exe: Win.Trojan.Agent-263533 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
No, whitelisting is the only thing you can do. The virus signatures from Clam AV are now mostly automated, with a few manual signatures prepared occasionally as someone from Sourcefire has time. It also appears that only one person regularly addresses false positives and that is also done occasionally. I have been submitting false positives on signed Windows system files almost every night. After 5 days I have been resubmitting them. I suggest that you do the same.

Regards,
GlennD


Joined: 25 Mar 2013
Posts: 0
Thanks for this info GuitarBob.

"are now automated": now as in during a break, or is this the way it will be in the foreseeable future?

Cheers
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I think automation is the only way to go with the volume of malware around now. At present, Sourcefire only automates the Windows PE file signatures. Other file types like javascript, html, etc. still need manual signatures. With limited time to work on manual signatures, this leaves a gap, but hopefully they will be automated at some point. Most malware is still in PE files, so this gives good (not great) coverage.

With all the various projects that Sourcefire has going in its security business, however, Clam AV (and ClamWin by default) is on the back burner. You will recall that Sourcefire has asked for knowledgeable users to prepare their own signatures and submit them via pasting in the comments section of the Clam AV file submission form.

Regards,
GlennD


Joined: 25 Mar 2013
Posts: 0
I assume more effort is poured into initiatives like Immunet, that also employ the Clam definitions. Do you know if those products handle the false positives better?

We specifically look for low footprint scanners that report only and take no action. They are only used on servers and broadcast PCs; we can't have those lock down on a false positive. Even a real threat should only be flagged and reported, as it's usually better to allow the PC to play a live broadcast than have it lock up because of a scanner. We'll clean manually afterwards.

ClamWin used to do a great job for us. With all these FPs, it's become a bit too user-intensive for our fully automated backend. It happens with almost every Adobe update, and now with these files mentioned in my OP: these haven't even been changed in quite some time.

I'd help with signatures if I was knowledgeable, but I'm afraid my knowledge lacks quite a bit in that part.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I suggest that we just continue to submit the false positives to Clam as we get them.

I don't know much about Immunet. I have tried it several times on my personal computer but each time I have quickly uninstalled it because it has some scripts that don't work on my machine--the error handling is terrible and has not been improved for over a couple of years now. I think it only uses the Clam AV code on the local machine. Most of the Cloud AVs have some sort of local virus database in case the Cloud goes down. I prefer a local database anyway--too much can go on in the Cloud that is beyond my control.

You can get an MD5 hash signature for just about any infected file except HTML files. Clam recommends other types of signatures, but I think an MD5 hash is just as good as any other sig. It will only detect that one file, but malware is changed so often now that doesn't matter. The AVs cannot unpack/unobfuscate malware files because of custom packing and obfuscation done by the malware writers. Most of the automated AV signatures use some kind of hash, but for some reason, Clam uses a PE file sectional signature--a hash would prevent false positives because it is only good on that one file.

Here is an MD5 sig format: MD5 hash:filesize:Platform.MalwareType.MalwareName (file size is in bytes--no commas or rounding).

Example: 5d1e74b7b3c054550be4aae9c638e283:572056:Win.Trojan.Zbot
Put the sig in a Notepad text file and name it: something.hdb (I use Sigfile.hdb on my machine). Paste the sig in the Comments section of the Clam submission form. Drop the sig on your machine(s) a week or so after you submit it to Clam.

You can actually get an unofficial sig for a false positive with an MD5 hash using this format:
MD5hash:filesize:SID#_filenamenoextn (SID# is Clam's submission ID, the underscore is a separator, and do not use an extension after the filename). You can probably use a common number for the SID on your network--like 999999, but Clam will have to use its SID if you submit the false positive signature to them. Put the sig in a Notepad text file and name it: something.fp. I use Falsepositive.fp on my machine. Drop the sig on your machine(s) a couple of weeks or so after you submit it to Clam.

Example: 8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel

One caveat: the MD5 false positive signature described above only works on signatures that are in the daily database. If a false positive is in the main database, Clam AV must take care of correcting it.

Regards,
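The two hash-signature formats GuitarBob describes above (an .hdb detection line and an .fp whitelist line, both MD5:filesize:name) are easy to build and check by hand; the following is an added Python example, not code from the ClamAV or ClamWin projects. The sample bytes, the malware name and the submission ID 999999 are constructed placeholders, and the lookup simply mimics the .fp-overrides-.hdb behaviour the post describes.

```python
import hashlib
import re
from pathlib import PurePath

# Line shape used by both files: 32-hex MD5, size in bytes, a name with no colons.
# .hdb: name is Platform.Type.Name      .fp: name is SID_filenamewithoutextension
_SIG_RE = re.compile(r"^(?P<md5>[0-9a-f]{32}):(?P<size>[0-9]+):(?P<name>[^:\s]+)$")


def md5_size(data: bytes):
    """Return (md5 hex digest, size in bytes) for a file's contents."""
    return hashlib.md5(data).hexdigest(), len(data)


def hdb_line(data: bytes, malware_name: str) -> str:
    """Build a .hdb detection line, e.g. '<md5>:572056:Win.Trojan.Zbot'."""
    digest, size = md5_size(data)
    return f"{digest}:{size}:{malware_name}"


def fp_line(data: bytes, sid: str, filename: str) -> str:
    """Build a .fp whitelist line; the name is SID_filename with the extension dropped."""
    digest, size = md5_size(data)
    stem = PurePath(filename).stem  # 'mDNSResponder.exe' -> 'mDNSResponder'
    return f"{digest}:{size}:{sid}_{stem}"


def parse_sig(line: str) -> dict:
    """Validate one signature line and split it into its three fields."""
    m = _SIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed signature line: {line!r}")
    return {"md5": m["md5"], "size": int(m["size"]), "name": m["name"]}


def classify(data: bytes, hdb_lines, fp_lines):
    """Return the matching .hdb name, or None if nothing matches or an .fp line whitelists the file."""
    digest, size = md5_size(data)
    hit = lambda sig: sig["md5"] == digest and sig["size"] == size
    if any(hit(parse_sig(line)) for line in fp_lines):
        return None  # whitelisted: same hash and size as an .fp entry
    for line in hdb_lines:
        sig = parse_sig(line)
        if hit(sig):
            return sig["name"]
    return None


if __name__ == "__main__":
    sample = b"abc"  # constructed stand-in for a flagged file's bytes
    detect = hdb_line(sample, "Win.Trojan.Example")
    allow = fp_line(sample, "999999", "mDNSResponder.exe")
    print(detect, allow, classify(sample, [detect], []), classify(sample, [detect], [allow]))
```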