ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
False Positives
thebrain


Joined: 04 Dec 2014
Posts: 2
Reply with quote
Getting report from scheduled scan of a virus, but each time it's one of ClamWin's own temp files.

C:\DOCUME~1\bhenson\LOCALS~1\Temp\clamav-226b2afbe646a709a1b9848ce6d6fe05.00001724.clamtmp: W32.Virut.Gen.D-148 FOUND

I tried adding *.clamtmp to the exclude list but it still complains about these files each time.

Running ClamWin 98.7
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Reply with quote
Strange!

I don't know if it will help but try excluding the full location:

C:\DOCUME~1\bhenson\LOCALS~1\Temp\*.clamtmp

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
Would be best to upload the file to virustotal. Then submit the file and virustotal report to ClamAV false positive support here: http://www.clamav.net/contact

However, I think some of these false positives are happening because of incompatibility with the YARA and Snort rules that are being introduced in .99. The YARA and Snort rules do not work with .98.7 and under.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Reply with quote
Virut is an old virus now, and I'm sure the authors have moved on. The Clam AV Virut signatures were subject to many false positives.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
That looks like a generic signature. I didn't know ClamAV was writing generic signatures. Would explain why I haven't seen any new bytecode signatures in a long time now. Generic signatures can last weeks to months before it would need to be updated. Generic signatures can detect families of malware.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Reply with quote
Problem with the generic stuff is that it should be really tested extensively. Clam AV does not/did not have many Windows system/app files on its false positive farm, so the Virut sigs always zapped valid Windows files (Office, some system files) that had been changed since the last Virus sig. Clam was always so glad to get the latest Virut sig that they never bothered to change their very simple Virut signature process. There's more to a good generic signature than wildcards! Every Clam Sentinel heuristic signature is a generic signature which can detect a very broad category of malware.

Regards
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Reply with quote
Well I don't know how true that is today, but at least ClamWin has a false positive safe guard for valid digitally signed Microsoft files.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4360
Location: USA
Reply with quote
I haven't seen it yet (in ClamWin's v.98.7) as of about a week ago. ClamWin had this protection years ago. Clam Sentinel starting using digital sigs in its detection process when Clam AV was scared of them back in 2012.

There's more to a good generic sig than a few wildcards. That is 2008 technology.

Regards,
View user's profileSend private message
False Positives
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic