 Sudden malware or false positives?
davebit

 Posted: Mon Jan 18, 2016 2:44 pm
ClamWin today reported a bunch of malware FOUND while previously had not, and most of these look like normal programs from trusted sources.

I'll look through each one later today but it could take me hours; can someone advise?

C:\Users\Dave\Desktop\ClamScanLog.txt
00903: C:\HP Universal Print Driver\pcl6-x64-6.0.0.18849\hpcu175u.cab: Win.Adware.Browsefox-12346 FOUND
00905: C:\Program Files\Android\Android Studio\lib\libpty\win\x86\libwinpty.dll: Win.Adware.Browsefox-12535 FOUND
00906: C:\Program Files\Android\Android Studio\lib\libpty\win\x86\winpty-agent.exe: Win.Adware.Browsefox-12535 FOUND
00907: C:\Program Files\Android\Android Studio\lib\libpty\win\xp\libwinpty.dll: Win.Adware.Browsefox-12535 FOUND
00908: C:\Program Files\Android\Android Studio\lib\libpty\win\xp\winpty-agent.exe: Win.Adware.Browsefox-12535 FOUND
00910: C:\Program Files (x86)\Agilo\uninstall.exe: Win.Adware.Agent-59030 FOUND
00911: C:\Program Files (x86)\Arora\uninst.exe: Win.Adware.Agent-59032 FOUND
00912: C:\Program Files (x86)\Common Files\Apple\Apple Application Support\JavaScriptCore.dll: Win.Adware.Browsefox-12945 FOUND
00913: C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit.dll: Win.Adware.Browsefox-12823 FOUND
00914: C:\Program Files (x86)\Common Files\Windows Live\.cache\80873ef81cf5d2009\WLXSuite.msi: Win.Adware.Browsefox-12994 FOUND
00915: C:\Program Files (x86)\Steam\amf\mcl-windesktop32.dll: Win.Trojan.Ramnit-8022 FOUND
00916: C:\Program Files (x86)\Steam\bin\gameoverlayui.dll: Win.Adware.Browsefox-12346 FOUND
00917: C:\Program Files (x86)\Steam\v8.dll: Win.Adware.Browsefox-12346 FOUND
05743: C:\Users\Dave\AppData\Local\Apps\2.0\28LMGM8X.YBW\2C067VN3.KV3\gith..tion_317444273a93ac29_0003.0000_328216539257acd4\GitHub.exe: Win.Adware.Browsefox-12346 FOUND
05764: C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\nt5nzi2w.default-1441286678254\cache2\entries\8FD400E0424753D70232AA3BCCF31FF28AE6BFB7: Win.Adware.Browsefox-12346 FOUND
05765: C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\nt5nzi2w.default-1441286678254\cache2\entries\B27FFE6E190C1C47E24D34AC86BFE555B1A83DAA: Win.Adware.Browsefox-12346 FOUND
05766: C:\Users\Dave\AppData\LocalLow\Sun\Java\JRERunOnce.exe: Win.Adware.Softpulse-215 FOUND
05768: C:\Users\Dave\Development\Android\Stencyl-full.exe: Win.Adware.Agent-59030 FOUND
05769: C:\Users\Dave\Development\fiddler4setup.exe: Win.Adware.Agent-59030 FOUND
05771: C:\Users\Dave\Development\PHP\Eclipse\PDT\Projects\dhinged\coreftplite.exe: Win.Adware.Agent-59030 FOUND
05772: C:\Users\Dave\Development\win-sshfs-0.0.1.5-setup.exe: Win.Adware.Agent-59030 FOUND
05773: C:\Users\Dave\Documents\Games\Duke_Nukem_3D-1.0.exe: Win.Adware.Agent-59030 FOUND
05775: C:\Users\Dave\Documents\Network\Wireshark-win64-2.0.0.exe: Win.Adware.Agent-59030 FOUND
05788: C:\Users\Dave\Music\audiograbber.zip: Win.Adware.Softpulse-215 FOUND
05789: C:\Users\Dave\Music\sc_serv2_win64-latest.exe: Win.Adware.Agent-59030 FOUND
05790: C:\Users\Dave\Music\shoutcast-dsp-2-3-5-windows.exe: Win.Adware.Agent-59030 FOUND
05792: C:\Windows\Installer\8e6d91.msi: Win.Adware.Browsefox-12824 FOUND
05793: C:\Windows\Installer\c28bb6.msi: Win.Adware.Browsefox-12994 FOUND
05805: C:\Windows\System32\DriverStore\FileRepository\hpcu175u.inf_amd64_neutral_3a55bc5c34503f8a\hpcdmc32.dll: Win.Adware.Browsefox-12346 FOUND
05808: C:\Windows\System32\spool\drivers\x64\PCC\hpcu175u.inf_amd64_neutral_3a55bc5c34503f8a.cab: Win.Adware.Browsefox-12346 FOUND
05970: C:\Windows\SysWOW64\hpcdmc32.dll: Win.Adware.Browsefox-12346 FOUND
GuitarBob

 Posted: Mon Jan 18, 2016 4:29 pm
I think there is a new sigmaker at Clam AV, and he has a bit to learn. I have been getting some false positives on files I have had for some time. If you have had the file for some time, I wouldn't worry about it. It's a lot of work, but if you upload each file to Virus Total, Clam AV will probably note that it is a FP and will prepare a corrected signature.

If you are running another AV alongside ClamWin (and you should be), scan the files with it if you need some extra assurance.

Thanks for using ClamWin.

Regards,
jimimaseye

 Posted: Thu Jan 21, 2016 1:48 pm
 GuitarBob wrote: It's a lot of work, but if you upload each file to Virus Total, Clam AV will probably note that it is a FP and will prepare a corrected signature.

Don't hold your breath, though. I am sick and tired of getting similar false positives and doing the above (as well as directly reporting a False Positive on the ClamAV site), and it takes them ages to rectify (days or weeks). And then another couple of days pass and the same programs get detected again with a NEW virus signature.

It's endless.

Some regular contenders (for me):
Skype
HP printer drivers
McAfee Virus Removal programs
Lipper

 Posted: Thu Jan 21, 2016 8:19 pm
 jimimaseye wrote: It's endless. Some regular contenders (for me): Skype, HP printer drivers, McAfee Virus Removal programs

Same here, but some of my repeaters are any program from portableapps.com or Karenware, and Free Download Manager.
GuitarBob

 Posted: Thu Jan 21, 2016 8:40 pm
I saw recently that about 75% of malware is now what is considered PUP/PUA--potentially unwanted programs (mostly adware related), so watch that free stuff. Even some AVs are now starting to bundle it! Some of it comes with valid digital certificates.

Regards,
ROCKNROLLKID

 Posted: Fri Jan 22, 2016 9:25 pm
You guys can also make your own fixes for false positives in ClamWin/ClamAV if the team takes too long to fix them. You might also want to exclude directories that malware doesn't normally hit, if that helps.
GuitarBob

 Posted: Sat Jan 23, 2016 1:23 am
Below is the format for whitelisting files that Clam AV falsely detects. Put all whitelisted files in a single Notepad or text file named Sigfile.fp and save it in the ClamWin db folder. For the Submission ID (SID), I use the 6 digit date. Put the filename, preceded by an underscore, at the end without any extension. This works for any malware file. Using the file size in the signature minimizes the possibility of some malware with the same file name being ignored.

MD5hash:filesize:SIDnumber_filenamenoextn

Real Example:

Regards,
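As an added worked example (not GuitarBob's own code, and not part of ClamWin), the script below does two things the thread asks for: it parses clamscan/ClamWin log lines like the ones davebit posted into (path, signature) pairs and tallies them by signature family so the repeat offenders stand out, and it builds entries in the MD5:Size:Name whitelist format GuitarBob describes, with the name composed as SID + underscore + filename without extension. The log lines embedded in it are copied from davebit's post above; the file bytes, the SID value and the function names are constructed for illustration. The MD5 pins the exact file contents, so a whitelist entry stops matching as soon as the vendor ships a new build of that file.

```python
import hashlib
import ntpath
import re
from typing import Dict, List, NamedTuple

# Four lines from davebit's ClamScanLog.txt above (sample input for this example).
SAMPLE_LOG = r"""
00910: C:\Program Files (x86)\Agilo\uninstall.exe: Win.Adware.Agent-59030 FOUND
00911: C:\Program Files (x86)\Arora\uninst.exe: Win.Adware.Agent-59032 FOUND
00916: C:\Program Files (x86)\Steam\bin\gameoverlayui.dll: Win.Adware.Browsefox-12346 FOUND
00915: C:\Program Files (x86)\Steam\amf\mcl-windesktop32.dll: Win.Trojan.Ramnit-8022 FOUND
"""

# One log line: "<seq>: <path>: <signature> FOUND". The path contains a colon after the
# drive letter, so the greedy path group backtracks to the last ": " before the signature.
LOG_LINE = re.compile(r"^(?P<seq>\d+): (?P<path>.+): (?P<sig>\S+) FOUND$")


class Detection(NamedTuple):
    path: str
    signature: str


def parse_scan_log(text: str) -> List[Detection]:
    """Extract (path, signature) pairs from clamscan-style log text; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            found.append(Detection(m.group("path"), m.group("sig")))
    return found


def count_by_family(detections: List[Detection]) -> Dict[str, int]:
    """Tally detections by family, i.e. the signature name with its trailing -NNNN variant id removed."""
    counts: Dict[str, int] = {}
    for d in detections:
        family = d.signature.rsplit("-", 1)[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


def fp_entry(data: bytes, sid: str, filename: str) -> str:
    """Build one .fp whitelist line in the form MD5hash:filesize:SID_filenamenoextn."""
    md5 = hashlib.md5(data).hexdigest()
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    name = f"{sid}_{stem}"
    # The name field is a single token: no whitespace and no colon (the field separator).
    if re.search(r"[\s:]", name):
        raise ValueError(f"invalid whitelist name: {name!r}")
    return f"{md5}:{len(data)}:{name}"


def build_fp_file(confirmed: Dict[str, bytes], sid: str) -> str:
    """Produce Sigfile.fp text for files the user has verified as false positives.

    confirmed maps a Windows path (as printed in the scan log) to that file's bytes.
    """
    lines = []
    for path, data in confirmed.items():
        lines.append(fp_entry(data, sid, ntpath.basename(path)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dets = parse_scan_log(SAMPLE_LOG)
    for family, n in sorted(count_by_family(dets).items()):
        print(f"{n:3d}  {family}")
    # Constructed stand-in for the real file contents, which would be read from disk.
    print(build_fp_file({dets[0].path: b"hello world"}, sid="160123"))
```

Entries for real files can equally be produced with ClamAV's own `sigtool --md5 <file>`, which prints the same `md5:size:filename` line; this script just makes the format and the grouping explicit.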
davebit

 Posted: Sun Jan 24, 2016 4:46 pm
The problem is I can't tell if a file is a false positive unless I look up each "malware" identified by ClamWin:

Win.Trojan.Ramnit
Win.Trojan.Generickd

They all sound bad, but they might all just be fine (and there may be multiple instances of each with different appended numbers). The point is that ClamWin should be identifying for me what's actually bad, not me having to manually figure it out for myself every time.

I'm going to run ClamAV USB and every other anti-malware I can find, but I feel like I can rely on ClamWin less now.
ROCKNROLLKID

 Posted: Sun Jan 24, 2016 6:36 pm
Have you tried disabling PUP/PUA detections to see if these malware pieces go away? If they do, then you have your answer already. Remember that PUP/PUA are not malicious, but rather a collection of unwanted software that may act in a form similar to adware.
jimimaseye

 Posted: Mon Jan 25, 2016 9:43 am
 ROCKNROLLKID wrote: Have you tried disabling PUP/PUA detections to see if these malware pieces go away?
Where do you do that? I have checked in ClamWin Preferences and can't see anything obvious.
davebit

 Posted: Mon Jan 25, 2016 2:49 pm
As an aside, I just downloaded Duplicate File Finder, uploaded it to virustotal.com, and it found one of the things my ClamWin found: Win.Adware.Agent-59032

https://www.virustotal.com/en/file/d2e54df1e2714c2cf8a401c248a68245d72438a15659414b4080848af392bdf0/analysis/

An online search finds this very thread, but also "File has been identified by at least one AntiVirus on VirusTotal as malicious. Installs itself for autorun at Windows startup"

So maybe ClamWin is right and this actually is malicious, and there's more info here:

"Win.Adware.Agent is a specific detection used by Microsoft Security Essentials, Emsisoft Anti-Malware and other antivirus products to indicate and detect an adware program."

"Win.Adware.Agent is a program that contains adware, installs toolbars or will display pop-up advertisements on the computer." and "it’s technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience."

What I can't tell yet is if I have the option to not install this when I run the software I downloaded.
GuitarBob

 Posted: Mon Jan 25, 2016 3:34 pm
You never have this option for a lot of the stuff that is forced upon us by some installers. However, you certainly have the option to uninstall a program via Windows control panel if it is installed by normal Windows installation procedures. Bleeping Computer's adware cleaner might also help.

Regards,
jimimaseye

 Posted: Mon Jan 25, 2016 3:41 pm

I'm not sure you are making a valid point there, Davebit.

What you have shown is:

1. ClamAV detects Duplicate File Finder ("DFF") as malware.
2. VirusTotal reports that ClamAV has detected DFF as malware. This proves nothing; it's just reporting the fact that Clam thinks it's malware (1, above).
3. The malware that ClamAV has detected it as (Win.Adware.Agent) is dangerous. Again factual, but not important if you don't actually have the malware.

To me this looks like a classic case of a False Positive: 55 different AV solutions and only Clam thinking it's malware (which in my personal opinion is the least trusted of them all, for good reason... and this justifies it).
ROCKNROLLKID

 Posted: Mon Jan 25, 2016 4:50 pm
If you look at the description described on Virustotal by ClamAV, it says that ClamAV is detecting this as a PUA. As I said, these are more likely PUP/PUA detections. I do not believe the ClamAV team will fix any false positives related to PUP/PUA since they are optional.
jimimaseye

 Posted: Mon Jan 25, 2016 5:03 pm
 ROCKNROLLKID wrote: If you look at the description described on Virustotal by ClamAV, it says that ClamAV is detecting this as a PUA. As I said, these are more likely PUP/PUA detections. I do not believe the ClamAV team will fix any false positives related to PUP/PUA since they are optional.

An interesting point.

I have never actually looked at that page before for any of the previous 'false positives' on my genuine programs that I quoted in previous posts. However, the pattern of 1/55 by Clam (on VirusTotal) is the same as the others. And as I type, those others have since been rectified (for the last 3 days it isn't detecting FPs).

So in future, to prove or disprove whether they do 'fix' FPs against PUAs, I shall take a closer look at that details page on VirusTotal to see whether my FPs are what Clam thinks are genuine malware or PUAs.
