ClamWin Free Antivirus
Support and Discussion Forums
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Feel free to share your results. Remember that Trojan.agent is just a name and could mean different things with each AV. Also, I think ClamAV's PUP/PUA is a little overzealous compared to other AVs, too.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
A look at the submission date on Virus Total will help ID a false positive. If it was a week ago, then more than 1 AV should detect it. If it was several weeks ago, then several AVs should detect it.

When I was working malware signatures for Clam AV, I liked to see at least 2 of these AVs detect something: Avira, Bitdefender, Nod32, Kaspersky, and Sophos. All of them use their own scan engine, have a number of commercial users, and have a world-wide staff of malware analysts.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Another week, another list of false positives, the usual suspects declared dodgy but as it's another week all yet again with different Virus names. All of these are within 'installation' sets of genuine programs. So I tried the suggestion above.

\hMailserver\hMailServer-5.4.2-B1964.exe: Win.Adware.Eorezo-528 FOUND
\hMailserver\hMailServer-5.6.4-B2283.exe: Win.Adware.Eorezo-528 FOUND
\HP CM1410 Printer Driver\CM1410Series_FN_Full_Solution\Setup\Core\Marketsplash\Marketsplash-setup.msi: Win.Trojan.Agent-971646 FOUND
\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND (this is a standalone McAfee Virus removal program)
\SpamAssassin\SpamAssassinForWindows-Setup34030.exe: Win.Trojan.Application-1470 FOUND

And so, as discussed, I set about checking them with Virustotal first to look up the TYPE of virus Clam thinks these are (PUPs, PUAs or other). Waste of time. Virustotal reports 0/55...including Clam! (And yes, that was after a 'reanalyse').

example:
https://www.virustotal.com/en/file/527a9fb97be72980cd148f76dc1d6d31f811d75e36643b1be73e5a5a7052f678/analysis/1454235999/ ( - this is MarketSplash.msi)
https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454237428/ (- this is SpamassassinForWindows)
(all five had the same results)

So I ran a Virus Update on my system to ensure the latest definitions are in (despite them being only 8 hours since the last download) and then scanned the files again. And still my Clam detects them.

The problem being here that whatever Virustotal uses to identify the results of a Clam detection (contrary to all other AV solutions), it doesn't reflect the up-to-date situation with the current definition releases. And consequently I can't get Virustotal to 'see' that Clam has got it wrong (nor look at what type it thinks it is), and therefore the theoretical practice of using Virustotal to get to the Clam definition writers to remove the FP is dead in the water.

So, what next? Well I have uploaded them using http://www.clamav.net/reports/fp to see if they get reverted.

This drive is scanned every night so we will see how responsive they are at removing FPs using this method alone.
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Re: PUAs/PUPs: I don't know how Clam handles them now, but in the past you had to configure ClamWin to detect them via the command line, so unless you have done that, you are probably not detecting them with ClamWin. Many AVs still handle it like this--you have to configure the AV to detect PUA.

Some PUP/PUA will have a valid digital signature, and some AVs do not detect them because of this.

Best advice I can give is to look at the submission date on Virus Total--let that be your guide. The older something is, the more AVs should detect it. However...much of the malware is short-run and will perhaps not be detected by many AVs. Look at the AVs detecting in that case--you want to see something detected by a quality AV with global reach.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
In fact I would be surprised that PUA's are being detected too. In fact I just checked my Clamd log, and at startup it says:
Quote:
Thu Jan 28 12:44:09 2016 -> +++ Started at Thu Jan 28 12:44:09 2016
Thu Jan 28 12:44:09 2016 -> clamd daemon 0.98.7 (OS: win32, ARCH: i386, CPU: i386)
Thu Jan 28 12:44:09 2016 -> Log file size limited to 1048576 bytes.
Thu Jan 28 12:44:09 2016 -> Reading databases from C:\ProgramData\.clamwin\db
Thu Jan 28 12:44:09 2016 -> Not loading PUA signatures.
Thu Jan 28 12:44:09 2016 -> Bytecode: Security mode set to "TrustSigned".
Thu Jan 28 12:44:24 2016 -> Loaded 4348951 signatures.
Thu Jan 28 12:44:25 2016 -> TCP: Bound to []:3310
Thu Jan 28 12:44:25 2016 -> TCP: Setting connection queue length to 200
Thu Jan 28 12:44:25 2016 -> TCP: Bound to []:3310
Thu Jan 28 12:44:25 2016 -> TCP: Setting connection queue length to 200
Thu Jan 28 12:44:25 2016 -> Limits: Global size limit set to 104857600 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: File size limit set to 26214400 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: Recursion level limit set to 16.
Thu Jan 28 12:44:25 2016 -> Limits: Files limit set to 10000.
Thu Jan 28 12:44:25 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Jan 28 12:44:25 2016 -> Limits: MaxPartitions limit set to 50.
Thu Jan 28 12:44:25 2016 -> Limits: MaxIconsPE limit set to 100.
Thu Jan 28 12:44:25 2016 -> Archive support enabled.
Thu Jan 28 12:44:25 2016 -> Algorithmic detection enabled.
Thu Jan 28 12:44:25 2016 -> Portable Executable support enabled.
Thu Jan 28 12:44:25 2016 -> ELF support enabled.
Thu Jan 28 12:44:25 2016 -> Mail files support enabled.
Thu Jan 28 12:44:25 2016 -> OLE2 support enabled.
Thu Jan 28 12:44:25 2016 -> PDF support enabled.
Thu Jan 28 12:44:25 2016 -> SWF support enabled.
Thu Jan 28 12:44:25 2016 -> HTML support enabled.
Thu Jan 28 12:44:25 2016 -> Self checking every 600 seconds.


Furthermore, I have no idea how to tell CLAMWIN to detect PUAs (as you suggest it should, Guitarbob) so it's definitely not doing it on my say-so. So neither my Clamwin nor Clamd service should be doing so.

So this sort of flies against what RNRK said earlier:
ROCKNROLLKID wrote:
If you look at the description described on Virustotal by ClamAV, it says that ClamAV is detecting this as a PUA. As I said, these are more likely PUP/PUA detections. I do not believe the ClamAV team will fix any false positives related to PUP/PUA since they are optional.


If Clamd isn't loading PUA signatures (as per the log), and Clamwin has not been told to do PUA detections, and Clamwin was detecting (a false positive) with a virus signature that the VT analysis says Clam is saying (that particular detection earlier) is a PUA, there is a definite inconsistency somewhere and something is not making sense or being true.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Alch should have made a GUI option to opt out of PUP/PUA signatures when ClamAV added them to their database. It seems he did not. I will suggest this to Alch on the next beta testing (it's the only time we can actually talk to him in person).
GuitarBob


Joined: 09 Jul 2006
Posts: 4655
Location: USA
Last Word I had on Clam AV PUAs was that they were not making them a default detection. There were just too many false positives on packers and installers--which can be used by both malware and goodware.

Here is the command line entry to put in the Advanced ClamWin tab to enable PUA detection: --detect-pua
That's 2 dashes followed by detect-pua.

I just can't see why anyone would want to detect Clam AV PUA, considering the poor PUA signatures they used to have. Maybe they are better now. Anyway, let me know how this goes. PUAs are still around, so I think it will still work.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
GuitarBob wrote:
Last Word I had on Clam AV PUAs was that they were not making them a default detection. There were just too many false positives on packers and installers--which can be used by both malware and goodware.

That concurs with the general opinion above, where it is thought that no PUA detections are enabled. And seemingly for good reason. (Clam definitions don't need any more reasons to increase its potential of raising false positives. Rolling Eyes )
jimimaseye


Joined: 04 Jan 2014
Posts: 95
jimimaseye wrote:
Another week, another list of false positives, the usual suspects declared dodgy but as it's another week all yet again with different Virus names. All of these are within 'installation' sets of genuine programs. So I tried the suggestion above.

\hMailserver\hMailServer-5.4.2-B1964.exe: Win.Adware.Eorezo-528 FOUND
\hMailserver\hMailServer-5.6.4-B2283.exe: Win.Adware.Eorezo-528 FOUND
\HP CM1410 Printer Driver\CM1410Series_FN_Full_Solution\Setup\Core\Marketsplash\Marketsplash-setup.msi: Win.Trojan.Agent-971646 FOUND
\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND (this is a standalone McAfee Virus removal program)
\SpamAssassin\SpamAssassinForWindows-Setup34030.exe: Win.Trojan.Application-1470 FOUND

And so, as discussed, I set about checking them with Virustotal first to look up the TYPE of virus Clam thinks these are (PUPs, PUAs or other). Waste of time. Virustotal reports 0/55...including Clam! (And yes, that was after a 'reanalyse').

example:
https://www.virustotal.com/en/file/527a9fb97be72980cd148f76dc1d6d31f811d75e36643b1be73e5a5a7052f678/analysis/1454235999/ ( - this is MarketSplash.msi)
https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454237428/ (- this is SpamassassinForWindows)
(all five had the same results)

So I ran a Virus Update on my system to ensure the latest definitions are in (despite them being only 8 hours since the last download) and then scanned the files again. And still my Clam detects them.

The problem being here that whatever Virustotal uses to identify the results of a Clam detection (contrary to all other AV solutions), it doesn't reflect the up-to-date situation with the current definition releases. And consequently I can't get Virustotal to 'see' that Clam has got it wrong (nor look at what type it thinks it is), and therefore the theoretical practice of using Virustotal to get to the Clam definition writers to remove the FP is dead in the water.

So, what next? Well I have uploaded them using http://www.clamav.net/reports/fp to see if they get reverted.

This drive is scanned every night so we will see how responsive they are at removing FPs using this method alone.

Ok, 2 days on and I checked Virustotal to see what it now thinks of one of the above files. I chose the SpamassassinForWindows installation. https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454433757/

NOW Virustotal is saying that CLAMAV detects it as a Win.Trojan.Application-1470 (with defs dated 02-feb-2016/today) just as Clam detects overnight. Note: VT does NOT say it is any kind of PUA.

I made a point of not sending the other file, Marketsplash.msi, for re-analysis so that we can now see if reporting to Virustotal really does make the difference. (If it does I expect this spamassassin program to be immunised and marketsplash to still be falsely detected; the idea being that if I don't reanalyse it, and therefore VT still has it on file as being clean, then it won't be fed back to Clam for rectifying). Or if it doesn't make a difference, and both files get their false positives rectified together, then it shows that simply reporting it via the ClamAV website is the only method they respond to....or not (as the case may be).
jimimaseye


Joined: 04 Jan 2014
Posts: 95
(Another night, another scan, and another additional False Positive: OpenOfficePortable\OpenOfficePortable.exe: Win.Trojan.Ramnit-8177 FOUND. And it seems that I am not the only one, someone else already told VT about it: https://www.virustotal.com/en/file/26ec327fbb3de17b4a0c2c0c5b768ffef2b861218f6e2bdb6c3499886bdd9787/analysis/)
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
That one was detected as a PUA, according to the detailed report. I would suggest for all future false positives to do one of the following:

1. Send the file along with the virustotal report to the ClamAV false positive team here: http://www.clamav.net/contact

2. Create a false positive file yourself by using Bob's whitelist instructions. Alternatively, and this might get a response from the ClamAV team much faster, you may send the false positive file to the ClamAV support team via the link above.
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Detected as a PUA it might be, but it was still wrong to do so (it isn't a PUA by any of the descriptions given by Clam themselves: http://www.clamav.net/documents/potentially-unwanted-applications-pua - it is purely an EXE zip file of openoffice standalone/portable). It has already been reported to Clam as a false positive and I expect it to be 'removed' as such in due course. The only question is when.

For the record, I'm not reporting these here to vent off or rant about how shit Clam is for their false positives or lack of detection of real threats (I've done that in other threads and earlier here, and have no doubts that these false positives are going to continue to happen. Of course I am already aware of how to immunise my files from FPs but that wouldn't allow correct analysis of the worthiness of this AV software so I choose not to.....for now). The point of me reporting these latest reports is to show a timeline on the actions and reactions of Clam in response to these so that we can see what is to be expected and maybe determine the best course of action (if there is a 'best' one). The idea is that it gives other readers some solidarity and perhaps something to consider when they read the reports. (I won't be doing every FP I encounter... because otherwise this forum would get full or I would get banned. Laughing )
Similar Results Here...
neo


Joined: 04 Feb 2016
Posts: 1
I just wanted to say I am finding similar results in a few of my downloaded exe's.

c:\Users\Downloads\openvpn-install-2.3.8-I601-x86_64.exe: Win.Trojan.Ramnit-8178 FOUND
c:\Users\Downloads\winscp576setup.exe: Win.Trojan.Application-1470 FOUND
c:\Program Files\Common Files\LogiShrd\Unifying\UnifyingUnInstaller.exe: Win.Trojan.Agent-971646 FOUND
c:\Program Files\TAP-Windows\Uninstall.exe: Win.Trojan.Ramnit-8178 FOUND


I am not convinced they are false positives as they all target critical spying vectors.

Peace,
Neo
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
2 of those files were marked with the same infected name. The static signatures can't repeat the same name, otherwise it would cause a database issue. I am guessing that this is coming from some type of generic or bytecode signature.

I do not know all those files, but I do know that OpenVPN is a legit VPN client. It is open-source, too. I would suggest you send those files to virustotal to see if they are legit or not.
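Added example, not part of any poster's message and not ClamAV or ClamWin code: a short Python script that groups the `FOUND` lines quoted in this thread by signature name, showing which names fire on files from unrelated products and whether a name is PUA-class. It assumes ClamAV's convention that PUA signature names start with `PUA.`; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Detection lines quoted in this thread (jimimaseye's and neo's scans).
# The last two lines are constructed to exercise the PUA and "not a hit" paths.
SCAN_OUTPUT = r"""
\hMailserver\hMailServer-5.4.2-B1964.exe: Win.Adware.Eorezo-528 FOUND
\hMailserver\hMailServer-5.6.4-B2283.exe: Win.Adware.Eorezo-528 FOUND
\HP CM1410 Printer Driver\CM1410Series_FN_Full_Solution\Setup\Core\Marketsplash\Marketsplash-setup.msi: Win.Trojan.Agent-971646 FOUND
\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND (this is a standalone McAfee Virus removal program)
\SpamAssassin\SpamAssassinForWindows-Setup34030.exe: Win.Trojan.Application-1470 FOUND
c:\Users\Downloads\openvpn-install-2.3.8-I601-x86_64.exe: Win.Trojan.Ramnit-8178 FOUND
c:\Users\Downloads\winscp576setup.exe: Win.Trojan.Application-1470 FOUND
c:\Program Files\Common Files\LogiShrd\Unifying\UnifyingUnInstaller.exe: Win.Trojan.Agent-971646 FOUND
c:\Program Files\TAP-Windows\Uninstall.exe: Win.Trojan.Ramnit-8178 FOUND
C:\constructed\packed-tool.exe: PUA.Win.Packer.Constructed-1 FOUND
C:\constructed\readme.txt: OK
"""

# "<path>: <signature> FOUND", optionally followed by a note the poster typed.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>[\w.-]+) FOUND\b")

def group_by_signature(text):
    """Map signature name -> list of file paths it fired on."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:  # skips OK lines, summaries and blank lines
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def product_dir(path):
    """Parent folder, lower-cased, as a rough stand-in for 'which product'."""
    parts = path.replace("/", "\\").split("\\")
    return parts[-2].lower() if len(parts) > 1 else ""

def triage(text):
    """One row per signature: PUA-named? how many files? several products?"""
    rows = []
    for sig, paths in sorted(group_by_signature(text).items()):
        folders = {product_dir(p) for p in paths}
        rows.append({
            "signature": sig,
            "pua": sig.startswith("PUA."),      # assumed naming convention
            "files": len(paths),
            "cross_product": len(folders) > 1,  # same name, unrelated software
        })
    return rows

if __name__ == "__main__":
    for row in triage(SCAN_OUTPUT):
        print(row)
```

A signature that fires on installers from several unrelated vendors is a candidate for a false-positive report; a `PUA.` name would instead point at the `--detect-pua` setting discussed earlier in the thread.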
jimimaseye


Joined: 04 Jan 2014
Posts: 95
jimimaseye wrote:
Another week, another list of false positives, the usual suspects declared dodgy but as it's another week all yet again with different Virus names. All of these are within 'installation' sets of genuine programs. So I tried the suggestion above.

\hMailserver\hMailServer-5.4.2-B1964.exe: Win.Adware.Eorezo-528 FOUND
\hMailserver\hMailServer-5.6.4-B2283.exe: Win.Adware.Eorezo-528 FOUND
\HP CM1410 Printer Driver\CM1410Series_FN_Full_Solution\Setup\Core\Marketsplash\Marketsplash-setup.msi: Win.Trojan.Agent-971646 FOUND
\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND (this is a standalone McAfee Virus removal program)
\SpamAssassin\SpamAssassinForWindows-Setup34030.exe: Win.Trojan.Application-1470 FOUND

And so, as discussed, I set about checking them with Virustotal first to look up the TYPE of virus Clam thinks these are (PUPs, PUAs or other). Waste of time. Virustotal reports 0/55...including Clam! (And yes, that was after a 'reanalyse').
.
.
.
So, what next? Well I have uploaded them using http://www.clamav.net/reports/fp to see if they get reverted.

This drive is scanned every night so we will see how responsive they are at removing FPs using this method alone.

UPDATE: 8 days later and they are all still being detected every night. I have re-uploaded them to the ClamAV false positive report page.

Monitoring will continue...

(They really are sh1te, aren't they. And there isn't even a place to vent my disappointment with them as they don't seem to offer an easily available forum).
Sudden malware or false positives?
Page 2 of 7  