ClamWIN didn't catch virus files that ClamAV did
ebohatch


Joined: 08 Mar 2016
Posts: 4
Location: Tennessee
I have a website and my host used ClamAV and detected 11 files with infected code. I downloaded the website to my Win 10 desktop (I run Xampp on it) and scanned the directory of this site. ClamWIN did not flag ANY infections.

Am I missing something?
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Hello ebohatch.

Did you make sure that both ClamWin and ClamAV are using the most up-to-date signatures? If not, please update both of them and run a scan again and then report back here.

Thank you for using ClamAV and ClamWin.
ebohatch


Joined: 08 Mar 2016
Posts: 4
Location: Tennessee
My web hosting runs ClamAV, I assume they are running the latest (they ran it yesterday morning and found numerous infections).
On my desktop system ClamWin just updated its DB.
I am running ClamWin 0.99 (uploaded and installed yesterday); the About ClamWin lists the following:
ClamAV 0.99
Protecting from 4298780 Viruses
Virus DB Version: (main: 55; daily:21455)
Updated 16:37 08 Mar 2016


I just ran this against the website folders with KNOWN infections and it stated 0 infections found.
GuitarBob


Joined: 09 Jul 2006
Posts: 4341
Location: USA
Perhaps the Clam AV detections were false positives that were later corrected by signature. Sometimes Clam AV gets a false positive on a file in the Windows folder but ClamWin has some protection against this. See if you can update a couple of those known infections to Virus Total and see what the AVs there say--especially Clam AV.

I secretly suspect there is some Clam AV signature detection capability that is not in ClamWin, but so far we haven't proven anything.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Even if that was the case, Bob, ClamWin would have still detected them and marked them as false positives. Even if they are just false positives, this still proves that there is missing functionality in ClamWin.
ebohatch


Joined: 08 Mar 2016
Posts: 4
Location: Tennessee
I just went to Virus Total and had them scan an infected file. They did not detect anything. BUT IT IS DEFINITELY INFECTED. I can send you the infected script and you can evaluate it.
GuitarBob


Joined: 09 Jul 2006
Posts: 4341
Location: USA
RRK: Perhaps ClamWin processed a corrected update after the Clam AV detections were first made. Nothing would be detected then.

EBO: send a zipped file containing the malware (use password: infected) to rscrogg@gmail.com, and I will look at it. Usually, if something is infected, at least one of the AVs on Virus Total should detect it--unless it is very new. The older it is, the more AVs should detect it. Of course, most AVs do a better job at detecting Windows PE file malware than they do the other stuff--JS, Office, HTML, etc.

Regards,
ebohatch


Joined: 08 Mar 2016
Posts: 4
Location: Tennessee
Sent you the zipped file. I just re-ran the script at Virus Total, mis-read how it works. There are now 3 sites that have flagged it.
But ClamWin still doesn't flag it.
GuitarBob


Joined: 09 Jul 2006
Posts: 4341
Location: USA
Yes, I sent you an email with my results. Clam AV doesn't detect it. Dr. Web, Ikarus, and Microsoft detect it. ClamWin doesn't detect it because Clam AV doesn't detect it--appears there is no Clam AV signature for it yet. It appears to be a new file. Most AVs don't do well at detecting PHP malware. I'm sure more AVs will start detecting it in a little while. You can send it to Clam AV maybe to speed things up.

Regards,