Never gotten a virus in this folder, Afraid to delete etc
darthkringle


Joined: 28 Feb 2010
Posts: 5
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND


Is this a false positive? Thanks everyone
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
It very well could be a false positive. The Clam AV scan engine/signatures we use are designed primarily for Linux email servers, where false positives on Windows files are not even considered. I have only seen 1 virus in the WinSxS folder in the 5 years I was at Clam AV. What does your other antivirus program say about this file? You should be using a real-time antivirus along with ClamWin, using ClamWin as a backup scanner.

Best way to tell is to upload the file to Virus Total at https://www.virustotal.com/#/home/upload on the web and see what about 60 other AVs say about it. I like to see at least 2 of these AVs detect something before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos.

Thanks for using ClamWin!

Regards,
darthkringle


Joined: 28 Feb 2010
Posts: 5
Wow thanks so much. Here is what the upload said for the other sites: basically only clamwin calls it a virus.

darthkringle


Joined: 28 Feb 2010
Posts: 5
So if ClamWin is the only one finding it, do I just ignore it?
aggravated


Joined: 08 Oct 2017
Posts: 4
I am quite sure they are false positives. I just had the same two files detected by Immunet, which uses Clam. You can't even readily upload these files to VirusTotal, since Windows does its best to deny access to them. There are ways around that, but I can't be bothered. I'm certain enough that they are FPs to take my chances.
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
If you have a false positive, you shouldn't ignore it. Since you scanned it on Virus Total and Clam AV was the only AV to detect it, Virus Total will tell Clam AV about it so they can correct their signature. Clam AV will eventually correct it (usually), but it will still be falsely detected on your computer. Here's what to do:

If the program was falsely quarantined by ClamWin, you need to restore it with the QRestore program in the ClamWin\bin directory. After restoring it, you need to exclude it from future scans by using Preferences, Filters, Exclude Matching filenames. Check the ClamWin Help file for information about restoring a file. Get back to us here if you need additional help restoring. You can occasionally check the file with Virus Total again to see when/if Clam AV has corrected their signature and delete the excluded file from ClamWin's Exclude Matching Filenames when it does.

Regards,
aggravated


Joined: 08 Oct 2017
Posts: 4
I'm using Immunet, which uses (in part) ClamAV. I've submitted both files to Immunet and uploaded them each to VirusTotal as well:

https://www.virustotal.com/en/file/ffeec8af2fcb27b713837c744057a6e0304529b4ea80427df2bd2414b6bd6309/analysis/1507511907/
https://www.virustotal.com/en/file/de42506fa988cbfd7e8184b875eb54160cd8043f72af94d59c1857493812154b/analysis/1507511913/

As a workaround, I excluded the entire "C:\Windows\WinSxS\Temp" and "C:\Windows\WinSxS\FileMaps" folders from Immunet. Overkill, yes, but I'm not a fan of FPs.
darthkringle


Joined: 28 Feb 2010
Posts: 5
Yep I uploaded and submitted directly to ClamWin for their False Positives.
Re: Never gotten a virus in this folder, Afraid to delete et
antec20


Joined: 20 Oct 2017
Posts: 4
darthkringle wrote:
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND


Is this a false positive? Thanks everyone



I too have Windows 10; I have Win 10 Pro 64-bit.

These two files I'm able to upload to virustotal.com, and the only product finding this is the ClamAV engine.

I run ESET Smart Security (paid program)
and Malwarebytes Premium (paid program).

Since I can't email ClamWin support directly, I have to rely on these forums.

I was trying to email ClamWin support directly to let them know it could be a false positive and to please correct it.
Re: Never gotten a virus in this folder, Afraid to delete et
antec20


Joined: 20 Oct 2017
Posts: 4
darthkringle wrote:
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND


Is this a false positive? Thanks everyone


antec20 wrote:

I too have Windows 10; I have Win 10 Pro 64-bit.

antec20 added some more info:

Forgot to mention: this is using the retail Microsoft Media Creation Tool to burn the .iso to a DVD-R disc,
and also the retail Win 10 Pro 64-bit USB flash drive.

This is using both the Media Creation Tool multiple times to create new DVD-R discs and reformat/reinstall Win 10 Pro 64-bit retail,

and just using the retail USB flash drive Win 10 Pro 64-bit multiple times.


I'd hate to think that the Microsoft Media Creation Tool and the retail USB flash drive Win 10 Pro 64-bit carried a trojan of some kind.
Anyway, I hope this gets cleared up soon.
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
If Clam AV is the only scanner on Virus Total (or any other online scanner), it is about a 99.9% certainty that it is a false positive. Virus Total will inform Clam of the false positive, but it might speed things up at Clam AV if you report it also and reference the Virus Total scan.

I like to see at least 2 of these AVs detect malware in a file before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos. They are all good AVs with a large user base, and they use their own scan engine (not an engine licensed from some other AV company). Keep in mind, however, that new malware might not be detected for a few days.

Regards,
aggravated


Joined: 08 Oct 2017
Posts: 4
I just checked both files anew on VirusTotal, and both are still being incorrectly detected as Win.Trojan.Emotet-6340301-0. But I guess it has only been two weeks.
GuitarBob


Joined: 09 Jul 2006
Posts: 4266
Location: USA
Since ClamWin uses the Clam AV scan engine and virus signatures, you should send them all false positives at http://www.clamav.net/contact on the web. From this page you can upload a virus file that is undetected or a file that is falsely detected--click the correct option. It may take Clam AV a while to correct a false positive. Cisco now owns Clam AV, and since Clam AV is a free product, no one works on it full-time for signature preparation or signature correction.

Until Clam AV corrects a false positive, you can whitelist/exclude a file from detection by ClamWin via menu Preferences, Filters, Exclude Matching Filenames. Click the box, write in the filename and extension (like notepad.ext) or the entire directory listing (like C:\Windows\System32\notepad.exe), and click okay.

Regards,
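The advice in this thread comes down to three steps: read the ClamWin "FOUND" lines, check the flagged files against VirusTotal, and then exclude confirmed false positives until Clam AV fixes the signature. The script below is an added example (not ClamWin's code and not something any poster wrote) that automates the first two steps and shows a tighter alternative to the folder exclusions aggravated used: it hashes each flagged file and looks it up on VirusTotal by SHA-256 instead of uploading it (which also sidesteps the access-denied problem on WinSxS files), and it allow-lists by hash rather than by path, so a genuinely malicious file dropped at the same path would still be reported. The two allow-listed hashes are the SHA-256 values in the VirusTotal links aggravated posted; the `/gui/file/<sha256>` URL form and the sample file contents in `demo()` are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile

# A ClamWin/clamscan report prints one line per file; only "FOUND" lines carry
# a signature name, e.g.  C:\path\file: Win.Trojan.Emotet-6340301-0 FOUND
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# The two report lines from the first post plus a constructed clean "OK" line.
SAMPLE_REPORT = r"""
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\System32\notepad.exe: OK
"""

# SHA-256 values taken from the VirusTotal links posted in this thread for the
# two FileMaps files. Allow-listing by hash is tighter than excluding a folder:
# a different file at the same path hashes differently and is still reported.
KNOWN_FALSE_POSITIVES = {
    "ffeec8af2fcb27b713837c744057a6e0304529b4ea80427df2bd2414b6bd6309",
    "de42506fa988cbfd7e8184b875eb54160cd8043f72af94d59c1857493812154b",
}

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_report(text):
    """Return (path, signature) tuples for every FOUND line; OK lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FOUND_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_file(path):
    """Stream a file through SHA-256. Returns None when the file cannot be read
    (WinSxS entries are often access-denied even to administrators) or is missing."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    except OSError:  # PermissionError and FileNotFoundError are both OSError
        return None
    return h.hexdigest()


def vt_url(sha256):
    # Assumed URL form for a hash lookup; the thread's links use an older layout.
    return f"https://www.virustotal.com/gui/file/{sha256}"


def triage(report_text, known=KNOWN_FALSE_POSITIVES, hasher=sha256_file):
    """Classify each FOUND hit as known-fp, unreadable, or check (with a VT URL)."""
    results = []
    for path, sig in parse_report(report_text):
        digest = hasher(path)
        entry = {"path": path, "sig": sig, "sha256": digest}
        if digest is None:
            entry["status"] = "unreadable"
        elif digest in known:
            entry["status"] = "known-fp"
        else:
            entry["status"] = "check"
            entry["url"] = vt_url(digest)
        results.append(entry)
    return results


def demo():
    """Run triage on constructed files: an empty file allow-listed by its hash,
    a file with unknown content, and a path that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        fp_path = os.path.join(d, "fp.cdf-ms")
        other = os.path.join(d, "other.bin")
        missing = os.path.join(d, "missing.bin")
        open(fp_path, "wb").close()
        with open(other, "wb") as f:
            f.write(b"hello")
        report = "\n".join(
            f"{p}: Win.Trojan.Emotet-6340301-0 FOUND" for p in (fp_path, other, missing)
        )
        return triage(report, known={EMPTY_SHA256})


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["path"], r.get("url", ""))
```

Feed `triage()` the text of a real ClamWin report to get a list of hits with their hashes: "check" entries carry a VirusTotal URL to open in a browser, "known-fp" entries are ones you have already confirmed, and "unreadable" entries are files Windows would not let the script open, which is the same obstacle aggravated hit when trying to upload them.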
antec20


Joined: 20 Oct 2017
Posts: 4
GuitarBob wrote:
If Clam AV is the only scanner on Virus Total (or any other online scanner), it is about a 99.9% certainty that it is a false positive. Virus Total will inform Clam of the false positive, but it might speed things up at Clam AV if you report it also and reference the Virus Total scan.

I like to see at least 2 of these AVs detect malware in a file before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos. They are all good AVs with a large user base, and they use their own scan engine (not an engine licensed from some other AV company). Keep in mind, however, that new malware might not be detected for a few days.

Regards,


I installed Windows update 1709, or the Fall Creators Update, for Windows 10 64-bit on 2 PCs. The two files aren't detected on update 1709 anymore, only in windows.old [Creators Update or update 1703]. So once a person has determined they no longer need windows.old [Creators Update or update 1703] and gets rid of it (Disk Cleanup is one way), ClamWin will no longer find the Win.Trojan.Emotet with just the Windows 10 Fall Creators Update installed.

Just some FYI for everyone.
aggravated


Joined: 08 Oct 2017
Posts: 4
I had it detect two copies of user32.dll as the Fall Creators Update (1709) was being downloaded (FPs, of course, as usual). That's when I decided to uninstall it. Not the update; the AV.
Page 1 of 2  