Win.Trojan.Agent FOUND - Windows Preinstallation Environment
davehatpec


Joined: 01 Feb 2017
Posts: 6
Not sure what this is, why it's returning FOUND for Trojans, or whether I should try to remove them or how exactly:

(edited from Notepad++)
Search "FOUND" (21 hits in 1 file)
Line 3: Line 15: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 4: Line 17: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\lp.cab: Win.Trojan.Agent-5596042-0 FOUND
Line 5: Line 19: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 6: Line 21: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 7: Line 23: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 10: Line 1565: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 11: Line 1567: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\lp.cab: Win.Trojan.Agent-5596042-0 FOUND
Line 12: Line 1569: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 13: Line 1571: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 14: Line 1573: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 17: Line 3115: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 18: Line 3117: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\lp.cab: Win.Trojan.Agent-5596042-0 FOUND
Line 19: Line 3119: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 20: Line 3121: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 21: Line 3123: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 24: Line 4698: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 25: Line 4700: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\lp.cab: Win.Trojan.Agent-5596042-0 FOUND
Line 26: Line 4702: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
Line 27: Line 4704: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\de-de\WinPE-WDS-Tools_de-de.cab: Win.Trojan.Agent-6163993-0 FOUND
Line 28: Line 4706: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\sv-se\WinPE-SRT_sv-se.cab: Win.Trojan.Agent-5592516-0 FOUND
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
If you have more than a couple of detections for the same virus, it is very likely to be a false positive detection. Did ClamWin quarantine or remove the file(s) involved? ClamWin has some protection for false positive detections of important Windows files. If you still have the files, I suggest that you upload a couple of them (one at a time) to Virus Total and see whether the 60 or so AVs there see a virus in them. If Clam AV (ClamWin uses the Clam AV scan engine/virus signatures) is the only AV detecting them, Virus Total will send the files to Clam AV so they can correct their false signatures. This might take a while though. You may be able to speed it up a little if you send the same files to Clam AV at http://www.clamav.net/contact on the web. Be sure to select the False Positive report option.

If the false detection(s) is a problem for you, you can exclude/whitelist the files (or their folder) in ClamWin's Tools, Preferences, Filters, Exclude Matching Filenames option. Check the ClamWin Help, Manual menu.
Thanks for using ClamWin!

Regards,
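An added example, not part of the thread and not ClamWin's own code: a small Python triage of the scan report quoted in the first post, collapsing repeated `FOUND` lines into unique files per signature so that one file per signature can be checked on Virus Total before anything is removed. The sample log is constructed from the paths and signature names shown in that post; the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Matches the report line "<path>: <signature> FOUND" and tolerates the
# "Line N: " prefixes that the Notepad++ search added in the post.
FOUND_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?): (?P<sig>\S+) FOUND\s*$")

def triage(log_text):
    """Return {signature: sorted unique file paths} for every FOUND line."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            hits[m["sig"]].add(m["path"])
    return {sig: sorted(paths) for sig, paths in hits.items()}

def summarize(hits):
    """One row per signature: (signature, unique file count, file names)."""
    rows = []
    for sig, paths in sorted(hits.items()):
        names = sorted({PureWindowsPath(p).name for p in paths})
        rows.append((sig, len(paths), names))
    return rows

# Constructed sample: the five distinct hits from the post, repeated four
# times to mimic the same report being appended by successive scans.
KIT = (r"C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit"
       r"\Windows Preinstallation Environment")
SAMPLE_HITS = [
    ("amd64", "de-de", "WinPE-WDS-Tools_de-de.cab", "Win.Trojan.Agent-6163993-0"),
    ("amd64", "sv-se", "lp.cab", "Win.Trojan.Agent-5596042-0"),
    ("amd64", "sv-se", "WinPE-SRT_sv-se.cab", "Win.Trojan.Agent-5592516-0"),
    ("x86", "de-de", "WinPE-WDS-Tools_de-de.cab", "Win.Trojan.Agent-6163993-0"),
    ("x86", "sv-se", "WinPE-SRT_sv-se.cab", "Win.Trojan.Agent-5592516-0"),
]
SAMPLE_LOG = "\n".join(
    f"Line {n}: {KIT}\\{arch}\\WinPE_OCs\\{lang}\\{name}: {sig} FOUND"
    for n in range(4) for arch, lang, name, sig in SAMPLE_HITS
)

if __name__ == "__main__":
    for sig, count, names in summarize(triage(SAMPLE_LOG)):
        print(f"{sig}: {count} unique file(s): {', '.join(names)}")
```

On the sample, the 20 report lines reduce to 5 files under 3 signatures, which is the short list worth uploading or excluding.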
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
I have submitted some of these false positives to ClamAV at least twice in the last few months. I have given up on ClamAV fixing them and have just excluded the entire folder. Notice the date on one of my VirusTotal submissions: https://www.virustotal.com/#/file/be9009c54c478b87277a8d4d5b019821d8b017f86ab48b0e5cea4f02a76bb011/detection

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Thanks for the info, Lipper. I don't know what's wrong at Clam AV now. They are supposed to get a feed from Virus Total when they have a false positive to aid in correction, but they appear not to have anyone working on Clam AV at any time now. I see that they have not even updated their blog about their problem with updates from several weeks ago.

All we can do with ClamWin is exclude/whitelist the file/folder for false positives and check the file with Virus Total every week or so to see when/if Clam AV corrects their signature. I hope every ClamWin user who can is using a real-time AV for primary protection with ClamWin as backup only. I have stopped my scheduled scanning due to false positives.

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Greetings Bob, and thank you for your comments. Yes, it is a mystery why ClamAV hasn't yet addressed these false positives. In order to rule out a difference in scan engines between .99.1 and .99.2, I scanned my Win 7 partition from Linux with ClamAV .99.2 installed. There was no difference in detection.

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Clam AV has apparently started fixing these FPs. Scanning with DB 24147, I now only have two remaining FPs in the (Win 7) Windows Kits folder which are:

WinPE-SRT_sv-se.cab (amd64 folder)
https://www.virustotal.com/en/file/4798e5212f9fa950e9190d12fb4029fb47962ce77a83371745f20556886ded41/analysis/1513818034/

WinPE-SRT_sv-se.cab (x86 folder)
https://www.virustotal.com/en/file/17d7dff2f77230f06c46ccfdf1238b1b03da30aff112eae6e5bad895187f6918/analysis/1513817964/

If not corrected in one week, I will resubmit these last items.

Lipper
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
It might take Clam AV much longer to correct the remaining FPs, Lipper. I think they will get to it eventually--that folder is pretty important.

Merry XMAS to you!

Regards,
Lipper


Joined: 31 Oct 2010
Posts: 123
Location: USA
Yes, you may be right. Thank you for the holiday greeting, and the same to you and yours.

As ever,
Lipper