Not finding data on these supposed trojans...
davebit


Joined: 18 Jan 2016
Posts: 46
Location: America
A scan the other day quarantined these files... but I'm not finding info on the specified trojans and I don't know if I actually need these files (if they're false positives):

C:\ProgramData\Adobe\ARM\Reader_18.009.20050\AcroRdrDCUpd1801120036.msp: Win.Trojan.Fb0906a-6855739-0 FOUND
C:\Users\All Users\Adobe\ARM\Reader_18.009.20050\AcroRdrDCUpd1801120036.msp: Win.Trojan.Fb0906a-6855739-0 FOUND

One of them was not in the quarantined folder even though its AcroRdrDCUpd1801120036.msp.infected.txt was...

I'm not sure what to think of this. I want ClamWin to quarantine malware but if they're false positives and something needs them... right now I can't even tell that.
GuitarBob


Joined: 09 Jul 2006
Posts: 4513
Location: USA
Were the files quarantined by ClamWin or by Clam Sentinel?

If I see anything quarantined or mentioned as being quarantined, I always check the file on Virus Total. If the file is infected, I delete it from quarantine. If it is a false positive detection, I whitelist it in ClamWin/Clam Sentinel (you don't have to whitelist Clam Sentinel heuristic detections (no virus name) in ClamWin) and restore the file. I send a copy of all infected files to Clam AV. Clam AV signatures get more false positives than most AVs.

Once in a while I find a text file in quarantine but no actual file. I suppose that ClamWin/Clam Sentinel couldn't control the file for some reason (file open or some other reason).

As for info on malware, do an online search on the malware name/MD5 hash (from Virus Total or your own hasher).

Regards,
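Added example, not from the thread or from ClamWin itself: a small Python triage script that parses the "<path>: <signature> FOUND" lines quoted above from a ClamWin scan log, hashes whatever is still on disk (the original file, else its quarantined copy), and builds the same kind of Virus Total link the poster later pasted. The quarantine layout it assumes (copy keeps the original file name; marker is <name>.infected.txt) is taken from the first post and is an assumption, and the sample files it creates are constructed, not real Adobe data.

```python
import hashlib
import os
import re
import tempfile

# ClamWin log detection line: "<path>: <signature> FOUND" (as quoted in the thread)
DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\s*$")

def parse_scan_log(text):
    """(path, signature) for every FOUND line; OK/summary lines are skipped."""
    return [(m.group("path"), m.group("sig"))
            for m in map(DETECTION_RE.match, text.splitlines()) if m]

def sha256_of(path):
    """Chunked SHA-256 of a file, or None if it is missing/locked."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None

def triage(log_text, quarantine_dir):
    """Hash each detection (original, else quarantined copy); flag the 'marker but no
    sample' case. Assumes copy keeps its name and marker is <name>.infected.txt."""
    out = []
    for path, sig in parse_scan_log(log_text):
        name = os.path.basename(path)
        digest = sha256_of(path) or sha256_of(os.path.join(quarantine_dir, name))
        marker = os.path.exists(os.path.join(quarantine_dir, name + ".infected.txt"))
        out.append({"path": path, "signature": sig, "sha256": digest,
                    # same URL shape as the Virus Total link pasted in the thread
                    "lookup": f"https://www.virustotal.com/#/file/{digest}" if digest else None,
                    "marker_only": digest is None and marker})
    return out

def build_sample_case():
    """Constructed sample (no real Adobe data): one file present, one with only
    its .infected.txt marker left behind. Returns (log, quarantine_dir, digest)."""
    root = tempfile.mkdtemp()
    qdir = os.path.join(root, "quarantine")
    os.mkdir(qdir)
    present = os.path.join(root, "AcroRdrDCUpd1801120036.msp")
    data = b"constructed placeholder bytes, not an MSP"
    with open(present, "wb") as f:
        f.write(data)
    open(os.path.join(qdir, "AcroRdrDCUpd1801120036.msp.infected.txt"), "w").close()
    log = (f"{present}: Win.Trojan.Fb0906a-6855739-0 FOUND\n"
           f"{os.path.join(root, 'gone', 'AcroRdrDCUpd1801120036.msp')}: "
           "Win.Trojan.Fb0906a-6855739-0 FOUND\n")
    return log, qdir, hashlib.sha256(data).hexdigest()
```

A detection whose result has `marker_only` set is the "text file in quarantine but no actual file" case from the reply: there is nothing left to hash locally, so the lookup has to be done from the hash of the original file if it is still available elsewhere.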
davebit


Joined: 18 Jan 2016
Posts: 46
Location: America
I'm not sure what you mean by Clam Sentinel... I installed the latest ClamWin, I keep it up to date, and it runs a scheduled scan. The results are from its scan log file.

The files are back so I uploaded them to VirusTotal scan from C:\ProgramData\Adobe\ARM\Reader_18.009.20050\AcroRdrDCUpd1801120036.msp - and it says clean but with a split community rating and this comment:

https://www.virustotal.com/#/file/e7bf7c0409f4deb645abae632a925da59493bb8d45f2c861641e87be17992d0b/community

So you tell me whether ClamWin is right that I have a trojan or that it's just a false positive...

C:\Users\All Users\Adobe\ARM\Reader_18.009.20050\AcroRdrDCUpd1801120036.msp says the same thing.

What the same file and folders are doing in C:\ProgramData or C:\Users\All Users, I don't know, but I merely installed Adobe Reader as normal (yes, I know it was from the verified site), even through full uninstalls and reinstalls or just reinstalls (rebooting each time, of course)... maybe you know something about Adobe I don't?

Anyway, I don't want to whitelist something that ClamWin might be right about, partly because of the strange redundancy, and I may just fully uninstall Adobe Reader and delete all of its folders... but the most flags I've gotten from ClamWin are Adobe files (usually Reader), so maybe you can tell me something about this?
GuitarBob


Joined: 09 Jul 2006
Posts: 4513
Location: USA
Clam Sentinel is a separate project that adds a real-time front end to ClamWin. The project has been discontinued, and Clam Sentinel is now out-of-date.

If Clam AV does not detect a file on Virus Total but ClamWin does detect the file on your local machine, this is a false positive--probably caused by the ClamWin source code being out of date with the latest Clam AV code. I have seen this a few times lately. All we can do is whitelist the file in ClamWin. I have told the developers about this, but they have not yet updated ClamWin.

I just ignore those community comments on Virus Total--they are sometimes seeded by virus makers trying to make their file look benign.

If Clam AV is the only AV detecting a file on Virus Total as malicious, that is a false positive also.

Perhaps that Adobe file that was not quarantined by ClamWin was in use on your machine and ClamWin could not do anything with it.

Please use a real-time AV with ClamWin as your primary AV. The Clam AV engine used by ClamWin is primarily designed for Linux email servers, and they do not get the depth/breadth of malicious files most Windows users might encounter. Keep ClamWin as a backup scanner. If the ClamWin developers do not get on the ball, ClamWin will soon be out-of-date, if it is not already so.

Regards,