ClamWin Free Antivirus
Support and Discussion Forums
Virtual CloneDrive - only ClamWin detects malware?
davebit


Joined: 18 Jan 2016
Posts: 46
Location: America
https://www.virustotal.com/#/file/cd56643dc3a657ad83b8edbe9f607a572643db0d7ea7376bb86b569c38f82cee/detection

ClamAV is the only one that detects anything, as: Win.Virus.Sality-6830151-0

Original file download name is: SetupVCD5500.exe

Original download link is: https://www.elby.ch/download/SetupVCD.exe

Webpage hosting the download button: https://www.elby.ch/en/products/vcd.html

File version number is 5.5.0.0

There are some interesting stats on that VirusTotal page when I click into Details, Relations, Behavior, and Community... though I don't understand them all. Are there indications there that Virtual CloneDrive is doing something bad? Or is ClamWin just identifying it as a false positive? I'd really like to use the product again on my Windows reinstall.
GuitarBob


Joined: 09 Jul 2006
Posts: 4513
Location: USA
Whenever Clam AV is the only AV detecting a file as malicious, it is almost certain that the detection is a false positive. I think you should know that by now, Dave.

When I was sigmaking at Clam AV, they got a lot of FP detections on Sality versions. They tended to get a signature for some code that was used by lots of "good" files--especially Windows OS type files. This eventually led to ClamWin developing the FP protection of important Windows files that you sometimes see and the related QRecover utility to restore files from quarantine. It looks like Clam AV sigmaking has not changed much from when I left it in 2014. At least one of the sigmakers from back then is still there.

You can reinstall ClamWin, but you should use a real-time AV for primary protection and keep ClamWin as a backup scanner. I guess it could still detect something no other AVs do, but 99.9 times out of a hundred, it will be a false positive.

Regards,
davebit


Joined: 18 Jan 2016
Posts: 46
Location: America
GuitarBob wrote:
Whenever Clam AV is the only AV detecting a file as malicious, it is almost certain that the detection is a false positive. I think you should know that by now, Dave.


Not necessarily; maybe you didn't review the Community tab on that VirusTotal link I provided, but one person marked it unsafe and there are several malware scan reports for it (with HybridAnalysis giving it a falcon-threatscore of 85/100). There's a lot of detail you can go into with those scans if you research them, a lot of it enough to cause concern, but since ClamWin is the only one STILL reporting a problem (a false positive, as you say I should already know), there's still a good reason for my post. My concern is especially with free software, and even more so if it isn't signed with Microsoft.

Since you don't know what I know, you don't know what I should know either, so no point in that condescending comment. Useful information is what I expect here, not judgments based on assumptions.

GuitarBob wrote:
When I was sigmaking at Clam AV, they got a lot of FP detections on Sality versions. They tended to get a signature for some code that was used by lots of "good" files--especially Windows OS type files. This eventually led to ClamWin developing the FP protection of important Windows files that you sometimes see and the related QRecover utility to restore files from quarantine. It looks like Clam AV sigmaking has not changed much from when I left it in 2014. At least one of the sigmakers from back then is still there.


Thank you for this useful bit of information. I'm not sure why reporting the false positive to ClamWin hasn't cleared up this issue yet.

GuitarBob wrote:
You can reinstall ClamWin, but you should use a real-time AV for primary protection and keep ClamWin as a backup scanner. I guess it could still detect something no other AVs do, but 99.9 times out of a hundred, it will be a false positive.


I use Microsoft Security Essentials, and then sometimes install a random freeware malware scanner, or run a disc boot scanner with ethernet. It's really surprising the different things these tools find without finding the same things, and I wonder how many of these free scanners have unwanted mal/spy/ad/whateverware on them, like all of the tech news articles I've read about Avast, AVG, Kaspersky, Comodo, etc., stating the consumer-unfriendly things they run on the computer or the information they collect without consent or notification.

99.9 times out of a hundred leaving your door unlocked may not result in a robbery, but was that .1 time worth losing stuff? Not for me, but I'm not trying to unlock my home or car to install a virtual disc drive... I'm just trying to determine if this software is actually safe to use, and right now the jury is still out... .1% of them is saying no, so for now I'll hold off, but I'd really like to know what exactly is causing the red flag or unverified "false positive".

GuitarBob wrote:
Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 4513
Location: USA
It's hard to say why an AV detects something as a false positive. Sometimes they are in too much of a hurry and get a quick signature for a bit of code that was used in a malware that can also be used by "good" software as well. Clam AV has a false positive "farm" of "good" programs that each new signature is checked against, and I'm sure other AVs do this as well. However, Clam AV did not have enough programs on their "farm" when I was there, and I suspect it is still the same. Sometimes a new malware can slip by despite all the detection capability that an AV has.

Regards,
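The "false positive farm" GuitarBob describes, vetting a candidate signature against known-good files before publishing it, as an added illustration that is not ClamAV's code or anything from this thread. It uses a simplified ClamAV-style hex body signature (`??` for one byte, `*` for any run) and constructed byte strings in place of real executables; `fp_farm_check`, `HASTY_SIG` and `SPECIFIC_SIG` are names assumed here.

```python
import re

# Simplified ClamAV-style hex body signature: pairs of hex digits, "??" for any
# single byte and "*" for any run of bytes. Real .ndb/.ldb syntax has more
# operators; this is an illustration, not ClamAV's matcher.
def hex_sig_to_regex(sig: str) -> re.Pattern:
    tokens = re.findall(r"\*|\?\?|[0-9a-fA-F]{2}", sig)
    if "".join(tokens) != sig:
        raise ValueError(f"malformed signature: {sig!r}")
    parts = []
    for tok in tokens:
        if tok == "*":
            parts.append(b".*?")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

def fp_farm_check(sig: str, sample: bytes, clean_corpus: dict) -> dict:
    """Vet a candidate signature: it must hit the malware sample and must not
    hit any file in the known-good corpus (the 'farm')."""
    pat = hex_sig_to_regex(sig)
    detects = pat.search(sample) is not None
    hits = sorted(name for name, data in clean_corpus.items() if pat.search(data))
    return {"detects_sample": detects, "fp_hits": hits,
            "publishable": detects and not hits}

# Constructed stand-ins for binaries, not real files. The x86 prologue
# "push ebp; mov ebp, esp; sub esp, N" appears in almost every compiled
# Windows program, which is exactly the kind of shared code a rushed
# signature can latch onto.
PROLOGUE = bytes.fromhex("558bec83ec")
SAMPLE = PROLOGUE + b"\x40" + b"\x00" * 16 + b"CONSTRUCTED-MALWARE-MARKER"
CLEAN_CORPUS = {
    "notepad_like.exe": PROLOGUE + b"\x10" + b"Microsoft constructed clean sample",
    "setupvcd_like.exe": PROLOGUE + b"\x20" + b"Elaborate Bytes constructed clean sample",
    "random_tool.exe": b"MZ" + b"\x90" * 8 + b"no prologue here",
}

# Hasty signature built only from the shared prologue: flags the clean farm.
HASTY_SIG = "558bec83ec??"
# Signature anchored on bytes unique to the sample: passes the farm.
SPECIFIC_SIG = "558bec83ec??*" + b"CONSTRUCTED-MALWARE".hex()

if __name__ == "__main__":
    print(fp_farm_check(HASTY_SIG, SAMPLE, CLEAN_CORPUS))
    print(fp_farm_check(SPECIFIC_SIG, SAMPLE, CLEAN_CORPUS))
```

A signature that hits every file with a common prologue is rejected before release; one that also requires bytes specific to the sample goes through, which is the check that catches the Sality-style false positives described above.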
davebit


Joined: 18 Jan 2016
Posts: 46
Location: America
Thank you.