Still get false positive?
jeffjewitt
Joined: 27 Apr 2009
Posts: 0
Location: Claveland, OH
Posted: Tue Oct 27, 2009 3:26 pm
I switched to a different AV engine several months ago. Re-installed C/W yesterday and still get this, which was a false positive mentioned in a thread several months ago.
C:\WINDOWS\Installer\5a2172e.msp: W32.Virut.Gen.D-159 FOUND
It's too big a file to check out, so I'll just ignore it, but is it OK to delete or quarantine one of the "installer" files?
Jeff
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Oct 27, 2009 11:29 pm
You might get an MD5 hash of the file, if you have a hasher program, and see what Google says about the hash to verify it's OK. Also, Jotti/VirusTotal may take a larger file, and they will give you a hash. If it's a false positive, you can exclude it from scanning in ClamWin's Filters Preferences (c:\directory\subdirectory\filename.extension). Clam needs to know to drop the false signature, however.
Regards,
jeffjewitt
Joined: 27 Apr 2009
Posts: 0
Location: Claveland, OH
Posted: Wed Oct 28, 2009 3:03 pm
"see what Google says about the hash"
How do I do that?
I downloaded MD5 and check hash, but how do I compare my stored file with another version?
Sorry - but file hashes are something new to me.
Jeff
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Oct 28, 2009 3:25 pm
I would just "paint" the hash and paste it in a Google search. You should leave off the 0x if it has that. If something is "bad," a hash search will sometimes give you more info.
You can also upload the file to ThreatExpert at https://www.threatexpert.com/submit.aspx on the web for a detailed run-time analysis. A hash search will often lead you to ThreatExpert anyway if it is "bad."
Regards,
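The two replies above describe the procedure by hand: hash the file, strip any 0x prefix, then compare the hex string against whatever a search or a scanning service reports. The script below is an added example written for this thread; it is not code from the ClamWin project or from either poster, and the tool names, function names and the constructed sample inputs are mine. It reads the file in fixed-size chunks, so an installer package far larger than the upload limits of the web services can still be hashed on the local machine, and it normalises both digests before comparing so a pasted "0xB5E0..." and an all-lower-case copy of the same value compare equal.

```python
"""
Added example (not from the ClamWin thread or the ClamWin project): hash a
file in chunks, tidy up a hash string copied from a web page or a hashing
tool, and compare the two. Only the Python standard library is used.
"""
import hashlib
import hmac
import io
import sys

# 1 MiB reads keep memory flat even on a multi-gigabyte .msp/.msi package.
CHUNK_SIZE = 1024 * 1024

# Length of the hex digest tells you which algorithm produced it.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=CHUNK_SIZE):
    """Read a binary stream once and feed every requested digest in parallel.
    Returns {algorithm: lowercase hex digest}."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data, algorithms=("md5", "sha256"), chunk_size=CHUNK_SIZE):
    """Same as hash_stream, for data already held in memory (used by the tests)."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=CHUNK_SIZE):
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms, chunk_size)


def normalize_hash(text):
    """Canonicalise a digest pasted from a tool or a web page: strip
    whitespace and an optional 0x prefix, lower-case it, and reject anything
    that is not hex of a known digest length."""
    h = text.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a recognised hex digest: %r" % text)
    return h


def hashes_match(actual, expected):
    """True if two digests of the same algorithm are equal. Both sides are
    normalised first, so case and a 0x prefix do not cause a false mismatch;
    digests of different lengths are a usage error, not a mismatch."""
    a, e = normalize_hash(actual), normalize_hash(expected)
    if len(a) != len(e):
        raise ValueError("comparing %s to %s" % (ALGO_BY_HEX_LEN[len(a)], ALGO_BY_HEX_LEN[len(e)]))
    return hmac.compare_digest(a, e)


def verify_file(path, expected):
    """Choose the algorithm from the expected digest's length and check the file."""
    e = normalize_hash(expected)
    algo = ALGO_BY_HEX_LEN[len(e)]
    return hashes_match(hash_file(path, (algo,))[algo], e)


if __name__ == "__main__":
    # Usage: python hashcheck.py <file> [expected-digest]
    # With one argument it prints MD5 and SHA-256; with two it reports a match.
    if len(sys.argv) == 2:
        for name, digest in hash_file(sys.argv[1]).items():
            print("%-7s %s" % (name.upper(), digest))
    elif len(sys.argv) == 3:
        print("MATCH" if verify_file(sys.argv[1], sys.argv[2]) else "MISMATCH")
    else:
        sys.exit("usage: hashcheck.py <file> [expected-digest]")
```

Run it as `python hashcheck.py C:\WINDOWS\Installer\5a2172e.msp` to get both digests, or pass the value a search or a vendor page gave you as the second argument to compare. A matching hash only tells you the file is byte-for-byte the one somebody else looked at; a search that returns nothing, as happened later in this thread, means the hash is simply unknown, not that the file is clean. On a recent Windows system `certutil -hashfile <path> MD5` or PowerShell's `Get-FileHash -Algorithm MD5 <path>` produce the same MD5 without any extra tool.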
jeffjewitt
Joined: 27 Apr 2009
Posts: 0
Location: Claveland, OH
Posted: Wed Oct 28, 2009 4:04 pm
This is the display hash string for that file from MD5
B5E0040F5370B62995C96A677D1C9351
I paste that into a google search box and 0 records come back. That means it's OK?
PS - all the upload sites say the file is too large and they reject it.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Oct 28, 2009 4:16 pm
Well, it means Google couldn't find any references to the hash, so that's a good sign. If you tried ThreatExpert but couldn't upload, upload it to Clam as a false positive starting at https://www.clamav.net/sendvirus/ on the web. Be sure to click on false positive and tell them the name of the false positive virus in the comment block; also check the box to receive a reply after they analyze it. Clam may take larger files than some of the services.
If you are sure it is a false positive, you can temporarily exclude the file from ClamWin scans by including the entire path and filename in ClamWin's Filter preferences. It could take Clam a couple of days to look at the file.
Regards,