ClamWin Free Antivirus Forum Index
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, we need some sort of ability in ClamWin to protect system files. However, system files change very often--look at all the patches Windows has. Every time there is an update/upgrade/patch to a Microsoft product, any "whitelist" becomes obsolete. Your best bet for now is to set ClamWin's Infected Files option to Report Only and temporarily exclude any files that give you a false positive via ClamWin's Configuration, Filters, Exclude Matching Filenames. You may not hear about it, but the large AV companies occasionally have "boo-boos" with false positives also. Last year Norton fried hundreds of thousands of Chinese computers with one signature.

ClamWin AV provides a Windows GUI to Clam AV (designed for use on Linux email servers) so Windows personal computer users can use it. ClamWin uses the Clam scanning engine and signature database. Clam gets 10,000 to 20,000 virus submissions each month, and it has one full-time sigmaker and a small handful of part-timers.

Norton/McAfee probably have a couple of hundred people around the world on their sigmaking effort, and they charge up to $60 or so for each full installation. Outfits like Cisco are using Clam AV for free on hundreds of computers, and ClamWin also has a few businesses that use it on large numbers of computers as well. If anyone wants signature support for Clam AV/ClamWin AV that is equivalent to that of a commercial antivirus company, I suggest they contribute to both. They could use personnel/equipment/software.

Regards,
rsaenh.dll: Zhelatin <-- f/p? Not so sure!
saintgeorge


Joined: 11 Feb 2010
Posts: 0
Location: germany
Hi all,
three days ago, my ClamWin 0.95.3 detected after a complete scan of C:\ (not only memory):
Scan Started Mon Feb 08 18:41:55 2010
C:\WINDOWS\$NtServicePackUninstall$\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND.
A user in Switzerland had just the same detection in the same place, as you can read here: https://www.libellules.ch/phpBB2/trojan-dans-un-plugin-firefox-t34865.html. It was in Windows XP SP3. (I used XP SP2 and updated on January 15 from Microsoft.)
First I removed rsaenh.dll from the Service Pack, then from the folder C:\WINDOWS\system32\ using a KNOPPIX 5.3 Live DVD. Windows does not allow uninstallation of this file. After that, I had to reinstall XP with my Recovery CD, using the "repair" mode in the installation routine.
Two days later, ClamWin reported after a new complete C:\ scan:
Scan Started Wed Feb 10 18:23:20 2010
C:\WINDOWS\system32\dllcache\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND
C:\WINDOWS\system32\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND

So I removed the file again, also from the dllcache, with KNOPPIX and reinstalled again.
Then my system was clean:
Scan Started Wed Feb 10 21:46:42 2010
----------- SCAN SUMMARY -----------
Known viruses: 712082
Engine version: 0.95.3
Scanned directories: 2402
Scanned files: 24176
Infected files: 0

Data scanned: 6912.38 MB
Data read: 6006.88 MB (ratio 1.15:1)
Time: 2245.109 sec (37 m 25 s)
It still is; I made a new complete scan recently.
Although the worm is two years old, it seems to have returned a few days ago, as other requests show, e.g. in
Italy (https://it.answers.yahoo.com/question/index?qid=20100209063315AAvbWyB), Poland (https://technologie.gazeta.pl/technologie/1,82008,7537420,Trojany_w_rozszerzeniach_do_Firefoksa.html) and Indonesia (https://bojalinuxer.blogspot.com/2010/02/download-pcmav-23-terbaru-maret-2010.html); Google returns 98 results for the query 'zhelatin.variants.siggen-1' today, February 11.
So the worm may be a real threat. Perhaps I got it with the download of SP3. It was the only time I used IE in the last months; normally I use Firefox or Opera.
Thanks to the staff of ClamWin for this good program!
regards
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Viruses sometimes use similar code to "good" programs--installers, packers, subroutines, etc. If the virus signature includes that code, the signature may flag good programs in addition to viruses. Most virus files are heavily compressed/packed/obfuscated nowadays, and it's hard for an AV program to get enough readable information for the sigmaker to get a bullet-proof signature. Consequently, sigmakers get what they can--programming code, strings, entry points, file hashes, sectional hashes, obfuscation tricks, you name it. It's not a cut-and-dried endeavor.

Last time I looked, Clam had a .001 false positive rate--that's 1/10th of a percent of total files processed was a false positive.

Regards,
lordpake


Joined: 01 Mar 2009
Posts: 0
@saintgeorge, never take anything at face value. Always have your detections verified at places like VirusTotal etc. ClamWin also detected that file for me in folder scans. So that alone proves nothing.


As for this topic, ClamWin did indeed have a f/p which they have now corrected. My scans show no detections. I am glad I have Clam set to report only.

Anyone still having this detected may very well have real malware.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam AV, which furnishes the scanning engine/signature database used by ClamWin, has a false positive "farm" containing many known "good" files that signatures are processed against before they are released. However, they do not have every version of every system file, and system files change with each Microsoft patch, let alone every version of every Windows application. They need more equipment and more Windows files on the "farm"--both system and app files.

Also, you have to remember that Clam AV is designed for use on Linux email servers. Yes, the viruses found on the servers are primarily Windows viruses designed for email recipients, but all Clam is designed to do is to find the virus on the Linux server--it is not actually concerned with false positive signatures that might spot a virus but might also spot a "good" running Windows file. ClamWin has a certain amount of responsibility for this. Presently, all we users can do is set the Infected Files Option to Report Only. Perhaps this could be done automatically for Windows system files but everything else could be quarantined, if desired by the user, who would still have the responsibility to verify an infection. VirusTotal has a script that can be used to expedite the submission of files to them, and Threat Expert also has something similar for files submitted to them. Perhaps the script(s) could be included in ClamWin to help its users submit flagged system files.

Regards,
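The triage the posters converge on across this thread (keep Infected Files on Report Only, never delete a flagged Windows system file on the strength of one signature, verify it elsewhere first, and treat system-directory hits differently from everything else) can be automated against the clamscan/ClamWin report format shown in saintgeorge's post. The script below is an added example written for this page; it is not ClamWin's or Clam AV's code. The list of protected directories, the SHA-256 comparison of redundant copies, the sample log lines and the stand-in file contents are all assumptions constructed for the demonstration; on a real machine `read_bytes` would read the files from disk.

```python
"""Triage clamscan/ClamWin 'FOUND' lines the way the thread suggests (added example).

System-directory hits are kept report-only and their redundant copies are compared
by SHA-256; anything else becomes a quarantine candidate for the user to verify.
"""
import hashlib
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed list of Windows directories holding protected or redundant copies of
# system binaries. A hit here is a false-positive suspect until verified.
SYSTEM_DIR_MARKERS = (
    "\\windows\\system32\\",                 # also matches system32\dllcache
    "\\windows\\$ntservicepackuninstall$\\",   # pre-service-pack copies (older build)
    "\\windows\\servicepackfiles\\",           # assumption: SP file cache on XP
)
LIVE_COPY_MARKER = "\\windows\\system32\\"    # copies that should be byte-identical

# Report format in the thread: "<path>: <signature> FOUND" (trailing '.' optional).
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\.?$")


@dataclass
class Detection:
    path: str
    signature: str
    is_system_file: bool
    action: str          # "report-only" or "quarantine-candidate"


def parse_found_lines(log_text: str) -> List[Detection]:
    """Extract FOUND lines and decide per path whether quarantine is even on the table."""
    found = []
    for raw in log_text.splitlines():
        m = FOUND_RE.match(raw.strip())
        if not m:
            continue
        path, sig = m.group("path"), m.group("sig")
        is_sys = any(marker in path.lower() for marker in SYSTEM_DIR_MARKERS)
        found.append(Detection(path, sig, is_sys,
                               "report-only" if is_sys else "quarantine-candidate"))
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_system_copies(dets: List[Detection],
                          read_bytes: Callable[[str], bytes]) -> Dict[str, dict]:
    """Hash every flagged copy of each system file name.

    system32 and system32\\dllcache hold the same build and should hash identically;
    if they agree, the signature is matching one legitimate file family (the classic
    false-positive pattern) rather than a single tampered copy. The SP uninstall
    copy is an older build and is expected to differ, so it is hashed but excluded
    from the agreement check. The hash, not the file, is what to look up elsewhere.
    """
    by_name: Dict[str, dict] = {}
    for d in dets:
        if not d.is_system_file:
            continue
        name = ntpath.basename(d.path).lower()
        entry = by_name.setdefault(name, {"signature": d.signature, "hashes": {}})
        entry["hashes"][d.path] = sha256_hex(read_bytes(d.path))
    for entry in by_name.values():
        live = {h for p, h in entry["hashes"].items() if LIVE_COPY_MARKER in p.lower()}
        entry["live_copies_agree"] = len(live) == 1
        entry["distinct_hashes"] = len(set(entry["hashes"].values()))
        entry["lookup_hashes"] = sorted(set(entry["hashes"].values()))
    return by_name


# Constructed sample log: the three paths from the thread plus one non-system hit.
SAMPLE_LOG = """Scan Started Wed Feb 10 18:23:20 2010
C:\\WINDOWS\\system32\\dllcache\\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND
C:\\WINDOWS\\system32\\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND
C:\\WINDOWS\\$NtServicePackUninstall$\\rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 FOUND.
C:\\Documents and Settings\\user\\Desktop\\setup.exe: Win32.Zhelatin.Variants.siggen-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 4
"""

# Constructed stand-in contents for the binaries so the example runs offline.
SAMPLE_FILES = {
    "C:\\WINDOWS\\system32\\dllcache\\rsaenh.dll": b"MZ constructed-rsaenh-sp3",
    "C:\\WINDOWS\\system32\\rsaenh.dll": b"MZ constructed-rsaenh-sp3",
    "C:\\WINDOWS\\$NtServicePackUninstall$\\rsaenh.dll": b"MZ constructed-rsaenh-sp2",
}


def triage(log_text: str = SAMPLE_LOG, files: Dict[str, bytes] = SAMPLE_FILES):
    dets = parse_found_lines(log_text)
    report = compare_system_copies(dets, lambda p: files[p])
    return dets, report


if __name__ == "__main__":
    dets, report = triage()
    for d in dets:
        print(f"{d.action:21} {d.signature}  {d.path}")
    for name, r in report.items():
        verdict = "live copies agree" if r["live_copies_agree"] else "live copies DIFFER"
        print(f"{name}: {verdict}; {r['distinct_hashes']} distinct hash(es) to look up")
```

Agreement between the system32 and dllcache copies is evidence for a false positive, not proof of a clean file; the next step is still to look the hashes up at a second-opinion service (as lordpake advises) rather than deleting, which is exactly the step that led to two reinstalls in the post above.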
rsaenh.dll: Win32.Zhelatin.Variants.siggen-1 <-- f/p