ClamWin Free Antivirus :: View topic - How to Attach raw message containing virus?

Posted: Mon Feb 06, 2006 4:28 pm

How do you attach raw message containg virus? My scanlog shows what I think are two false positives, but I don't know how to attach or what file to send.

Thanks in advance

Mike

Posted: Tue Feb 07, 2006 1:51 am

scan those at https://virustotal.com and see what other av programs detect

Posted: Tue Feb 07, 2006 8:26 pm

https://upload2.postimage.org/120257/photo_hosting.html

https://upload2.postimage.org/120414/photo_hosting.html

Here are the results from https://virustotal.com/ .

As you can see ClamAV and Panda are the only scan that are positive, so I assume these are false positives.

Mike

Posted: Tue Feb 07, 2006 11:35 pm

Quote:

As you can see ClamAV and Panda are the only scan that are positive, so I assume these are false positives.

yes it is very lilkely. You may submit those here:
https://www.clamav.net/sendvirus.html

Posted: Sun May 07, 2006 4:22 pm

jeez, I've just spent 100 minutes tracking down what to do with a possible false-positive detected by ClamWin, only to be frustrated....

First I searched this forum to find out the procedure (fine), next scanned the suspect with two online scanners (its actually https://www.virustotal.com/en/indexx.html for VirusTotal) and Jotti, gathered the results and prepared to send it off to ClamAv, only to get through the upload and then receive an error message:

Quote:

Result:

We cannot accept file larger than 1048576 bytes. Sorry.

Please correct the above errors and retry. Thank you for helping the ClamAV project.

So, I'm still not sure if this is a false- or true-positive, and probably never will. Would have been nice for them to indicate this before I wasted all that time.

In any case, here are the results of the two online scans, FWIW:

Jotti scan:

Quote:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: ffdshow-svn2526-20060424.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 ad1991cf45429aabc3cd4c200cbdc0d6
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Downloader.Zlob-305
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

VirusTotal scan:

Quote:

STATUS: FINISHED
Complete scanning result of "ffdshow-svn2526-20060424.exe", received in VirusTotal at 05.07.2006, 17:51:40 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 05.05.2006 no virus found
AVG 386 05.05.2006 no virus found
Avira 6.34.1.58 05.06.2006 no virus found
BitDefender 7.2 05.07.2006 no virus found
CAT-QuickHeal 8.00 05.05.2006 no virus found
ClamAV devel-20060426 05.07.2006 Trojan.Downloader.Zlob-305
DrWeb 4.33 05.07.2006 no virus found
eTrust-InoculateIT 23.72.1 05.06.2006 no virus found
eTrust-Vet 12.4.2194 05.04.2006 no virus found
Ewido 3.5 05.07.2006 no virus found
Fortinet 2.71.0.0 05.07.2006 suspicious
F-Prot 3.16c 05.05.2006 no virus found
Ikarus 0.2.65.0 05.05.2006 Trojan-Downloader.Win32.Zlob.IG
Kaspersky 4.0.2.24 05.07.2006 no virus found
McAfee 4756 05.05.2006 no virus found
Microsoft 1.1372 05.07.2006 no virus found
NOD32v2 1.1523 05.05.2006 no virus found
Norman 5.90.17 05.05.2006 no virus found
Panda 9.0.0.4 05.07.2006 Suspicious file
Sophos 4.05.0 05.07.2006 no virus found
Symantec 8.0 05.07.2006 no virus found
TheHacker 5.9.7.139 05.05.2006 no virus found
UNA 1.83 05.06.2006 no virus found
VBA32 3.11.0 05.06.2006 no virus found

Aditional Information
File size: 2741849 bytes
MD5: ad1991cf45429aabc3cd4c200cbdc0d6
SHA1: 663bb25173118c5794d33663459933d00db6a004

<sigh>

Posted: Mon May 08, 2006 1:25 pm

You're right, the FAQ should indicate the upload file size limit.

I've added it to the TODO for the website (don't have access to the website itsself currently, at least not the international one).

By the way, is this file something you downloaded somewhere ? Maybe you can add the link here, so people can download and check for themselves.

budtse

Posted: Mon May 08, 2006 11:11 pm

Thanks for addressing the file upload size issue.

Additional info: I unpacked the file, which was compressed with UPX, and it no longer scanned positive, FWIW.

Its an installer for the open-source ffmpeg package, posted at doom9 forums I believe. At least in principle, one could do a search there and find it. I'm sure its a false positive, although I haven't actually installed it yet.