ClamWin Free Antivirus
Support and Discussion Forums
False Positives
jebenson


Joined: 11 Mar 2010
Posts: 0
Hello,

Last night a scheduled scan turned up a virus which I believe is a false positive. I did a search of this forum and found a post from two years ago indicating the same issue, and that it is indeed a false positive. Here's a link to that post:

https://forums.clamwin.com/viewtopic.php?p=9558

Here's my scan log from last night:

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\EXCEL.EXE.infected'
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\excelcnv.exe.infected'
C:\WINDOWS\Installer\110ef04.msp: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\Installer\110ef04.msp: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\110ef04.msp.infected'
C:\WINDOWS\SoftwareDistribution\Download\69c91f74084122922673375bccbe825f\excel.cab: W32.Virut.Gen.D-163 FOUND
C:\WINDOWS\SoftwareDistribution\Download\69c91f74084122922673375bccbe825f\excel.cab: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\excel.cab.infected'

I have already restored the files and everything is working again. I just thought you should know that this 2-year-old issue is back.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, I think the issue is back because Microsoft had some patch(es) Tuesday that affected Excel. Every time it patches something, it changes the file, and there are new problems with false positives. The files with false positives are "whitelisted" based on their MD5 hash. When Microsoft issues a new patch for a file, the file hash changes and the whitelisted file hash is no good! There must be an easier way! Those patches make a lot of work for everyone. I have had little niggling problems with my computer lots of times because of them.

Please submit false positives to Clam AV at https://www.clamav.net/sendvirus/ on the web. Tell them all the particulars--false positive virus name, etc. and upload the problem file to them. I understand they have increased the size allowed for false positives, so hopefully it will handle what is submitted.

Regards,
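The hash-keyed whitelisting described in the post above, as an added example that is not part of the original thread and not ClamAV's own code: it shows how one patched file turns a whitelist entry stale. Entries use the `MD5:size:name` line layout of ClamAV hash-based signature files; the file contents below are constructed placeholders.

```python
import hashlib

def fp_entry(name: str, data: bytes) -> str:
    """Build one whitelist line in MD5:size:name layout."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_entries(lines):
    """Map (md5, size) -> name, skipping blank lines and comments."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        table[(md5.lower(), int(size))] = name
    return table

def audit(whitelist, files):
    """Return (covered_files, uncovered_files, stale_entry_names)."""
    seen, covered, uncovered = set(), [], []
    for path, data in files.items():
        key = (hashlib.md5(data).hexdigest(), len(data))
        if key in whitelist:
            covered.append(path)
            seen.add(key)
        else:
            uncovered.append(path)
    stale = sorted(n for k, n in whitelist.items() if k not in seen)
    return sorted(covered), sorted(uncovered), stale

# Constructed stand-ins for the files before and after a vendor patch.
BEFORE = {"EXCEL.EXE": b"MZ excel build 1", "excelcnv.exe": b"MZ conv build 1"}
AFTER = {"EXCEL.EXE": b"MZ excel build 2", "excelcnv.exe": b"MZ conv build 1"}
WHITELIST = parse_entries(fp_entry(n, d) for n, d in BEFORE.items())

if __name__ == "__main__":
    print("before patch:", audit(WHITELIST, BEFORE))
    print("after patch: ", audit(WHITELIST, AFTER))
```

After the patch, `EXCEL.EXE` appears both as an uncovered file and as a stale entry: the old hash matches nothing on disk, and the new file matches nothing in the whitelist.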
jebenson


Joined: 11 Mar 2010
Posts: 0
Thanks for the reply. I had surmised that an update was the issue, but it's nice to have confirmation. I have already uploaded the files.

Thanks again.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The operating system/Office suite false positives are really caused by Microsoft supporting its buggy operating system (Windows). Unfortunately, ClamWin/Clam AV users have to cope with it.

If we all used Open Office, that would help some, and if we all used another operating system, that would pretty much stop it!

Regards,
False Positives
terriart


Joined: 09 Apr 2010
Posts: 0
Location: Utah
GuitarBob wrote:
Yes, I think the issue is back because Microsoft had some patch(es) Tuesday that affected Excel. Every time it patches something, it changes the file, and there are new problems with false positives. The files with false positives are "whitelisted" based on their MD5 hash. When Microsoft issues a new patch for a file, the file hash changes and the whitelisted file hash is no good! There must be an easier way! Those patches make a lot of work for everyone. I have had little niggling problems with my computer lots of times because of them.

Please submit false positives to Clam AV at https://www.clamav.net/sendvirus/ on the web. Tell them all the particulars--false positive virus name, etc. and upload the problem file to them. I understand they have increased the size allowed for false positives, so hopefully it will handle what is submitted.

Regards,


How do you know if something is a false positive? I had trouble with the McAfee freezing my computer and shutting down some of my programs, but now I am getting all these Trojan messages. Makes me nervous. Just got ClamWin yesterday.
False Positives
terriart


Joined: 09 Apr 2010
Posts: 0
Location: Utah
Sorry -- I did the first post wrong. Newbie. Anyway, how do you know if something is a false positive? My upgraded McAfee froze my system and shut down some of my programs, so I had to uninstall and got this. It turned up 5 Trojans yesterday and it is doing it again today. Most of them have the same number and are bunched together, but there was one yesterday that was all by itself. It is making me nervous. Is there a way to tell that it is a false positive?

Thank you so much.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you get several detections of the same virus, it is likely to be a false positive. With a few exceptions, viruses tend to be stealthy, and infecting lots of files is not a good way to hide from detection.

You can verify whether or not a detection is a false positive by uploading the file in question to Jotti or VirusTotal. Both
services perform free scans of a file with multiple antivirus products, including Clam AV, which furnishes the detection
engine and signatures for ClamWin. If several other AVs besides Clam find a file is infected, it probably is. I like to see
at least 5 AVs detect something before I believe it is infected. I also like to see a couple of these AVs verify something:
Avast, Bitdefender, Kaspersky, NOD32, Sophos, Microsoft, Symantec, McAfee. Jotti is at https://virusscan.jotti.org/en-gb on
the web. VirusTotal is at https://www.virustotal.com/ on the web.

Regards,
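The rule of thumb in the post above applied to a scan log, as an added example that is not part of the original thread: it groups ClamWin log lines like those in the first post by signature, then applies the "at least 5 AVs, a couple of them from the named list" test to a multi-scanner result. The result dict is constructed sample data; reading "a couple" as 2, leaving ClamAV out of the count, and the three verdict labels are assumptions.

```python
import re
from collections import defaultdict

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
MOVED = re.compile(r"^(?P<path>.+): moved to '(?P<dest>.+)'$")
# Vendors named in the post as the ones to look for.
TRUSTED = {"Avast", "Bitdefender", "Kaspersky", "NOD32", "Sophos",
           "Microsoft", "Symantec", "McAfee"}

def parse_log(text):
    """Return {signature: [(path, quarantine_path_or_None), ...]}."""
    hits, moved = defaultdict(list), {}
    for line in text.splitlines():
        line = line.strip()
        if m := MOVED.match(line):
            moved[m["path"]] = m["dest"]
        elif m := FOUND.match(line):
            hits[m["sig"]].append(m["path"])
    return {s: [(p, moved.get(p)) for p in ps] for s, ps in hits.items()}

def verdict(report, min_engines=5, min_trusted=2):
    """report maps engine name -> detection name, or None if clean.
    ClamAV is excluded from the count (assumption)."""
    flagged = {e for e, name in report.items() if name and e != "ClamAV"}
    if len(flagged) >= min_engines and len(flagged & TRUSTED) >= min_trusted:
        return "likely infected"
    return "likely false positive" if not flagged else "inconclusive"

# Four lines taken from the scan log in the first post.
SAMPLE_LOG = r"""
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\EXCEL.EXE.infected'
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: W32.Virut.Gen.D-163 FOUND
C:\Program Files\Microsoft Office\Office12\excelcnv.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\excelcnv.exe.infected'
"""
# Constructed multi-scanner result: only ClamAV flags the file.
CLAM_ONLY = {"ClamAV": "W32.Virut.Gen.D-163", "Avast": None,
             "Kaspersky": None, "Sophos": None, "Microsoft": None}

if __name__ == "__main__":
    for sig, files in parse_log(SAMPLE_LOG).items():
        print(sig, len(files), "file(s):", verdict(CLAM_ONLY))
```

The quarantine path kept beside each detection is where the file has to be restored from if the verdict comes back as a false positive.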
terriart


Joined: 09 Apr 2010
Posts: 0
Location: Utah
GuitarBob,

Thank you so much. I will do that. I really appreciate your help.
FileFormatConverters.exe
DG12


Joined: 29 Nov 2009
Posts: 0
Is this a false positive or a known virus?
FileFormatConverters.exe
28,868,230 12/09/2008
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Upload the file in question to Jotti at https://virusscan.jotti.org/en-gb on the web or to VirusTotal at https://www.virustotal.com/ on the web. If several other AVs (besides Clam AV) spot an infection, it is probably a real infection and not a false positive. If you are still in doubt, if a couple of these AVs spot an infection, it is probably real: Avast, Bitdefender, Kaspersky, NOD32, and Sophos.

If it turns out to be a false positive, visit Clam AV at https://www.clamav.net/lang/en/sendvirus/ to submit the file to Clam so they can correct it. When you get to the upload page, be sure to indicate it is a false positive, and tell them the exact name of the false positive in the Comments section--also tell the results on Jotti/VirusTotal.

Regards,