ClamWin Free Antivirus
Support and Discussion Forums
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I will log on to the Clam submission interface when my work day is over. I see they have had several updates today, so the false positives should be in process. It is important to fill out the submission form correctly for false positives. The name of the false virus will help assign it to the original sigmaker.

Regards,
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
Hi Everyone.

FYI, looks like the WORDPAD.EX_ issue has been resolved, as mine is not showing up as infected in the scans anymore, but the AGENTSVR.EX_ file is still reporting as infected.

Out of curiosity, I inserted an old DELL Windows XP w/SP2 OEM CD in the server and scanned it. ClamWin detected the AGENTSVR.EX_ file on the CD as infected.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Submit that AGENTSVR file to Clam as a false positive. I checked recently and did not see any false positives at all. Someone could have it set up to work if it has been submitted, but it will not hurt to do it again.

Regards,
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
Hi GuitarBob, I tried to submit it a 3rd time, but this time, I got a message that the Trojan.Agent-148352 has already been identified. I even tried re-naming it to "False Positive Trojan.Agent-148352", but it still would not let me re-submit it. Maybe it's because I've sent the AGENTSVR.EX_ file previously.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Scan that file again. If ClamWin still recognizes it as infected, give Alch a PM and see if he can arrange something.

Regards,
samrad


Joined: 31 Mar 2010
Posts: 0
I was getting the same - wordpad is now no longer coming up as infected, but I am now getting:

C:\WINDOWS\$NtUninstallwmp11$\unregmp2.exe: Trojan.Agent-148484 FOUND
C:\WINDOWS\ServicePackFiles\i386\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\ServicePackFiles\i386\unregmp2.exe: Trojan.Agent-148484 FOUND

The unregmp2 was new last night.
noorman


Joined: 31 Mar 2010
Posts: 0
I found the same in my scan report; I checked both files and they are WinXP SP3 system files, same Date Stamp as all those in the same directory and both files also have complete Properties/Version information (from Microsoft).
So, 'Trojan.Agent-148484' also is a false positive IMO.

Quote:
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\$NtServicePackUninstall$\unregmp2.exe: Trojan.Agent-148484 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 750450
Engine version: 0.95.3
Scanned directories: 4369
Scanned files: 34199
Infected files: 2
samrad


Joined: 31 Mar 2010
Posts: 0
I rather foolishly had my ClamWin set to move files to a quarantine folder - meaning Windows thought critical files had been tampered with and asked for the XP CD.

Restored them from another PC and they still came up as infected, which made me go looking to see if it really was a virus.
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
samrad, I have the same detections too.

C:\ClientApps\wxpsp2\i386\AGENTSVR.EX_: Trojan.Agent-148352 FOUND
C:\ClientApps\wxpsp2\i386\UNREGMP2.EX_: Trojan.Agent-148484 FOUND

In my case, these are the XPSP2 files in the Client Apps folder on SBS 2003.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
They are probably false positives if one of the original files from another PC also triggers a detection. If you have sent in a false positive to Clam and it has been longer than a couple of days, please give me a private memo. If you have not sent in a false positive to Clam, please do so. That's the only way it will get corrected.

Regards,
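
The check discussed in the posts above (does a flagged system file match an original copy from the XP CD or another PC?) can be scripted. This is an added example, not part of the original thread or of ClamWin; the function names, the `resolve` hook and the stand-in file contents are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
SAMPLE_LOG = r"""C:\WINDOWS\ServicePackFiles\i386\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\ServicePackFiles\i386\unregmp2.exe: Trojan.Agent-148484 FOUND
Infected files: 2"""  # constructed sample in the report format quoted in the thread

def parse_detections(log_text):
    """Group flagged paths by signature from '<path>: <signature> FOUND' lines."""
    by_sig = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            by_sig.setdefault(m["sig"], []).append(m["path"])
    return by_sig

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(by_sig, reference, resolve=Path):
    """reference: {lowercase name: trusted copy}; resolve: logged path -> local file."""
    out = {}
    for sig, paths in by_sig.items():
        for p in paths:
            ref = reference.get(PureWindowsPath(p).name.lower())
            local = Path(resolve(p))
            if ref is None or not local.is_file():
                verdict = "no-reference"
            else:
                same = sha256_of(local) == sha256_of(ref)
                verdict = "matches-reference" if same else "differs-from-reference"
            out[p] = (sig, verdict)
    return out

def demo():
    """Stand-in files built in a temp dir; not real Windows binaries."""
    files = {"disk/agentsvr.exe": b"AAAA", "cd/agentsvr.exe": b"AAAA",
             "disk/unregmp2.exe": b"BBBB", "cd/unregmp2.exe": b"bbbb"}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in files.items():
            target = Path(d, rel)
            target.parent.mkdir(exist_ok=True)
            target.write_bytes(data)
        ref = {f.name: f for f in Path(d, "cd").iterdir()}
        resolve = lambda p: Path(d, "disk", PureWindowsPath(p).name)
        return triage(parse_detections(SAMPLE_LOG), ref, resolve)
```

A "matches-reference" result means the flagged file is byte-for-byte the trusted original, which supports submitting it as a false positive under the signature name shown; "differs-from-reference" means the file needs a closer look first.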
noorman


Joined: 31 Mar 2010
Posts: 0
noorman wrote:
I found the same in my scan report; I checked both files and they are WinXP SP3 system files, same Date Stamp as all those in the same directory and both files also have complete Properties/Version information (from Microsoft).
So, 'Trojan.Agent-148484' also is a false positive IMO.

Quote:
C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe: Trojan.Agent-148352 FOUND
C:\WINDOWS\$NtServicePackUninstall$\unregmp2.exe: Trojan.Agent-148484 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 750450
Engine version: 0.95.3
Scanned directories: 4369
Scanned files: 34199
Infected files: 2

OK, just submitted the 2 I found to CLAM!


Last edited by noorman on Thu Apr 01, 2010 9:07 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
When submitting false positives, be sure to check the False Positive block and tell them the name of the virus that is falsely detected in the name box.

Regards,
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
Just updated - daily.cld updated (version: 10680, sigs: 48616, f-level: 44, builder: neo)

No detections on agentsvr.ex_ or unregmp2.ex_, but...

C:\ClientApps\wxpsp2\i386\IEXPLORE.EX_: Trojan.Poison-1380 FOUND

I submitted this one, but did not attach the file... only the scan log. Hope they accept it this way.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam can't do anything with a scan log. They need the file--whether it is a false positive or an undetected virus.

Regards,
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
OK, just re-submitted and attached the Iexplore.ex_ file.

They are probably getting real sick of me.

I noticed that you have to check the "False Positive" radio button last, just before you click "submit". If you click "False Positive", then fill out the rest of the page, it reverts back to the "Malware" submission. That's why I had so much trouble before.

Hope this helps.

Thanks Bob.
Trojan.Agent-148352 & 148339 False Positives?
All times are GMT  
Page 2 of 3  

  
  