jodifu
Joined: 12 Feb 2010 | Posts: 0 | Location: Europe
Posted: Wed Jul 28, 2010 6:26 am
FYI, got three installation files marked infected this morning:
C:\Install\Windows 2003 St. Ed. Install Files\R2\CMPNENTS\R2\STS.MSI: Trojan.Downloader-94937 FOUND
C:\Install\Windows 2003 St. Ed. Install Files\R2\CMPNENTS\R2\STS.MSI: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\STS.MSI.infected'
C:\WINDOWS\Installer\3653904.msi: Trojan.Downloader-94937 FOUND
C:\WINDOWS\Installer\3653904.msi: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\3653904.msi.infected'
C:\WINDOWS\Installer\{91140409-7000-11D3-8CFE-0150048383C9}\misc.exe: Trojan.Downloader-94937 FOUND
C:\WINDOWS\Installer\{91140409-7000-11D3-8CFE-0150048383C9}\misc.exe: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\misc.exe.infected'
which I suppose to be false positives - anyone had similar issues recently?

scornn
Joined: 28 Jul 2010 | Posts: 0 | Location: us
Posted: Wed Jul 28, 2010 10:52 am
Yeah, I got that yesterday on an XP system with Deep Freeze, even after a restart (reimage from Deep Freeze), so I am pretty sure it is a false positive, but I want to hear that from someone else.

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jul 28, 2010 1:37 pm
When you get the same detection on more than one file, it is often (but not always) a sign of a false positive. Viruses try to make their creators money, and they cannot do so by being too visible! Check the file out with Jotti or VirusTotal (VT has a nice installable script that helps the process). If only Clam and one or two more AVs see an infection, it is probably a false positive, and you should report it to Clam at https://www.clamav.net/lang/en/sendvirus/ on the web. On the form, be sure to check "false positive" and give the exact name of the "virus" in the comments section. They will usually fix it within a couple of days.
Regards,
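
The triage heuristic from the post above (the same signature reported on several files is a cue to cross-check before deleting), as an added example that is not part of the original thread. It parses a ClamWin report in the line format quoted in the first post; the sample paths are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line shapes taken from the ClamWin report quoted in the first post.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")
MOVED_RE = re.compile(r"^(?P<path>.+): moved to '(?P<dest>.+)'\s*$")

# Constructed sample report (paths are made up for this example).
SAMPLE_REPORT = r"""
C:\Install\R2\STS.MSI: Trojan.Downloader-94937 FOUND
C:\Install\R2\STS.MSI: moved to 'C:\quarantine\STS.MSI.infected'
C:\WINDOWS\Installer\3653904.msi: Trojan.Downloader-94937 FOUND
C:\WINDOWS\Installer\3653904.msi: moved to 'C:\quarantine\3653904.msi.infected'
C:\WINDOWS\Installer\misc.exe: Trojan.Downloader-94937 FOUND
C:\Temp\other.exe: Example.Signature-1 FOUND
"""

def parse_report(text):
    """Return {signature: {original_path: quarantine_path or None}}."""
    hits = defaultdict(dict)
    sig_of = {}  # original path -> signature, to attach later "moved to" lines
    for line in text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            hits[m["sig"]][m["path"]] = None
            sig_of[m["path"]] = m["sig"]
            continue
        m = MOVED_RE.match(line)
        if m and m["path"] in sig_of:
            hits[sig_of[m["path"]]][m["path"]] = m["dest"]
    return dict(hits)

def repeated_signatures(hits, min_files=2):
    """Signatures reported on at least min_files distinct files: candidates
    for a multi-scanner cross-check and, if clean, a false-positive report."""
    return sorted(s for s, files in hits.items() if len(files) >= min_files)

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for sig in repeated_signatures(hits):
        print(f"{sig}: {len(hits[sig])} files, cross-check before deleting")
        for path, dest in hits[sig].items():
            print(f"  {path} -> {dest or 'not quarantined'}")
```

The quarantine path printed for each hit is the copy to upload to the multi-scanner service and to attach to the false-positive form, together with the exact signature name.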

jodifu
Joined: 12 Feb 2010 | Posts: 0 | Location: Europe
Posted: Wed Jul 28, 2010 6:58 pm
FYI, a TrendMicro HouseCall scan run directly on the whole system was negative, as was VirusTotal for all three findings. Also the latest ClamAV was negative - so I'll fill in that form...
Maybe I'm wrong, but I've got the feeling there's a significant portion of false positives within .msi files on various systems over the course of the past nine months...
Thx for your input and take care...

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Thu Jul 29, 2010 12:22 am
I guess Clam fixed the false positive then if the current update does not find an infection.
I have not seen very many viruses hiding in .msi files. ClamWin is supposed to be able to detect false positives in signed Windows files, but I understand there is a problem with this detection on Windows XP and below. Let's hope they get it fixed soon.
Regards,