ClamWin Free Antivirus
Support and Discussion Forums
explorer.exe: Trojan.GenericFF-1 FOUND (false positive!)
alexsupra


Joined: 19 Aug 2009
Posts: 0
Location: russia, saint-petersburg
A couple of days ago I saw that ClamWin killed several systems by a false positive detection in explorer.exe.

Naturally these systems were resurrected by copying explorer.exe back to %systemroot%, but the users' workstations were stopped.
And now I have got much more feedback about other files with the same false positive virus detection name. All of the files are absolutely healthy ones. I already submitted some of them to https://cgi.clamav.net/sendvirus.cgi a couple of days ago, but the latest antiviral databases still contain that evil bug. Please recommend the most proper actions in this case.

By the way, here is an example of the log file:


Code:
Scan Started Thu Feb 03 01:17:32 2011
-------------------------------------------------------------------------------
C:\docs\admin\desktop\LibreOffice 3.3 (4d36e9e0) Installation Files\redist\vcredist_x86.exe: Trojan.GenericFF-1 FOUND
C:\docs\admin\desktop\LibreOffice 3.3 (4d36e9e0) Installation Files\redist\vcredist_x86.exe: moved to 'C:\WINNT\system32\clamwin\@\vcredist_x86.exe.infected'
C:\docs\admin\desktop\OpenOffice.org 3.3 (ru) Installation Files\redist\vcredist_x86.exe: Trojan.GenericFF-1 FOUND
C:\docs\admin\desktop\OpenOffice.org 3.3 (ru) Installation Files\redist\vcredist_x86.exe: moved to 'C:\WINNT\system32\clamwin\@\vcredist_x86.exe.infected.000'
WARNING: Can't open file C:\docs\admin\local settings\Application Data\Microsoft\Windows\UsrClass.dat: Permission denied
WARNING: Can't open file C:\docs\admin\NTUSER.DAT: Permission denied
C:\docs\admin\temp\LibreOffice 3.3 (4d36e9e0) Installation Files\redist\vcredist_x86.exe: Trojan.GenericFF-1 FOUND
C:\docs\admin\temp\LibreOffice 3.3 (4d36e9e0) Installation Files\redist\vcredist_x86.exe: moved to 'C:\WINNT\system32\clamwin\@\vcredist_x86.exe.infected.001'
WARNING: Can't open file C:\docs\LocalService\local settings\Application Data\Microsoft\Windows\UsrClass.dat: Permission denied
WARNING: Can't open file C:\docs\LocalService\NTUSER.DAT: Permission denied
WARNING: Can't open file C:\docs\NetworkService\local settings\Application Data\Microsoft\Windows\UsrClass.dat: Permission denied
WARNING: Can't open file C:\docs\NetworkService\NTUSER.DAT: Permission denied
C:\programs\Windows Media Player\wmplayer.exe: Trojan.GenericFF-1 FOUND
C:\programs\Windows Media Player\wmplayer.exe: moved to 'C:\WINNT\system32\clamwin\@\wmplayer.exe.infected'
C:\WINNT\explorer.exe: Trojan.GenericFF-1 FOUND
C:\WINNT\explorer.exe: moved to 'C:\WINNT\system32\clamwin\@\explorer.exe.infected'
--------------------------------------
Cancelled
--------------------------------------
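As an added example (not part of the original post and not ClamWin's own code), the script below parses a scan log in the format shown above and recovers, for each detection under a given signature name, which quarantined file came from which original location. ClamWin renames moved files (.infected, .infected.000, ...) so once a detection has been confirmed as a false positive, the log is the only record of where each file belongs. The sample log lines are constructed from the paths in the post, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the ClamWin log format shown in the post above
# (a subset of its lines; paths are the ones that appear in the post).
SAMPLE_LOG = r"""Scan Started Thu Feb 03 01:17:32 2011
-------------------------------------------------------------------------------
C:\docs\admin\desktop\OpenOffice.org 3.3 (ru) Installation Files\redist\vcredist_x86.exe: Trojan.GenericFF-1 FOUND
C:\docs\admin\desktop\OpenOffice.org 3.3 (ru) Installation Files\redist\vcredist_x86.exe: moved to 'C:\WINNT\system32\clamwin\@\vcredist_x86.exe.infected.000'
WARNING: Can't open file C:\docs\admin\NTUSER.DAT: Permission denied
C:\programs\Windows Media Player\wmplayer.exe: Trojan.GenericFF-1 FOUND
C:\programs\Windows Media Player\wmplayer.exe: moved to 'C:\WINNT\system32\clamwin\@\wmplayer.exe.infected'
C:\WINNT\explorer.exe: Trojan.GenericFF-1 FOUND
C:\WINNT\explorer.exe: moved to 'C:\WINNT\system32\clamwin\@\explorer.exe.infected'
--------------------------------------
Cancelled
"""

# "<path>: <signature> FOUND" -- the path may contain spaces and parentheses,
# so match non-greedily and anchor on the trailing " FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# "<path>: moved to '<quarantine path>'"
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")
WARN_RE = re.compile(r"^WARNING: (?P<msg>.+)$")


def parse_scan_log(text):
    """Return (detections, warnings).

    detections: list of dicts {path, signature, quarantine}. quarantine is
    None when a FOUND line has no matching 'moved to' line (Report Only
    mode, or the scan was cancelled before the file was moved).
    """
    detections, warnings = [], []
    pending = {}  # original path -> index in detections, awaiting 'moved to'
    for line in text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            pending[m["path"]] = len(detections)
            detections.append({"path": m["path"], "signature": m["sig"], "quarantine": None})
            continue
        m = MOVED_RE.match(line)
        if m and m["path"] in pending:
            detections[pending.pop(m["path"])]["quarantine"] = m["dest"]
            continue
        m = WARN_RE.match(line)
        if m:
            warnings.append(m["msg"])
    return detections, warnings


def count_by_signature(detections):
    """How many files each signature name hit; a sudden spike on one name
    across many system binaries is the usual first sign of a false positive."""
    return Counter(d["signature"] for d in detections)


def restore_plan(detections, signature):
    """(quarantine_file, original_path) pairs for one signature, in log order.

    Only entries that were actually moved are included. The quarantine name
    no longer encodes the original folder, so the log is the only record of
    where each file came from.
    """
    return [(d["quarantine"], d["path"])
            for d in detections
            if d["signature"] == signature and d["quarantine"] is not None]


if __name__ == "__main__":
    dets, warns = parse_scan_log(SAMPLE_LOG)
    for sig, n in count_by_signature(dets).items():
        print(f"{sig}: {n} file(s)")
    for src, dst in restore_plan(dets, "Trojan.GenericFF-1"):
        print(f"copy {src!r} -> {dst!r}")
    print(f"{len(warns)} file(s) could not be opened")
```

The plan is computed per signature name so that only the detection already confirmed as a false positive is restored; any other signature in the same log stays in quarantine.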
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I mentioned this to the Clam AV team. Hopefully you will soon see results. In the meantime, you might set ClamWin's infected files option to Report Only, if at all possible--or you could exclude the files involved from ClamWin's scans via Configuration, Filters, Exclude Matching Filenames.

Regards,
alexsupra


Joined: 19 Aug 2009
Posts: 0
Location: russia, saint-petersburg
GuitarBob wrote:
I mentioned this to the Clam AV team. Hopefully you will soon see results. In the meantime, you might set ClamWin's infected files option to Report Only, if at all possible--or you could exclude the files involved from ClamWin's scans via Configuration, Filters, Exclude Matching Filenames.

Regards,


Thank you a lot for your work.
I thought about such a variant, modifying %appdata%\.clamwin\clamwin.conf (adding new "excludepatterns" values), and now I think that adding "explorer.exe" here would be a much better default for my custom configuration anyway.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Per the Clam AV team: make sure you are using the most recent version of ClamWin. Sometimes the older versions are not able to correctly process the new enhanced signatures, and that's what this looks like. If you are using the latest ClamWin (version .96.5), there may be some difference in the Clam code as ported over to ClamWin--this particular detection on .dll files can only happen if the scan engine ignores certain parts of the signature.

Please get back here if you are using the latest version of ClamWin.

Regards,
Trojan.GenericFF-1
MacX


Joined: 19 Nov 2010
Posts: 0
Location: The office
Good morning,
Has there been any update on this particular false positive? I submitted a sample a week ago. Seems my machines with LogMeIn, having received an update, are now showing the Trojan.GenericFF-1 associated with the LogMeIn application files. Any assistance you can offer would be greatly appreciated.
Thanks,
MacX
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
This is a false positive that occurs because the ClamWin scanning engine can't properly interpret one of the new enhanced Clam AV signatures. It can't be corrected by Clam AV via its normal false positive procedure. It will be corrected when ClamWin updates to the new Clam AV engine. I understand a new version of ClamWin is about ready for beta testing. In the meantime, perhaps you should exclude the file from ClamWin scans via the Filters, Exclude Matching Filenames configuration option.

Drop Alch a private message if you would like to be involved with beta testing. We do not have many ClamWin users beta testing, so this would be a great help. An AV is no better than its users!

Regards,
Thank you...
MacX


Joined: 19 Nov 2010
Posts: 0
Location: The office
GuitarBob,
thank you for the info. I will also reach out to Alch as you suggested and see if we can help with the Beta.
Many regards,
MacX
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
After you install the new version .97 of ClamWin, there should be no more detections of this false positive. The signature comes with a "qualifier" that the old version of ClamWin could not read/process. Each new version of the Clam AV engine may contain some signature enhancements that are not available to us Windows users until the ClamWin developers integrate the new engine.

Regards,