Recent Scan
SteveA


Joined: 21 May 2009
Posts: 0
Hello
Please advise: I found the report result below in a recent scan. I wasn't able to get on the VirusTotal web site; can you tell me if I should go back to the file and remove it? Also, what is the alert level for these findings?

C:\WINDOWS\OPTIONS\post_sysprep.EXE: Trojan.Fakealert.Sesh FOUND
C:\WINDOWS\OPTIONS\pwrm.EXE: Trojan.Fakealert.Sesh FOUND


Thank you,
SA
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Fake alerts are related to fake AV trojans. If you can't access VirusTotal to verify the files, try Jotti at https://virusscan.jotti.org/en on the web. I've had trouble getting on VirusTotal lately. Jotti is easier to get on; it is smaller/quicker than VirusTotal, and I think it is a bit better. I like to see 2 of these AVs verify my files: AntiVir, Bitdefender, Kaspersky, Nod32, and Sophos. Be sure to submit any false positives to Clam AV.

Regards,
Fake Alert
SteveA


Joined: 21 May 2009
Posts: 0
Thanks for the help Bob,
I was finally able to upload the scanned file report to VirusTotal. Nothing harmful was found anywhere on any site they use.
My question is: should I still go back to that file location, put the scanner on Quarantine and remove it, or not bother?

Thanks Again,
SA
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
One final check: when did VirusTotal say they first saw the file? If a file has been around a while (say a week or longer) and no AV or only a couple of AVs spot an infection, it is probably a false positive. If a file is new/current, the AVs may not have a signature for it yet, so wait a while and scan it again. I've seen files with no infections per VirusTotal change after a couple of hours. The 4 AVs I mentioned are usually pretty quick to get signatures.

So if the file has been around for a while, it's probably okay to keep, unless you don't need it. If it is a false positive, I suggest you submit the file(s) to Clam AV so they can change their signature or whitelist the file(s) - you may help other users.

Regards,
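The rule of thumb Bob gives above (how long the multi-engine scanner has known the file versus how many engines flag it), as an added example that is not part of the original thread: a small Python script that pulls the FOUND lines out of a ClamWin report and labels each hit. The report lines, the first-seen dates and the detection counts are constructed, and the 7-day / 2-engine thresholds are taken from the wording of the post, not from ClamAV.

```python
import re
from datetime import date

# ClamWin/ClamAV report lines look like "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample report, modelled on the two lines quoted in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\OPTIONS\post_sysprep.EXE: Trojan.Fakealert.Sesh FOUND
C:\WINDOWS\OPTIONS\pwrm.EXE: Trojan.Fakealert.Sesh FOUND
C:\WINDOWS\system32\kernel32.dll: OK
"""

# Constructed multi-engine results, as read off a VirusTotal or Jotti
# result page: (first-seen date, number of engines flagging the file).
SAMPLE_LOOKUPS = {
    r"C:\WINDOWS\OPTIONS\post_sysprep.EXE": ("2009-04-01", 1),
    r"C:\WINDOWS\OPTIONS\pwrm.EXE": ("2009-05-24", 1),
}

def parse_report(report):
    """Return (path, signature) for every FOUND line; OK lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage_label(first_seen, today, detections, stale_days=7, fp_max=2):
    """Rule of thumb from the thread; dates are ISO strings (YYYY-MM-DD)."""
    age = (date.fromisoformat(today) - date.fromisoformat(first_seen)).days
    if age < stale_days:
        return "inconclusive: file is new, rescan in a few hours"
    if detections <= fp_max:
        return "likely false positive: submit to ClamAV as 'false positive'"
    return "likely malicious: quarantine"

def triage_report(report, lookups, today):
    """Classify every FOUND line; hits with no lookup stay 'unverified'."""
    verdicts = []
    for path, sig in parse_report(report):
        if path in lookups:
            first_seen, detections = lookups[path]
            label = triage_label(first_seen, today, detections)
        else:
            label = "unverified: upload the file to a multi-engine scanner"
        verdicts.append((path, sig, label))
    return verdicts
```

Run `triage_report(SAMPLE_REPORT, SAMPLE_LOOKUPS, "2009-05-25")` to see one hit labelled a likely false positive (known for weeks, one engine) and the other inconclusive (first seen yesterday).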
Submit File
SteveA


Joined: 21 May 2009
Posts: 0
Thanks for the help. How do I upload the file to Clam?

Please advise -

Thank you,
SA
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The Clam AV upload page is at https://www.clamav.net/lang/en/sendvirus/ on the web. When you get to the actual upload form, for a false positive, change the submission type from "virus" to "false positive." They get a lot of false positives that don't do this, and it looks like a virus submission. Clam will correct the false positive within a few days. Each sigmaker usually works his own false positives, and the sigmakers are not available all the time. Clam only has one full-time sigmaker.

Regards,
Clam AV
SteveA


Joined: 21 May 2009
Posts: 0
OK, thanks.
I didn't realize you said Clam AV because I was looking for a link on the ClamWin page.

Regards,
SA
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin has its own code, but basically the ClamWin developers port the Clam AV Linux code over to Windows and add a graphical user interface (GUI) to it. ClamWin gets the scan engine and virus signature updates from Clam AV. Clam is now owned by a commercial company (Sourcefire), but they still keep Clam open source for the user community.

Regards,