user_clamwinner
Joined: 19 Dec 2011 | Posts: 0
Posted: Wed Jan 11, 2012 10:34 am

Hello. After today's test, viruses were detected on many computers in Microsoft PowerPoint files (*.PPT): CVE_2012_0013.
I checked these files with Dr.Web and Kaspersky AVP; they identify this as a false detection.
Is this true? Will there be any changes soon in an update to the ClamWin Antivirus virus database?

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jan 11, 2012 2:00 pm

I noticed several false positive submissions on the Clam submission interface for this, so they are aware of it. It should be corrected within a day or so. In the meantime, you can whitelist the file(s) in ClamWin's filters, exclude matching filenames.
Regards,

danq
Joined: 02 Jan 2011 | Posts: 0
Posted: Sun Jan 15, 2012 5:34 am

I'm getting "BC.Exploit.CVE_2012_0003" on many MIDI files.
I have loads of MIDI files on my computer and can't submit them all to ClamAV.

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Sun Jan 15, 2012 12:26 pm

You can send email to luca at clamav dot net to ask for submission instructions, but if you can just submit 2 or 3 files (zipped), that will probably show the sigmaker there is a problem, and he can see that he needs to scrap the entire signature. Explain in the comments on the submission form that there are lots of other MIDI files being detected also. Also, please change the submission type on the submission form from "virus" to "false positive." ClamWin users are bad about not doing that, and some false positives can slip through unnoticed.
Regards,

user_clamwinner
Joined: 19 Dec 2011 | Posts: 0
Posted: Mon Jan 16, 2012 9:37 am

Hello. BC.Exploit.CVE_2012_0003 on MIDI files! Why have there been so many false positives in ClamWin lately???

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Mon Jan 16, 2012 12:35 pm

Reasons For False Positives:
Malware often uses some of the same code as "good" programs. The more generic signatures can detect this code--it doesn't matter where it is. Clam has a limited number of good programs on its false positive "farm" where signatures are checked before they are released. For instance, every time Microsoft patches something, there is a new version of whatever is patched--just think of how many versions of Office that makes! With every patch series, there are some Virus false positives on Office software. There are also some new Sourcefire sigmakers helping out at Clam now.
All we can do is quickly report false positives to Clam when we see them. Thankfully, ClamWin now has some protection against certain false positives that could take down the operating system.
Regards,