False positives?

MOONCRICKET
Joined: 10 Apr 2012
Posts: 0
Posted: Tue Apr 10, 2012 2:16 pm

My scan with ClamWin came up with the following viruses:
C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\chrome.exe: Trojan.Swrort-154 FOUND
C:\Users\mary\AppData\Local\Google\Chrome\Application\old_chrome.exe: Trojan.Swrort-154 FOUND
C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND
I did a follow up scan with the following:
Avast
AVG
Panda
Bitdefender
...all of them came up clean. Does this mean my results are false positives?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Apr 10, 2012 2:26 pm

I know of some recent Virut.Gen false positives, and they have just been fixed by Clam AV. Try another scan in an hour or so, and if you get any more false detections, submit them to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. Submit one for each new detection. You can zip submissions. If your submission is too large to submit, contact luca at clamav dot net for instructions.
Regards,

hakre
Joined: 22 Feb 2008
Posts: 0
Posted: Wed Apr 11, 2012 2:17 pm

When I scan system memory I get the following report:
C:\Dokumente und Einstellungen\USERNAME\Lokale Einstellungen\Anwendungsdaten\Google\Chrome\Application\18.0.1025.152\chrome.dll: W32.Virut.Gen.D-148 FOUND
When I locate that file on disk and do a manual scan with ClamWin, it's clean. I have been testing this for days, so there have been ClamWin signature updates as well as reboots.
Is there a way to dump the image from memory so to submit this? (I post it in this forum because it's related to the filename and the virus name.)

swerenfl
Joined: 16 Jan 2012
Posts: 0
Location: Schaumburg, IL
Posted: Wed Apr 11, 2012 6:12 pm

I get the same results. Any luck on a solution?
C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.152\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\Administrator.DC1.000\AppData\Local\Google\Chrome\Application\18.0.1025.152\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND

virus scanner

dariusrickard
Joined: 12 Apr 2012
Posts: 0
Posted: Thu Apr 12, 2012 1:37 am

I encountered the same problem too.

alch
Site Admin
Joined: 27 Nov 2005
Posts: 0
Posted: Thu Apr 12, 2012 3:08 am

Fixed in the latest db update.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Apr 12, 2012 12:49 pm

A lot of the false positives at Clam AV involve the Virut generic detections. Each sigmaker is generally responsible for correcting false positives detected by one of his signatures. Clam AV has only one full-time sigmaker, so it may take a few days sometimes before the sigmaker is available to work on a false positive.
Regards,

hakre
Joined: 22 Feb 2008
Posts: 0
Posted: Sun Apr 15, 2012 3:37 pm

Reported using the online form. I also ran it against Metascan Online (https://www.metascan-online.com/results/p3l0mkocxib270zwkgth1utp1nz0owvd), but no results are visible there so far. It worked successfully some days ago.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Apr 15, 2012 4:23 pm

Submissions scanned on Virus Total and Jotti are sent to Clam AV if it does not detect the virus. I have also seen some false positives from VirusTotal/Jotti that were sent to Clam, but I am not sure what happens if a few other AVs also detect a false positive. Just to be sure, send all false positives to Clam after scanning with VirusTotal/Jotti--it might increase the importance.
Regards,

DFR13
Joined: 15 Apr 2012
Posts: 0
Location: USA
Posted: Sun Apr 15, 2012 5:28 pm

I am having the same (false positive?) reports and more. Is there (could there be added) a current list of known/suspected false positives for the past week or so involving programs like Chrome, Adobe Reader, etc.? Am I asking for too much? I have had the above virus report for Chrome 18.0.1025.152 and again (W32.Virut.Gen.D-148) when I updated to Chrome x.162. I also received a positive for Adobe Reader 10.12 and 10.13 (specifically the same file, Data1.cab) of Trojan.Decay-1.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Apr 15, 2012 10:03 pm

Every time there is an update/patch to widely-used software, there is a possibility the software will trigger one of the Clam AV generic signatures--simply because that version of the program did not exist at the time the Clam signature was prepared and checked on its false positive "farm." It is impossible for Clam to have all applications that presently exist and all applications that will exist on the "farm." So it is up to us users to report false positives when we can. One way to look at it is that the Clam AV engine is doing its job.
Perhaps the ClamWin developers could do something about false positives via the QRecover quarantine browser that now prevents the quarantine of some Microsoft/Windows false positives.
Regards,

Re: False positives?

tizef
Joined: 24 Feb 2012
Posts: 0
Location: France
Posted: Sun Apr 15, 2012 10:18 pm

MOONCRICKET wrote:
> C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND
Hi Mary, I’m afraid that one is not a false positive. Please take a look at this related thread on the "clamav-win32" mailing list.
May I suggest always downloading software from its official website?

Last edited by tizef on Sat Mar 23, 2013 8:35 pm; edited 1 time in total

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Apr 15, 2012 11:42 pm

CNet has distributed adware with some of its downloads in the past on Download.Com. See this thread on a forum at https://forums.cnet.com/7723-12543_102-345901/adware-on-download-com/ on the web. I hear about it most often with security software.
Make sure you check out any program (even an antivirus program!) with Jotti or Virus Total after you download it--before you run/install it. Keep in mind that antivirus programs do not all recognize adware as malicious, so you might see only a few detect adware in a file. Nod32 usually spots adware, in my experience, so you can use it as a guide. If an application comes with a toolbar, do not blindly click OK to it when installing. Sometimes the adware is optional, and in that case, most antivirus programs will not detect it because the user has the option.
Regards,
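The script below is an added example for this thread; it is not code from ClamWin, ClamAV or any of the posters. It serves two points raised above: hakre's memory-scan hit on a chrome.dll that scans clean on disk, and GuitarBob's advice to check a download before running it. It does not dump process memory (the mapped image of a module differs from its file anyway, through relocations and writable data); instead it parses the "path: signature FOUND" lines ClamWin prints, and for every flagged path records the on-disk SHA256 and the Authenticode signature status and signer, which is the evidence ClamAV can re-check and what a false-positive submission should carry. Assumptions: Windows PowerShell 4 or later (for Get-FileHash), the ClamWin log location named in the comment, and the sample report lines, which are constructed from this thread and point at paths that exist only on the original posters' machines.

```powershell
# Added example for this thread; not code from ClamWin, ClamAV or any poster.
# Triage ClamWin/clamscan report lines ("<path>: <signature> FOUND"): for each
# flagged file record the on-disk SHA256 and its Authenticode signature status,
# then say what to do next. Assumes Windows PowerShell 4+ (Get-FileHash).

function Get-ClamReportHits {
    # Parse report lines into (Path, Signature) objects; summary and "OK"
    # lines do not match the pattern and are ignored.
    param([Parameter(Mandatory)][string[]]$ReportLines)
    foreach ($line in $ReportLines) {
        if ($line -match '^(?<path>.+?):\s+(?<sig>\S+)\s+FOUND\s*$') {
            [pscustomobject]@{ Path = $Matches.path; Signature = $Matches.sig }
        }
    }
}

function Test-ClamHit {
    # Judge one hit from on-disk evidence only. A memory-scan hit names a
    # mapped module; the file on disk is what gets hashed and verified.
    param([Parameter(Mandatory)][string]$Path, [string]$Signature)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Signature = $Signature; Sha256 = $null
            SigStatus = 'n/a'; Signer = $null
            Verdict = 'file not present (already quarantined or removed); nothing to submit yet'
        }
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $auth   = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($auth.SignerCertificate) { $auth.SignerCertificate.Subject } else { $null }

    $verdict = switch ("$($auth.Status)") {
        'Valid' {
            'valid Authenticode signature: strong false-positive candidate, submit the file to ClamAV as FP'
        }
        'HashMismatch' {
            # This is what a real PE file infector leaves behind: the vendor
            # signature is still present but no longer covers the file bytes.
            'signed but hash mismatch: modified after signing, treat as infected until proven otherwise'
        }
        { $_ -in @('NotSigned', 'UnknownError', 'NotSupportedFileFormat') } {
            'no Authenticode signature (normal for .7z archives, unsigned .cab files and many installers): look the SHA256 up on VirusTotal/Jotti before trusting or submitting'
        }
        default { "signature status $($auth.Status): treat as suspicious" }
    }

    [pscustomobject]@{
        Path = $Path; Signature = $Signature; Sha256 = $sha256
        SigStatus = $auth.Status; Signer = $signer; Verdict = $verdict
    }
}

# Constructed sample taken from the thread; these paths will not exist on your
# machine, so they come back as "file not present". For a real run feed the
# function your ClamWin log instead, e.g.
#   Get-Content "$env:APPDATA\.clamwin\log\ClamScanLog.txt"
# (assumed default log location; adjust to yours).
$sampleReport = @(
    'C:\Users\mary\AppData\Local\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND',
    'C:\Users\mary\AppData\Local\Google\Chrome\Application\chrome.exe: Trojan.Swrort-154 FOUND',
    'C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND',
    '----------- SCAN SUMMARY -----------'
)

Get-ClamReportHits -ReportLines $sampleReport |
    ForEach-Object { Test-ClamHit -Path $_.Path -Signature $_.Signature } |
    Format-Table Signature, SigStatus, Signer, Verdict -AutoSize -Wrap
```

Used on a freshly downloaded installer (`Test-ClamHit -Path "$env:USERPROFILE\Downloads\setup.exe"`), the Signer column tells you who actually built the file you are about to run, which is the quickest way to notice a download-site wrapper instead of the vendor's own installer. For the Chrome hits in this thread the useful distinction is between Valid (the vendor's signature still covers every byte, so the detection is almost certainly a false positive on a new build) and HashMismatch (the bytes changed after signing, which is exactly the footprint of a file infector and must not be waved through as a false positive).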

Re: False positives?

tizef
Joined: 24 Feb 2012
Posts: 0
Location: France
Posted: Mon Apr 16, 2012 5:41 pm

MOONCRICKET wrote:
> C:\Users\mary\Downloads\cnet2_clamwin-0_97_3-setup_exe.exe: Adware.Downloader-207 FOUND
BTW: ClamWin 0.97.4 was released a week before you joined the forum ;-)

Last edited by tizef on Sat Mar 23, 2013 8:36 pm; edited 1 time in total

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Apr 16, 2012 9:26 pm

Each new version of ClamWin has some increased functionality that older versions do not have. If you are not using the latest version, there is a chance that a file could either be falsely detected or, in some cases, not detected. Upgrade to the latest ClamWin version, and try another scan.
Regards,

All times are GMT
Page 1 of 3