Adobe Reader 10.0:- "reader_sl.exe: Trojan.Decay-1"

Flymo
Joined: 16 Apr 2012
Posts: 0
Posted: Mon Apr 16, 2012 8:43 pm

Greetings,
Just joined, trying to sort out a friend's ancient Inspiron 8100 laptop....
It's a - l o n g - time since I've used Windows, so I'm pretty rusty.
Using a fully updated Win XP SP3, ClamWin reports:
Quote:
C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe: Trojan.Decay-1 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe: Trojan.Decay-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1192486
Engine version: 0.97.4
Scanned directories: 10955
Scanned files: 111792
Infected files: 2
Data scanned: 19537.82 MB
Data read: 27690.59 MB (ratio 0.71:1)
Time: 9754.145 sec (162 m 34 s)
--------------------------------------
Completed
--------------------------------------
Checking with VirusTotal scores 0/42 hits, so we suspect a false positive
The file had just been downloaded from Adobe as part of a package to update Adobe Reader.
ClamWin is reporting properly when checked against the current EICAR-AV-Test file.
Interestingly ClamAV under VirusTotal is not reporting a hit. I'll be installing Linux on the spare partition shortly, will report back on how ClamAV works on this file from there.
In the meantime, what does the forum think? FP or /FP?
Any further info needed? Happy to provide it!
Thanks, folks. Ben
Last edited by Flymo on Mon Apr 16, 2012 9:20 pm; edited 1 time in total

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Apr 16, 2012 9:20 pm

There can sometimes be differences between detection of the same file on Linux versus Windows, but it does not often happen. There can be a difference if one version is newer than the other one. Clam AV recently came out with version 0.97.4, and ClamWin followed within a couple of weeks. I suspect the online AV scanner may not have the latest versions--it sometimes takes them a while to upgrade. With every new version, Clam AV/ClamWin increases its functionality, and an older version will not be able to make use of the latest functions.
Another possible reason for a difference is that one of the AVs does not have the latest signatures. I update my ClamWin signatures hourly, but I do not think the online scanners do it that often.
False positives can be reported to Clam AV at https://sourceforge.net/projects/clamsentinel/ on the web. Clam AV will fix a false positive within a few days, and ClamWin will get the update.
Welcome to ClamWin! If you are interested in using ClamWin in a real-time mode, look into the ClamSentinel project at https://sourceforge.net/projects/clamsentinel/ on the web. Clam Sentinel is also free, and it was originally designed for older computers. Read the Simple Guide in the installation package before using it.
Regards,

Flymo
Joined: 16 Apr 2012
Posts: 0
Posted: Mon Apr 16, 2012 9:36 pm

Thanks GuitarBob!
That might indeed explain the discrepancies. But I appear not to have searched properly before posting, sorry!
You already responded to DFR13 concerning this possible FP in this thread: https://forums.clamwin.com/viewtopic.php?p=15304
In my defence, I did read the thread, but had missed these important details on the laptop's screen. Should I repost there, maybe?
Was not sure of the netiquette for FP reports here. I bow to your experience
...progress....
Bodhi Linux 1.4.0 is now installed on the spare partition and I've booted to the login, about to install ClamAV, scan from Linux, and report back.
All the best, Ben

Flymo
Joined: 16 Apr 2012
Posts: 0
Posted: Mon Apr 16, 2012 11:40 pm

Update:
ClamAV with ClamTK freshly installed - AV engine is 0.96.5 - Virus definitions dated 16 April 2012 - scanning target against 1197436 signatures
Zero viruses found.
That looks good....
But the engine is an older one than the ClamWin scan, so I'll try to update ClamAV and report again. Getting some funny messages when I try to do a 'freshclam', so I might try getting the latest build from the ClamAV repo rather than the distro one.
Ben

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Apr 16, 2012 11:47 pm

Hello Ben:
That was a good idea to do an initial search on your topic. Many people fail to do that. I would just post here.
Regards,

Flymo
Joined: 16 Apr 2012
Posts: 0
Posted: Tue Apr 17, 2012 5:31 am

Thanks GuitarBob!
Only seems courteous to do a search, sorry I didn't do a better job.
I've used pkgs.org to find the latest most-likely-to-succeed .deb packages - based on clamav_0.97+dfsg-2ubuntu1_i386.deb downloaded via https://pkgs.org/#ubuntu-11.04
These are more recent than the 0.96.5 that I was using previously, but not the latest, which is currently 0.97.4.
I was having trouble accessing the 12.04 'Precise' repositories where I'd hoped to find them, so these had to do.
The good news is that everything has now installed and the definitions have updated, so I can verify that the suspect Adobe file is reported clean by this 0.97 revision of ClamAV with the very latest virus definitions.
Still not fully up-to-date, though. <sigh>
...later...
The 'buntu 12.04 repos (now accessible again) only have ClamAV 0.97.3 on offer, not 0.97.4, so we still can't really compare apples with apples.
Think it's time to call it a day.
On the balance of the evidence so far, C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe is probably a false positive.
I'd better get on with the rest of what I'm supposed to do today!
 Ben
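Flymo's comparison of the ClamWin 0.97.4 hit against the clean results from 0.96.5 and 0.97 turns on one question: did the second scan use an engine and signature database at least as new as the first? If not, a clean result says nothing about the detection. The following is an added example in Python, not code from the thread, ClamWin or ClamAV: it parses clamscan-style report text (the summary posted above, plus a constructed Linux report whose figures are assumed) and states whether a clean second scan actually contradicts the detection.

```python
"""Parse clamscan / ClamWin report text and compare a detection across two scans.

Added example; not code from the thread or from ClamAV. WINDOWS_REPORT is the
text posted in the thread; LINUX_REPORT is constructed with assumed figures."""
import re
from dataclasses import dataclass, field

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


@dataclass
class ScanReport:
    engine: tuple = ()            # e.g. (0, 97, 4); tuples compare version-wise
    known_viruses: int = 0
    infected: int = 0
    detections: dict = field(default_factory=dict)  # path -> signature name


def parse_clamscan(text: str) -> ScanReport:
    """Collect 'path: Sig FOUND' lines and the numeric SCAN SUMMARY fields."""
    rep = ScanReport()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if not in_summary:
            m = FOUND_RE.match(line)
            if m:
                rep.detections[m.group("path")] = m.group("sig")
            continue
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "Engine version":
            rep.engine = tuple(int(x) for x in val.split("."))
        elif key == "Known viruses":
            rep.known_viruses = int(val)
        elif key == "Infected files":
            rep.infected = int(val)
    return rep


def compare_scans(flagged: ScanReport, other: ScanReport, signature: str) -> str:
    """Say whether 'other' not firing on 'signature' contradicts the detection.

    A clean result from an older engine or a smaller signature database does not;
    only an equal-or-newer engine with at least as many signatures does (the
    "apples with apples" problem in the thread)."""
    if any(s == signature for s in other.detections.values()):
        return "detected by both scans"
    if not any(s == signature for s in flagged.detections.values()):
        return "signature not present in either scan"
    if other.engine < flagged.engine:
        return "inconclusive: comparison scan uses an older engine"
    if other.known_viruses < flagged.known_viruses:
        return "inconclusive: comparison scan has fewer signatures"
    return "likely false positive: equal-or-newer engine and signatures do not fire"


# Verbatim from the thread (ClamWin on Windows XP).
WINDOWS_REPORT = r"""
C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe: Trojan.Decay-1 FOUND
C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe: Trojan.Decay-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1192486
Engine version: 0.97.4
Scanned directories: 10955
Scanned files: 111792
Infected files: 2
Data scanned: 19537.82 MB
Data read: 27690.59 MB (ratio 0.71:1)
Time: 9754.145 sec (162 m 34 s)
"""

# Constructed: what a 0.97 clamscan of the single file from Linux might print.
LINUX_REPORT = r"""
/mnt/xp/Program Files/Adobe/Reader 10.0/Reader/reader_sl.exe: OK
----------- SCAN SUMMARY -----------
Known viruses: 1198120
Engine version: 0.97
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Time: 3.512 sec (0 m 3 s)
"""

if __name__ == "__main__":
    win, lin = parse_clamscan(WINDOWS_REPORT), parse_clamscan(LINUX_REPORT)
    print(win.engine, win.known_viruses, win.infected, sorted(win.detections))
    print(compare_scans(win, lin, "Trojan.Decay-1"))
```

With the posted figures the verdict is "inconclusive: comparison scan uses an older engine", which is exactly the position the thread ends in; only a clean scan from a 0.97.4 engine with the same or a newer database would tip it to "likely false positive".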

Re: Adobe Reader 10.0:- "reader_sl.exe: Trojan.Decay-1"

samtrack
Joined: 17 Jun 2012
Posts: 0
Posted: Sun Jun 17, 2012 4:27 pm

Flymo wrote: [the opening post, quoted in full above]
I will never go for online scanning. I have found that so far no online scanner is worth it, not even Microsoft's. I have always preferred NOD32, the best scanner.

Last edited by samtrack on Mon Jun 18, 2012 2:54 am; edited 1 time in total

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Jun 17, 2012 7:29 pm

A disadvantage of using only one scanning engine to evaluate a malware sample is that any single antivirus can miss a detection now and then, and it can also get an occasional false positive too. I recommend that you pick several AVs used by a scanning service as "trigger" AVs. Be careful in choosing the triggers, however, because some AVs sell their engine to others, and you do not want to use more than one AV with the same engine. I am aware that these AVs all have scan engines that are used by one or more other AVs: Bitdefender, Kaspersky, Ikarus, Avast, Virus Buster, Sophos, and Avira, so it's a good idea to pick your trigger AVs from among this group. You could also use the large AVs as triggers: Microsoft, McAfee, Symantec, Trend Micro, and Kaspersky. Or you could use AVs that have a free version: this would be Microsoft, Avast, Avira, AVG, and Panda.
The online scanning services are very helpful to a small AV company that doesn't have much of a research staff. Jotti, Virus Total, and Virus Scan all three send copies of viruses to AVs that do not detect a sample.
Regards,

Re: Adobe Reader 10.0:- "reader_sl.exe: Trojan.Decay-1"

drogg
Joined: 03 Jul 2012
Posts: 0
Location: NY
Posted: Tue Jul 03, 2012 2:19 pm

samtrack wrote: [samtrack's reply above, quoted in full together with its quotation of the opening post]
I also don't like online scanners, maybe Kaspersky only...

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Jul 03, 2012 4:38 pm

It's hard to fool all the 42 scanners on Virus Total, unless a malware file is only a couple of days old. For confirmation, look at the date that the file was first seen on Virus Total (or Jotti). If it is older than a week, at least a few AVs should spot an infected file. If it is older than a couple of weeks, even more AVs should spot it. By the time an infected file is 6 months old, most of the AVs should spot it. In general, most AVs don't do too well initially at spotting infected files that are not Windows PE files--javascript, java, PDF, html, php, etc., so if only a couple of them do spot a non-Windows PE file as infected, it is probably a righteous detection.
For additional confirmation, look at which AVs spot the file as infected. I have 5 trigger AVs. If 2 of them spot an infection, I will usually believe it. You have to be careful, however, because some AVs license their scan engine to other AVs: Avast, Ikarus, Bitdefender, Kaspersky, and Virus Buster all license to other AVs, so you don't want to have too many duplicate AVs in your triggers. These AVs have good heuristics/generic signatures and do not duplicate each other: AntiVir, Bitdefender, Eset (NOD32), Kaspersky, and Sophos. These AVs have lots of corporate users and have to be low on false positives, so if they detect something, it is usually true: McAfee, Microsoft, Kaspersky, Symantec, and Trend Micro. Take your pick--I have given you 3 strategies for trigger AVs: stand-alone AVs, Heuristic AVs, and corporate AVs.
Regards,
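The trigger-AV strategy GuitarBob lays out in this post and in his earlier reply (pick several scanners with independent engines, require two of them to agree, weigh the first-seen age of the sample and whether it is a Windows PE) is a decision procedure, and it is easy to get wrong when several scanners on the service are really one licensed engine. The following is an added example in Python, not code from the thread or from VirusTotal or Jotti: the scanner names, the engine-family map (the rebrands GData, F-Secure and Emsisoft are assumed purely for illustration and are not verified here) and the sample results are all constructed.

```python
"""Apply the 'trigger AV' triage heuristics from the thread to a multi-scanner result.

Added example, not code from the thread or from any scanning service. Scanner names,
the engine-family map and the sample results are constructed; the family groupings
follow the posts' claims about licensed engines and are not verified here."""

# Which scanners share an engine. Scanners absent from the map are their own family.
ENGINE_FAMILY = {
    "Avast": "Avast", "AntiVir": "Avira", "BitDefender": "BitDefender",
    "Kaspersky": "Kaspersky", "Ikarus": "Ikarus", "Sophos": "Sophos", "ESET-NOD32": "ESET",
    "McAfee": "McAfee", "Microsoft": "Microsoft", "Symantec": "Symantec", "TrendMicro": "TrendMicro",
    # Assumed rebrands of a licensed engine, included only to show why de-duplication matters.
    "GData": "BitDefender", "F-Secure": "BitDefender", "Emsisoft": "Ikarus",
}

# The two trigger sets suggested in the thread: heuristic-strong, and corporate/low-FP.
HEURISTIC_TRIGGERS = ["AntiVir", "BitDefender", "ESET-NOD32", "Kaspersky", "Sophos"]
CORPORATE_TRIGGERS = ["McAfee", "Microsoft", "Kaspersky", "Symantec", "TrendMicro"]

SCANNERS = ["Avast", "AntiVir", "BitDefender", "ClamAV", "Emsisoft", "ESET-NOD32", "F-Secure",
            "GData", "Ikarus", "Kaspersky", "McAfee", "Microsoft", "Sophos", "Symantec", "TrendMicro"]


def make_report(hits):
    """Constructed scan result: scanner -> detection name, or None when it reports clean."""
    return {s: hits.get(s) for s in SCANNERS}


def dedupe_triggers(triggers):
    """Keep one scanner per engine family so a licensed copy cannot vote twice."""
    seen, kept = set(), []
    for name in triggers:
        family = ENGINE_FAMILY.get(name, name)
        if family not in seen:
            seen.add(family)
            kept.append(name)
    return kept


def triage(report, triggers, age_days, is_windows_pe=True, min_trigger_hits=2):
    """Return (verdict, reason). age_days = today minus the service's first-seen date."""
    triggers = dedupe_triggers(triggers)
    trigger_hits = [t for t in triggers if report.get(t)]
    total_hits = sum(1 for v in report.values() if v)
    n = len(report)
    if len(trigger_hits) >= min_trigger_hits:
        return "malicious", f"{len(trigger_hits)} independent trigger engines fire: {trigger_hits}"
    if total_hits == 0:
        if age_days < 7:
            return "unknown", f"0/{n} fire, but the sample was first seen only {age_days} day(s) ago"
        return "likely clean", f"0/{n} fire on a sample first seen {age_days} days ago"
    if not is_windows_pe:
        return "probably malicious", f"non-PE file with {total_hits} detection(s); engines are weak on these, so a few hits count"
    if age_days >= 180 and total_hits <= 2:
        return "probable false positive", f"only {total_hits}/{n} fire on a PE first seen {age_days} days ago"
    return "suspicious", f"{total_hits}/{n} fire, {len(trigger_hits)} of them triggers; wait for signatures or submit the sample"


if __name__ == "__main__":
    # reader_sl.exe as in the thread: every engine on the service reports clean.
    print(triage(make_report({}), HEURISTIC_TRIGGERS, age_days=46))
    # Three "hits" that are really one engine counted three times.
    rebrand = {"BitDefender": "Gen:Variant.X", "GData": "Gen:Variant.X", "F-Secure": "Gen:Variant.X"}
    print(triage(make_report(rebrand), HEURISTIC_TRIGGERS + ["GData", "F-Secure"], age_days=6))
```

The second case is the one to note: three scanners agree, but after de-duplication they are a single BitDefender-family vote, so the verdict stays at "suspicious" rather than "malicious". Counting raw hits would have overstated the evidence, which is the point of choosing trigger engines from distinct families.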