cshorter
Posted: Thu May 17, 2012 12:20 am
Note to self, write a virus into chrome.dll and post on forums.
dmespelt
Posted: Thu May 17, 2012 1:48 pm
Well, I've added the Chrome files and directory to both Sentinel and Clam itself, and I still get a dozen emails in the morning reporting it.
I've also had a machine that didn't have Sentinel (oops), and it reported it as well.
*sigh*
GuitarBob
Posted: Fri May 18, 2012 1:46 am
Email luca at clamav dot net for instructions on uploading a file to Clam that is too large for the regular submission process.
Remember that if Clam Sentinel detects a "suspicious" file, Clam AV can do nothing about it. You should whitelist all false positive Sentinel suspicious detections in the Sentinel program, as they are heuristic detections by the Sentinel heuristic engine--not actual virus detections by the ClamWin Clam engine. The heuristic engine does not have signatures, so this is the only way to handle the Sentinel suspicious files that are false positives.
Regards,
ReclaiMe
Posted: Thu Jun 07, 2012 9:49 am
Hello,
Looks like we're getting a ClamAV positive for any .NET application, reporting PUA.Win32.Packer.NetExecutable.
See for example https://www.virustotal.com/file/0466895bd24a3b6ca1708471e790898478db665e72829ce325e5af2a887adc5e/analysis/1339064066/
which is pretty much a standard Microsoft Web Platform Installer module; however, VirusTotal produces a warning for seemingly any .NET application.
Further, the ClamAV false positive form says "do not report PUA.*". But declaring any .NET application potentially unwanted looks like a bit of overkill?
Can someone please clarify if it is an issue with ClamAV, a policy decision for ClamAV, or VirusTotal just set up something incorrectly?
GuitarBob
Posted: Thu Jun 07, 2012 1:46 pm
This is an overzealous use of the PUA for some packers. I have brought it to Clam's attention. There has been a recent signature update, so it may be fixed, but they may decide not to.
As you say, Clam has always said that since PUA detections are optional per the user, they do not adjust the PUA signatures. In my personal opinion, you do not need PUA detection, so I suggest that you turn it off. Many "good" web sites now use scripts (including JavaScript--packed and otherwise) that are detected by some PUA signatures. Many "good" programs now use packers that are detected by some PUA signatures. Many users are confused by a PUA detection. Some AVs do not seem to even use PUA now--I do not see as many PUA detections from other AVs as I used to. So, I suggest you turn off PUA detection and confine your AV to the detection of actual viruses/malware.
Regards,
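As an added example, not code from the thread or from ClamAV/ClamWin: the two things GuitarBob recommends in his posts above (whitelisting a known false positive by signature name, and keeping PUA detections apart from real signature hits) done on the ClamAV command line. It assumes a ClamAV install with clamscan on PATH and takes the database directory as an argument; the sample scan lines are constructed, not real scan results.

```shell
#!/bin/sh
# Added example (not code from the thread or from ClamAV/ClamWin). Assumes a
# ClamAV install with clamscan on PATH; the database directory is passed in
# (e.g. /var/lib/clamav). The triage function works offline on constructed lines.
set -eu

# Whitelist one signature by name. ClamAV loads every *.ign2 file found in its
# database directory and skips the signature names listed there, one per line.
write_ignore_file() {
    dbdir=$1; sig=$2
    mkdir -p "$dbdir"
    printf '%s\n' "$sig" >> "$dbdir/local.ign2"
    printf '%s\n' "$dbdir/local.ign2"
}

# Triage one clamscan result line ("path: SIGNATURE FOUND" or "path: OK").
# PUA.* and Heuristics.* names are optional/heuristic detections, not malware
# signatures, which is the distinction the thread draws.
classify_detection() {
    line=$1
    case $line in
        *" FOUND") ;;
        *) echo "clean"; return 0 ;;
    esac
    sig=${line%" FOUND"}
    sig=${sig##*": "}
    case $sig in
        PUA.*)        echo "pua" ;;
        Heuristics.*) echo "heuristic" ;;
        *)            echo "malware" ;;
    esac
}

# Scan with PUA detection on but the Packer category (which holds
# PUA.Win32.Packer.NetExecutable) excluded; only runs if clamscan is installed.
scan_without_packer_pua() {
    target=$1
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed, skipping" >&2; return 0; }
    clamscan --detect-pua=yes --exclude-pua=Packer "$target"
}

# Demonstration on constructed sample output (not a real scan).
printf '%s\n' \
    '/home/user/WebPlatformInstaller.exe: PUA.Win32.Packer.NetExecutable FOUND' \
    '/home/user/notes.txt: OK' |
while IFS= read -r l; do
    printf '%s -> %s\n' "$l" "$(classify_detection "$l")"
done
```

Dropping the `.ign2` file into the database directory silences only the named signature, so a genuine hit on anything else still reports as usual.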