typojinx
Joined: 22 Jan 2013
Posts: 0
Location: Manchester, UK
Posted: Tue Jan 22, 2013 2:44 pm
Came across an issue on an XP system at the end of a scan after a first install of ClamWin.
Clam Sentinel is not installed.
ClamWin had been updated prior to running the scan.
The scan report is as follows:
Scan Started Tue Jan 22 12:57:41 2013
-------------------------------------------------------------------------------
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\autorun.inf: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\mediainfo.xml: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\microsoft.vc80.crt.manifest: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\msvcr80.dll: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\setup.exe: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\setup.exe.config: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\sqmapi.dll: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\master.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\mastlog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\model.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\modellog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\MSDBData.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\MSDBLog.ldf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\tempdb.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\templog.ldf: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\default: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\software: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1637199
Engine version: 0.97.6
Scanned directories: 7798
Scanned files: 46997
Infected files: 0
Data scanned: 14162.28 MB
Data read: 13311.75 MB (ratio 1.06:1)
Time: 5094.329 sec (84 m 54 s)
The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\WINDOWS\system32\dllcache\sol.exe: [Win.Trojan.Swrort-1867] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at https://www.clamav.net/sendvirus/
--------------------------------------
Completed
--------------------------------------
A check on Virustotal.com comes back with only ClamAV detecting the uploaded sol.exe, as a false positive with the exact same description.
See https://www.virustotal.com/file/a6fc95a5b288593c9559bd177ec43bf9b30d8a98cf19e82bf5a1ba5600857f04/analysis/ or search for a6fc95a5b288593c9559bd177ec43bf9b30d8a98cf19e82bf5a1ba5600857f04 on virustotal.com if the link has expired.
So, I submitted a false positive report, uploading the exact file, and got the following message back:
"Result:
This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures.
Please correct the above errors and retry. Thank you for helping the ClamAV project."
I have since manually updated ClamWin with the latest daily.cld and rescanned sol.exe, but got the same result.
Is this just an FP report site glitch or is something else going on?
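The report above carries more than the one false positive: every "Can't open file ... Permission denied" line is a file the engine never scanned. Most of those are expected on a live Windows box (the pagefile, the registry hives under system32\config, SQL Server data files held open by the service), but anything outside that set is an unscanned file worth a look. The following Python script is an added example for this thread, not code from ClamWin or the ClamAV project; it parses the posted report, splits the unreadable files into routine locks and ones to review, extracts the FALSE POSITIVE entry with its signature name, and hashes file bytes for a VirusTotal lookup or an FP submission. The classification rules are my own assumptions about what is normally locked on an XP / SQL Server host, not ClamAV behaviour.

```python
"""Triage a ClamWin / clamscan report (added example, not ClamWin/ClamAV code).

Splits 'Permission denied' warnings into routine locks and files to review,
pulls out FALSE POSITIVE lines, and parses the summary block.  Which locks
count as routine is an assumption of this script, not ClamAV behaviour.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Abridged copy of the report posted above (real report text, shortened).
REPORT = r"""Scan Started Tue Jan 22 12:57:41 2013
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\autorun.inf: Permission denied
WARNING: Can't open file C:\740de4d0a11e6ba7627f5c1576\setup.exe: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\master.mdf: Permission denied
WARNING: Can't open file C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008DGCS\MSSQL\DATA\mastlog.ldf: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SAM: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\SECURITY: Permission denied
WARNING: Can't open file C:\WINDOWS\system32\config\system: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 1637199
Engine version: 0.97.6
Scanned directories: 7798
Scanned files: 46997
Infected files: 0
Data scanned: 14162.28 MB
Data read: 13311.75 MB (ratio 1.06:1)
Time: 5094.329 sec (84 m 54 s)
The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\WINDOWS\system32\dllcache\sol.exe: [Win.Trojan.Swrort-1867] FALSE POSITIVE FOUND
"""

WARN_RE = re.compile(r"^WARNING: Can't open file (.+): Permission denied$")
FP_RE = re.compile(r"^(.+?): \[([^\]]+)\] FALSE POSITIVE FOUND$")
SUMMARY_RE = re.compile(r"^([A-Z][A-Za-z ]+): (.+)$")


def is_routine_locked(path: str) -> bool:
    """Assumption: these files are always open on a running XP / SQL host."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in {"pagefile.sys", "hiberfil.sys"}:
        return True                       # memory-backed, never readable
    if "\\system32\\config\\" in p:
        return True                       # live registry hives (SAM, SECURITY, ...)
    if "\\catroot2\\" in p:
        return True                       # CryptSvc catalog database
    if name.endswith((".mdf", ".ldf")):
        return True                       # SQL Server data/log files held by the service
    return False


@dataclass
class Triage:
    routine_locked: list[str] = field(default_factory=list)
    needs_review: list[str] = field(default_factory=list)     # unscanned, not a known lock
    false_positives: list[tuple[str, str]] = field(default_factory=list)  # (path, signature)
    summary: dict[str, object] = field(default_factory=dict)


def triage(report: str) -> Triage:
    out = Triage()
    in_summary = False
    for line in report.splitlines():
        if (m := WARN_RE.match(line)):
            path = m.group(1)
            (out.routine_locked if is_routine_locked(path) else out.needs_review).append(path)
        elif (m := FP_RE.match(line)):
            out.false_positives.append((m.group(1), m.group(2)))
        elif "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary and (m := SUMMARY_RE.match(line)):
            key, val = m.group(1), m.group(2)
            out.summary[key] = int(val) if val.isdigit() else val
        elif in_summary:
            in_summary = False            # first non "Key: value" line ends the block
    return out


def sha256_hex(data: bytes) -> str:
    """Hash the flagged file's bytes; this is the key to search on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    t = triage(REPORT)
    print(f"{len(t.routine_locked)} routine locked files, {len(t.needs_review)} unscanned files to review:")
    for p in t.needs_review:
        print("  ", p)
    for path, sig in t.false_positives:
        print(f"FP candidate {path} flagged as {sig}; hash it and check VirusTotal first")
    # Constructed stand-in bytes; in practice read the real sol.exe in binary mode.
    print("sha256 of stand-in:", sha256_hex(b"constructed stand-in, not sol.exe"))
```

Run it on the full report saved from ClamWin (`triage(open("report.txt").read())`) and compare the hex digest of the flagged file against the one you search for on VirusTotal; if the digests differ, you uploaded a different file than the one ClamWin flagged.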
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Jan 22, 2013 5:00 pm
Okay. Perhaps the Virus Total copy of Clam AV did not have the latest update, so give it another couple of hours and then do a rescan. Also resubmit to Clam AV: perhaps the signature is very recent, and the Clam user submission interface was not synchronized. If it is still not detected by anything else on Virus Total, is detected by ClamWin, but is not detected by the Clam submission, get back here.
Regards,
typojinx
Joined: 22 Jan 2013
Posts: 0
Location: Manchester, UK
Posted: Thu Jan 24, 2013 9:06 am
I've checked Virus Total again with the same file that was originally uploaded and it's coming back clean.
Thanks for your help!
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Jan 24, 2013 2:08 pm
So it was all because of timing, eh? Most of the Clam signatures are now automated, and there will be a certain amount of false positives because of that: every signature is done the same way regardless of the specifics of a file. Thankfully, ClamWin has some protection against quarantine of important system files. Keep on reporting all false positives though.
Regards,