Suspect DoubleExtension

jimswen
Joined: 19 Jun 2013
Posts: 0
Posted: Wed Jun 19, 2013 8:48 pm
Hello. I've been using up-to-date ClamWin on my WinXP machine, but lately I'm drowning in "Suspect.DoubleExtension-zippwd-15 FOUND" messages. Something about scanning zip archives is generating false positives regularly. If I manually extract the whole zip file, the resulting folder is always found to be clean.

I modified one such zip archive (extract, remove both shortcuts ".txt.lnk" and ".pdf.lnk", re-zip) and then it scanned as clean. (The targets of those shortcuts were also included within the archive.)

I made a complementary modified archive, removing all items except the shortcuts, the targets, and the folders they were in. The targets were eviscerated, reduced to a few readable text bytes each. It remained SUSPECT.

So I think the scan is objecting to any shortcut stored in a zip archive. This is going to be a problem for me if that message cannot be suppressed. I tried adding an exclusion for "*.lnk", but the SUSPECT message remained. Am I missing something?
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Jun 19, 2013 10:17 pm
The detection is actually for a zipped file that contains a double extension. In other words, something like filename.txt.lnk. I see this detection frequently when working signatures for malware. A double extension used to be very indicative of malware, but lately lots of legitimate files seem to be using double extensions (including Microsoft's). They should not be using double extensions, as a double extension was one of the first heuristics employed by the antivirus companies. However, they often ignore security implications (heavy packing, sloppy .dll files, etc.) and make it difficult for the AV companies.

I suggest you exclude the exact double extensions you do not want scanned in ClamWin's Preferences, Filters, Exclude Matching Filenames. Use *.1stExtension.2ndExtension. Examples: *.txt.lnk and *.pdf.lnk. That should solve your problem. It's probably not a good idea to exclude all double extensions.
Regards,
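The following is an added example, not code from either poster and not ClamAV's or ClamWin's own logic. It models the idea behind a double-extension heuristic in a small Python script so you can see which entries inside a zip would trip such a check before the scanner does, and how an exclusion like "*.txt.lnk" narrows the result. The extension lists, the exclusion matching, and the sample archive are assumptions constructed for this example; the real Suspect.DoubleExtension signature is not reproduced here, and ClamWin's filter semantics are not reproduced either.

```python
import fnmatch
import io
import zipfile

# Hypothetical heuristic written for this example; it is NOT ClamAV's
# Suspect.DoubleExtension signature, only a model of the idea behind it:
# a document-looking inner extension in front of an executable/shortcut outer one.
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "htm", "html"}
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}

# First bytes of a Windows shell link: HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def basename(entry_name):
    """Last path component of a zip entry name (zip entries use '/' separators)."""
    return entry_name.rsplit("/", 1)[-1]


def double_extension(entry_name):
    """Return (inner, outer) when the name looks like stem.<document>.<executable>, else None.

    'backup.tar.gz' also has two extensions, but neither part is executable,
    so it is deliberately not reported (excluding *all* double extensions
    would be too broad, as the reply above notes).
    """
    parts = basename(entry_name).lower().split(".")
    if len(parts) < 3:  # needs a stem plus two extensions
        return None
    inner, outer = parts[-2], parts[-1]
    if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
        return inner, outer
    return None


def is_shell_link(data):
    """True if the bytes start with a Windows .lnk header."""
    return data.startswith(LNK_MAGIC)


def suspicious_entries(zip_bytes, exclude_patterns=()):
    """Scan a zip held in memory and report entries with a suspicious double extension.

    exclude_patterns are shell-style globs matched against the entry's base name,
    modelled on the '*.txt.lnk' style exclusion suggested in the thread (an
    assumption for this example, not ClamWin's filter behaviour).
    Each hit records the entry name, both extensions, whether the bytes really
    are a shell link, and whether the apparent target (name minus the outer
    extension) is also present in the archive.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {info.filename for info in zf.infolist()}
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = double_extension(info.filename)
            if exts is None:
                continue
            base = basename(info.filename).lower()
            if any(fnmatch.fnmatch(base, pat.lower()) for pat in exclude_patterns):
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            target = info.filename.rsplit(".", 1)[0]
            hits.append({
                "name": info.filename,
                "inner": exts[0],
                "outer": exts[1],
                "is_lnk": is_shell_link(head),
                "target_in_archive": target in names,
            })
    return hits


def build_sample_zip():
    """Constructed sample archive mirroring the poster's description (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "a few readable bytes")
        zf.writestr("docs/readme.txt.lnk", LNK_MAGIC + b"\x00" * 56)  # shortcut to the .txt
        zf.writestr("docs/manual.pdf", "%PDF-1.4 stub")
        zf.writestr("docs/manual.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # shortcut to the .pdf
        zf.writestr("docs/notes.txt.exe", b"MZ fake")                  # not a link, still suspect
        zf.writestr("backup.tar.gz", b"\x1f\x8b")                      # benign double extension
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_entries(build_sample_zip()):
        print(hit)
    print("after excluding *.txt.lnk:",
          [h["name"] for h in suspicious_entries(build_sample_zip(), ("*.txt.lnk",))])
```

Run it as-is to see the constructed archive's three flagged entries, then pass your own zip's bytes to suspicious_entries() to list exactly which entry names carry the document-then-executable pattern. The is_lnk field separates genuine shortcuts from files that merely have a .lnk name, and target_in_archive shows the "target also in the zip" situation the original poster described; a shortcut whose target is absent deserves a closer look than one whose target sits beside it.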
All times are GMT
Content © ClamWin Free Antivirus