Win.Trojan.Ramnit-2068
GuitarBob
It seems like someone mentioned a Ramnit detection some time ago--maybe in the last 2/3 months, but I don't recall whether or not it was a false positive. To be safe, you should regard any detection as a virus until you find out otherwise. If the file has been on your computer and you have used it recently without any trouble, and it has not been changed, it is likely a false positive. I wouldn't try to guess, however, so I recommend you scan it with Jotti or Virus Total online. If a couple of other AVs detect something besides the Clam AV engine we use, then it is likely a real infection. If Clam AV is the only AV detecting something, then it is likely a false positive. I like to see 2 of these AVs detect something: Avira AntiVir, Bitdefender, Eset Nod 32, Kaspersky, or Sophos.
Regards,
brianroberts
Mark - I have just started to get ClamWin - Infected files report within Adobe Bridge and Photoshop (CS2) re:

C:\Program Files\Adobe\Adobe Photoshop CS2\Bib.dll as Win.Trojan.Ramnit-2068
C:\Program Files\Adobe\Adobe Bridge\epic_regs.dll Win.Trojan.Ramnit-2070
C:\Program Files\Adobe\Adobe Help Center\OperaMgr.dll Win.Trojan.Ramnit-2073
C:\Program Files\Adobe\Adobe Photoshop CS2\ARE.dll: Win.Trojan.Ramnit-2074

I checked to older backup files upon which ClamWin (2 months ago) did not report any infections - it now reports the infections on the old backup files. So it is not down to new files entering my computer. I've had Photoshop CS2 for about 8 years and now ClamWin has decided that some of the files are an infection!
GuitarBob
I suggest you upload those false positive files to Clam AV. Select the submit a file menu item, and then select the false positive report menu item. Clam will correct their signature and all ClamWin users will benefit. It might take a week or longer for someone to manually correct things, so configure ClamWin to ignore those files as excluded file names under the filters tab until the signatures are fixed. It might speed things up if you scan the file with Virus Total--Clam seems to give some sort of preference to VT files.
Regards,
Plinker
I have been using ClamWin for numerous years and was surprised to have false positives as well. Generally I take false positives as real rather than take chances with something compromising my system and security; other antivirals did not agree with ClamWin.
GuitarBob
If you get a few detections that are close together in number (Win.Trojan.Ramnit-2068 and Win.Trojan.Ramnit-2070), that is sometimes an indication that they are false positive detections. If you verify false positives with the Virus Total online scanner, Virus Total can give you additional information about a file--such as when it was first detected. New malware files are often not detected by many AVs for a while, but most infected files should have lots of detections by the time they have been longer than a week. One caveat: most AVs do not do a good job of detecting non-Windows PE files--such as HTML, JS (javascript), and Office-type files (doc/docx/xls/xlsx/ppt/pptx/rtf), so I do not require very many AVs to detect them like I do Windows PE files (most PE file infections are on EXE/DLL files).
Regards,
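
Added example, not part of any post in this thread: a Python sketch of the triage heuristics described above (signature numbers close together within one family, and the "2 of these AVs" second-opinion rule). The report lines follow clamscan's `path: signature FOUND` format; the `window` of 10, the "inconclusive" outcome, the function names and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample report. The first four entries reuse the paths and
# signature names quoted in this thread; the last line is made up.
SAMPLE_REPORT = r"""
C:\Program Files\Adobe\Adobe Photoshop CS2\Bib.dll: Win.Trojan.Ramnit-2068 FOUND
C:\Program Files\Adobe\Adobe Bridge\epic_regs.dll: Win.Trojan.Ramnit-2070 FOUND
C:\Program Files\Adobe\Adobe Help Center\OperaMgr.dll: Win.Trojan.Ramnit-2073 FOUND
C:\Program Files\Adobe\Adobe Photoshop CS2\ARE.dll: Win.Trojan.Ramnit-2074 FOUND
C:\Users\demo\Downloads\setup.exe: Win.Trojan.Agent-9001 FOUND
"""

# Engines named in the thread as preferred second opinions.
TRUSTED = {"Avira AntiVir", "Bitdefender", "Eset Nod 32", "Kaspersky", "Sophos"}
LINE = re.compile(r"^(?P<path>.+): (?P<family>\S+)-(?P<num>\d+) FOUND$")

def parse_report(text):
    """Return (path, family, number) for every FOUND line."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["family"], int(m["num"])))
    return hits

def close_numbered(hits, window=10):
    """Paths whose signature number lies within `window` of another hit
    in the same family (window size is an assumption, not a ClamAV rule)."""
    by_family = defaultdict(list)
    for path, family, num in hits:
        by_family[family].append((num, path))
    flagged = set()
    for entries in by_family.values():
        entries.sort()
        for (n1, p1), (n2, p2) in zip(entries, entries[1:]):
            if n2 - n1 <= window:
                flagged.update((p1, p2))
    return flagged

def verdict(path, clustered, other_engines):
    """other_engines: non-ClamAV engines that flagged the file on a multi-scanner."""
    if len(TRUSTED & set(other_engines)) >= 2:
        return "likely real infection"
    if not other_engines:
        note = " (clustered signatures)" if path in clustered else ""
        return "likely false positive" + note
    return "inconclusive: rescan later"
```

The engine list passed to `verdict` has to be filled in by hand from the multi-scanner result page; the sketch does not query any online service.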
marksch
Thanks for your replies. Now I even installed a version of Photoshop, which came straight from Adobe's servers. Again, Clamwin reports:
I'll try to report this as a false positive. Many thanks to those who have reported seeing similar sudden virus detections. No thanks to those who state the obvious by telling me that I should be careful and treat false positives as real (because that's really not helpful).
Kind regards, Mark
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.