ClamWin Free Antivirus
Support and Discussion Forums

Poll: Is Adgazelle an Adware?
Obviously!: 100% [1 vote]
Probably Not...: 0% [0 votes]
Total Votes: 1

[Win.Adware.Adgazelle-1]Real Adware or False Positive?
AppMiner


Joined: 25 Dec 2013
Posts: 0
Location: App Mine
Hello, I have a large collection of FOSS, and every time I download something I scan it through VirusTotal and ClamWin on my PC.
All of them I scan used to be green and undetected by any antivirus, and I repeated the scan countless times.
But today I found unexpected results from ClamWin.

Here's my detection report:
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\AnVir Task Manager_7.5.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\APK Icon Editor_0.6.exe: Win.Trojan.11366268 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Ares Galaxy_2.2.7.exe: Win.Trojan.Banker-14020 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Bandizip Admin_3.11.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\BitComet_1.37_x64.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\BitComet_1.37_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Crawler Classic Start 8_1.0.0.16.exe: Win.Adware.PCFixSpeed FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Dr.Memory_1.7.0-5.exe: Win.Adware.Linkular FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\FlashPeak SlimBoat Browser_1.1.50_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\FlashPeak SlimBrowser_7.00.101.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Foobar2000_1.3.2.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\GetGo Download Manager_4.9.0.1982.exe: Win.Trojan.11366268 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\K-Meleon Web Browser_74.0 Beta3.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\MyFlare A.K.A. CX(2GB Storage).exe: Win.Trojan.11366268 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\NTWind VistaSwitcher_1.1.5.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\PCloud Sync XP(20GB Storage)_1.1.3.exe: Win.Trojan.Generickd-77 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Piriform CCleaner Slim_4.15.exe:Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Piriform Defraggler_2.17.898.exe:Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Piriform Recuva_1.50.1036.exe:Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Piriform Speccy_1.25.674.exe:Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\PortableApps.com_11.2.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\QupZilla Web Browser_1.6.3.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Rainmeter_3.0.1.2151.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Rebaslight Special Effects_2.1.1.exe: Win.Trojan.Generickd-77 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Rebaslight_2.1.1.exe: Win.Trojan.Generickd-77 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\RetroShare_0.5.5c 7261.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\SMPlayer_0.8.6_x64.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\SMPlayer_0.8.6_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\SMPlayer_14.3_x64.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\SMPlayer_14.3_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Steam_2.0.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\UMPlayer(By SMPlayer Team)_0.98.2_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Universal USB Installer(Linux Installer)_1.9.5.2.exe: Win.Trojan.Domaiq-40 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\VideoPsalm_1.14.0.14022.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\VirusTotal Uploader_2.2.exe: Win.Trojan.Generickd-77 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Wacom Bamboo Dock_4.1.exe: Win.Adware.Agent-6998 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Winamp_5.6.6.3516.exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\WinTVCap_GUI_3.6.8.exe: Win.Trojan.Killfiles-323 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Wuala(5GB Storage).exe: Win.Adware.Adgazelle-1 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\XP Codec Pack_2.6.4.exe: Win.Trojan.Agent-709498 FOUND
D:\Storage\Windows Apps\Program Installers\Exe\Win2000 & Above\Zim Portable(Text Editor)_0.60.exe: Win.Adware.Adgazelle-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3494098
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 1047
Infected files: 41

Data scanned: 24139.96 MB
Data read: 15932.82 MB (ratio 1.52:1)
Time: 5065.255 sec (84 m 25 s)

--------------------------------------
Completed
--------------------------------------


I've got some clues that I've gathered from my intel:
1. Adgazelle has its official website: https://adgazelle.com/
2. Adgazelle is one of the PPI (Pay-Per-Install) providers, the same as the likes of
OpenCandy, InstallCore, InstallQ, Somoto Inc, InstallMonetizer, Spigot:
the true culprits that pull the strings behind these adware bundles.
3. All of those providers above are always detected by the ESET AV engine. ClamAV/ClamWin can detect some of them.
4. Right now no other AV engine on VirusTotal can detect Adgazelle; only the ClamAV engine can.
5. I've compared the detections from my ClamWin PC and VirusTotal; they match perfectly.
6. Compared to other PPIs, Adgazelle is the most harmless PPI among them, and less so than OpenCandy,
because I never found any bundles after installing these installers at all.
Maybe Adgazelle only tracks install statistics, while other PPIs contain physical software bundles.
7. Most of these detections are freeware; a much smaller number of detections are open source.
8. The 1047 files are all files that I scanned with VirusTotal, and they're all green and clean at 0/54.
9. The ClamAV engine started being able to detect these 41/1047 about 2 months ago.

So I'd like to ask, to make sure: is this really adware or a false positive?
If this is real adware, that would be a new adware discovery, since Clam is the first one to detect Adgazelle.
And I never thought that BitComet, Piriform CCleaner, SMPlayer, Foobar, Winamp, Wacom, Steam were that sneaky.
I was even sure that the last Winamp version had already removed OpenCandy, but still they put in another PPI. Ow.... that's sneaky~.
Wacom is another one; they're a reliable mouse/pen drawing company, and Steam is unavoidable.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
There is so much adware out there now that some AVs do not detect it unless it is really bad. I think that Eset (Nod32) and Dr. Web are the best AVs for detecting adware. I would go by what they say on Virus Total. I also use the Wepawet site at https://wepawet.iseclab.org/ on the web to test Windows executables that are hard to identify as safe or bad.

If ClamWin suddenly starts detecting a file as infected and the file has not changed in a while, it is probably a false positive detection. If you suddenly get a bunch of the same detections, it is probably a false positive. If possible, submit false positives to Clam AV (ClamWin uses the Clam AV engine) so they can correct the signature.

If you are not sure something contains adware, look at where you got the file--stay away from questionable sites.

Thanks for using ClamWin!

Regards,
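GuitarBob's two rules above (a sudden burst of identical detections, or a hit on a file that has not changed in a while) can be automated over a ClamWin report. This is an added example, not code from the thread or from the ClamWin/ClamAV projects; the report lines and paths are constructed, and the baseline of SHA-256 hashes is assumed to have been built with `sha256_file` after an earlier clean scan:

```python
import hashlib
from collections import defaultdict

# Constructed sample in clamscan's report format (paths are made up).
SAMPLE_REPORT = """\
D:\\Installers\\BitComet_1.37_x64.exe: Win.Adware.Adgazelle-1 FOUND
D:\\Installers\\SMPlayer_14.3_x86.exe: Win.Adware.Adgazelle-1 FOUND
D:\\Installers\\Foobar2000_1.3.2.exe: Win.Adware.Adgazelle-1 FOUND
D:\\Installers\\Piriform CCleaner Slim_4.15.exe:Win.Adware.Adgazelle-1 FOUND
D:\\Installers\\VirusTotal Uploader_2.2.exe: Win.Trojan.Generickd-77 FOUND
D:\\Installers\\Wacom Bamboo Dock_4.1.exe: Win.Adware.Agent-6998 FOUND
D:\\Installers\\notepad-plus.exe: OK
----------- SCAN SUMMARY -----------
"""


def parse_report(text):
    """(path, signature) for every FOUND line. ClamWin sometimes omits the
    space after the colon, so split on the last colon, not on ': '."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" FOUND"):
            path, sig = line[:-len(" FOUND")].rsplit(":", 1)
            hits.append((path.strip(), sig.strip()))
    return hits


def sha256_file(path, chunk=1 << 20):
    """Hash a file on disk; run this over the collection after a clean scan
    to build the baseline that triage() compares against."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(hits, baseline, current, min_cluster=3):
    """baseline/current map path -> sha256 from the last clean scan and now.
    Flags (a) one signature firing on min_cluster+ files in a single scan and
    (b) detections on files whose bytes are identical to the clean baseline;
    both are FP candidates to submit to ClamAV before cleaning anything."""
    by_sig = defaultdict(list)
    for path, sig in hits:
        by_sig[sig].append(path)
    clusters = {s: p for s, p in by_sig.items() if len(p) >= min_cluster}
    unchanged = sorted(p for p, _ in hits
                       if p in baseline and baseline[p] == current.get(p))
    return {"cluster_suspects": clusters, "unchanged_detections": unchanged}


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT), baseline={}, current={}))
```

A flagged signature is only a candidate: confirm on VirusTotal or with the vendor's own download hash before submitting it as a false positive.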
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
I wonder if this has anything to do with the email signatures I got from ClamAV. All of them were sent today, too. 13 emails were sent today from ClamAV saying virus database updates (unusual because usually they only have like 7 max a day). 8 of them are saying [WARNING: A/V UNSCANNABLE] (unusual because I have never seen this before as long as I have used ClamWin). I am wondering what is going on with their database today. This might be why you are having adware issues on your system.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
RRK: I no longer get email notices from Clam AV about signature releases. There appears to be some sort of problem at Clam AV based on the message you received. Try to inform Clam AV about this if you can. There is a contact link on their web page. Try email to jesler@sourcefire.com if you can't find anyone. Joel Esler is the Clam AV open source representative.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Wait. I found out the issue. The emails I got were all from different databases from different days. For some reason, I seem to have gotten all of them today. I got three from June 25th, 3 from June 27th, 1 from June 30th, 1 from July 1st, and 1 from July 3rd. I will try contacting ClamAV as to why this happened and I will reply back here with their answers.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Strange...

Regards,
AppMiner


Joined: 25 Dec 2013
Posts: 0
Location: App Mine
I think it's ok to keep Adgazelle detected. I'm afraid that if I submit this as a false positive,
ClamAV/ClamWin will be unable to reveal the mastermind behind Adgazelle anymore.
Because of Clam's detection, I discovered that Adgazelle is one of those PPI (pay-per-install) companies.
I've researched that Adgazelle is one of the newest companies that cannot be detected by any antivirus yet (except Clam).

From my viewpoint:
It's really adware......... but it's harmless,
because they don't offer any bundled software like OpenCandy at all.
They just record statistics from user installs and pay commission to the program creators.
Also, if any installer reveals PPI (pay-per-install) companies, it's 100% confirmed that it contains adware inside.
Since some freeware programmers start to starve and cannot wait for donations, they
start to make money from PPI instead. That's the real cause why freeware starts to succumb into greyware.
Also some open source software has started to succumb as well, like: DVDStyler, CamStudio, FrostWire <<< avoid them at all cost.

So I leave my research & clues for ClamWin/ClamAV to decide.
In my case it's too complicated to decide it's a false positive, because it's harmless.
But it's good to detect it, to know which installers are "AD Supported Software."
Now I know that these installers with Adgazelle are "AD Supported Software."

PS. However, I'll submit Win.Trojan.Generickd-77 as a false positive instead,
because it's impossible for the VirusTotal Uploader to be a trojan.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
As I mentioned, a lot of AVs do not detect adware unless it is really bad. In fact, some free versions of commercial AVs install toolbars and change your search engine. The general feeling in the AV community is that if the user is notified of this during installation or can check a block to opt out, then it is not adware. You should read the installation information/notes carefully before installing anything.

Thank you for your research.

Regards.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Well, most of them aren't adware at all. I do know that some time long ago stuff like Crawler and foobar2000 was detected by many anti-viruses as adware. Not too sure if they still are today. Anyways, still haven't gotten an email back from ClamAV about the email issue.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Joel messaged me back (not very talkative it seems). He told me they were stuck in the queue. I guess my issue didn't have anything to do with this. Sorry for the misunderstanding.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I imagine Joel is pretty busy. He's okay--committed to open source, but he has a lot of hats to wear.

I'm continuing to see some false positive infections from ClamWin that are not detected by the more recent Clam AV version on Virus Total--I wish the developers would get us a ClamWin .98.3 or .98.4 beta soon. Clam AV cannot do anything about this--the detection is only on the ClamWin side due to the current old version we are using. The old Clam AV team helped us out in a similar situation in the past, but we don't have the relationship with the current team now.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Porting over OpenSSL is probably not easy to do, considering it is new to everyone. That's probably why there is such a long delay. I have always wondered, though, what will happen to ClamWin if ClamAV shuts down or is no longer an open-source product? Would ClamWin shut down or just take off from where they last left off? Hopefully the ClamWin team has signature makers and can continue to build off the scan engine, considering they are more used to just porting over the ClamAV one.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The ClamWin team consists of the 2 part-time developers. Sherpya handles the ports, and Alch does everything else. I try to help out here on the web site, and there are a handful of beta testers. There are no sigmakers or other staff. If Clam AV shut down or changed status to something else besides open source, I think ClamWin would have to shut down due to lack of access to Clam AV for new virus signatures and new detections. On the other hand, Andrea has configured Clam Sentinel so that it can operate in heuristic mode without ClamWin and the Clam AV signatures.

In my opinion, loss of signatures and new Clam AV "detections" would not affect user security too badly. Even without the Clam AV signatures, the Clam Sentinel heuristics would still detect 70-90% of existing/new Windows PE file malware for the foreseeable future. Andrea might have to add some detections for non-PE malware, such as PDF, Office malware, and javascript malware. He tested Sentinel with the Bitdefender signatures a couple of years ago but decided that there was a potential problem with Bitdefender being a commercial AV. He might be able to get Microsoft to let him use the Microsoft Malicious Removal Tool signatures to supplement the Sentinel heuristics. Where there is a will, there is a way!

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Hope the best of luck for Andrea and Clam Sentinel.

By the way, ClamAV released another beta version for .98.5. https://www.clamav.net/lang/en/2014/07/08/clamav-0-98-5-beta-has-been-posted/ It will be another month before .98.5 becomes stable. Does this mean another delay before the next ClamWin update? It looks like it is just meant for file collecting for their bytecode. Doesn't seem too important, but maybe ClamWin should do .98.4 and then do a .98.5 version, since they are 3 versions behind.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, it is hurting the false positives a bit now for ClamWin to be behind Clam AV in versions. Most likely the developers will do a version .98.4 port. Alch is away from his home in Australia for a couple of more weeks. He wanted to compile Sherpya's version .98.4 port while away but hasn't done so yet--maybe too busy or maybe he needs access at home. After he returns, we will get some sort of port, and we should shortly know more about progress on the ClamWin real-time scanner then also. A RT scanner will be a step in moving a bit away from Clam AV dependency--you could build some independent detection techniques around it. Andrea will have to change Clam Sentinel a bit because he presently does a heuristic scan and then a ClamWin scan. If ClamWin goes real-time, he will probably have to reverse them, as the ClamWin RT scan will offer better file control than the technique he has been using, and it is a better sequence with signatures first. He had to do it that way because there is presently no file control with ClamWin--it's an on-demand scanner.

Regards,