False positives on all portable apps launchers...?

LaurentZG (Joined: 29 Jun 2014, Posts: 0)
Posted: Sun Jun 29, 2014 12:03 pm
Hello,
Yesterday I did a virus scan on the PortableApps folder where ClamWin found Win.Trojan.Agent-723879 in all portable apps launchers. This is 21 apps. One thing that makes this strange is that most of the apps have not been used in a while.
Could someone with portable apps please check if you also get the same results?
Thanks,
LaurentZG

LaurentZG (Joined: 29 Jun 2014, Posts: 0)
Posted: Sun Jun 29, 2014 12:18 pm
Just updated the definition files and did a new scan. This time I didn't get any positives at all. So I guess it has been corrected.
Anyhow if anyone could please confirm what I just wrote, that would be nice.
Thanks

ROCKNROLLKID (Joined: 23 Sep 2013, Posts: 0, Location: **UNKNOWN**)
Posted: Sun Jun 29, 2014 3:00 pm
I would help you out, but I really don't trust portable apps well enough to have them on my system. Although, if ClamWin is no longer detecting it as an infection, as it was in a previous database, it's most likely a false positive. You can always send files through VirusTotal to get better results.

LaurentZG (Joined: 29 Jun 2014, Posts: 0)
Posted: Sun Jun 29, 2014 4:48 pm
Thank you very much for your reply, Rock'n'RollKid.
Regarding VirusTotal, I got more than one hit. Is it this one: virustotal.com?
Could you please elaborate on why you don't trust portable apps well enough to have them on your system?

ROCKNROLLKID (Joined: 23 Sep 2013, Posts: 0, Location: **UNKNOWN**)
Posted: Sun Jun 29, 2014 7:21 pm
The URL is www.virustotal.com. You can upload the files there.
For portable apps, I don't trust them because it's some random people making the apps instead of the actual developers. For instance, the portable version of ClamWin on PortableApps was created by different people and not the actual developers of ClamWin.

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sun Jun 29, 2014 7:31 pm
I have no way of knowing this, but I do think that the portable apps people who tie all the different portable programs together to put under the portable apps umbrella do check the software before it is released. All they have to do is scan with a couple of good AV programs.
When you suddenly get a ClamWin detection on files that have not been used for a while, or when you suddenly get the same detection on different files, it is most likely due to a false Clam AV signature. I see there are some new sigmakers at Sourcefire/Cisco that have been assigned to work (part-time, I'm sure) on Clam AV signatures. Some false positives will result. In addition, when I was working signatures for Clam AV on behalf of ClamWin, they did not have a large database of clean programs on their false positive "farm." This is not a big thing at Clam AV--because false positives are not a problem in the Linux environment for which Clam AV is really designed, and they simply refuse to recognize that there is a Windows environment in which their signatures are used!
Regards,

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sun Jun 29, 2014 8:13 pm
I just did a scan with ClamWin and noted that there are 4 "good" files it detected. Two of them are not detected by Clam on Virus Total, so if the Virus Total Clam AV definitions are up-to-date, this means that they are detected because ClamWin uses the version .98.1 Clam AV port--the new version .98.4 Clam AV port has not yet been developed. Clam AV cannot do anything about this--you will have to whitelist them in ClamWin (and Clam Sentinel also if you use that) until ClamWin finishes the Clam AV version .98.4 port. The other two quarantined files are true Clam AV false positives that are only detected by Clam AV on Virus Total, and I will report them to Clam AV.
Anything you whitelist in ClamWin should be whitelisted in Clam Sentinel also if you use it, because Clam Sentinel uses the ClamWin signatures also. However, Clam Sentinel "suspicious" detections can only be whitelisted in Clam Sentinel--Clam AV cannot do anything about them.
Regards,

ROCKNROLLKID (Joined: 23 Sep 2013, Posts: 0, Location: **UNKNOWN**)
Posted: Sun Jun 29, 2014 9:31 pm
I did notice a few emails I got for signatures on ClamAV were sent from some people I had never seen before in all the time I have used ClamWin. I also did notice an increase in the signature count, including some exploit signatures, over these past weeks. Maybe the merge with Cisco and Sourcefire wasn't such a bad idea after all.

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Mon Jun 30, 2014 11:31 am
The merge can be a good thing if Cisco is committed to open source. However, they have a past record of taking but not giving back where Clam AV is concerned. They seem to have some new sigmakers lately that are probably being broken in on Clam AV signatures--I have seen a rash of new false positives on old files lately because of this. I doubt if you will see any substantive improvements in Clam AV that will compete with their commercial offerings. They do not realize that a free, open source AV can be an aid to improving their commercial stuff if handled right. Look at Panda Free Cloud.
Regards,

Subject: Win.Trojan.Agent-723879 FOUND
hevanr (Joined: 01 Jul 2014, Posts: 0)
Posted: Tue Jul 01, 2014 8:29 pm
Hello LaurentZG,
I am glad you posted about this 'cause I had the same experience. There are several portable application bundles/suites out nowadays. I use portable apps from John Haller's site, Portableapps.com. I just recently scanned my drive and found that the log entry "Win.Trojan.Agent-723879 FOUND" was associated with each and every %*Portable.exe file on my flash drive. I have more than 185 apps on mine. I always keep them up to date, and before using any of the security apps I always download the latest definition files.
I found the consistency of infection suspicious as well, especially because ClamWinPortable.exe was among the many "infected" files.
A scan with MalwareBytes Anti-Malware yielded no problems found.
A scan with SAV yielded no problems found.
Spybot S&D2 gave no problems either.
I ran some through https://www.virustotal.com and everything seemed clear.
Currently waiting on results from herdProtect.com (by the way, ClamAV, the engine ClamWin uses, is part of that group).
If I get time I will rescan, but it looks like it may have been a fluke, possibly in the def file.
It sure has thrown me for a loop though; in the same way a near-miss car accident makes one drive more safely.
Feedback appreciated.
-er
"pay it forward"

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Wed Jul 02, 2014 2:38 am
Multiple detections of the same virus/malware are almost a certain indication of a false positive. You don't have to send all those detected files to Clam AV for signature correction--just send 1 or 2 files and indicate in the remarks section of the false positive submission form that there are many other detections of the same virus. It might also help to upload 1 file to Virus Total, since Clam AV relies heavily upon it for verification.
Regards,
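The rule of thumb GuitarBob gives above (one signature suddenly firing on many different files that have not changed in a while points at a bad signature rather than a real infection) can be turned into a small triage step over a scan log. The script below is an added example written for this thread; it is not code from the forum, from ClamWin or from Clam AV. It parses lines in the "path: signature FOUND" shape that clamscan and the ClamWin log use, groups them by signature, and compares each flagged file's last-modified time with the time the definitions were last refreshed. The log lines, paths and timestamps are constructed; Win.Trojan.Agent-723879 is the signature name from this thread and Constructed.Sample.Sig-1 is a placeholder, not a real signature. In a real run you would feed it the ClamWin log file and take the modification times from os.path.getmtime.

```python
"""Triage a clamscan/ClamWin log for likely false positives (added example).

Signals used, both taken from the thread:
  * breadth  - one signature hits many distinct files
  * staleness - every flagged file predates the last definitions update,
                so the files did not change; the signature did
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# clamscan / ClamWin report lines: "<path>: <signature> FOUND" or "<path>: OK"
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

LIKELY_FP = "likely false positive: submit 1-2 samples to the vendor and check one on VirusTotal"
VERIFY_EACH = "broad hit on recently changed files: verify each file with a second engine"
TREAT_AS_REAL = "isolated hit: treat as real until a second opinion clears it"


def parse_detections(log_text: str) -> dict[str, list[str]]:
    """Group FOUND lines by signature name -> list of affected paths."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = _FOUND_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def triage(hits: dict[str, list[str]], mtimes: dict[str, datetime],
           db_updated: datetime, min_files: int = 3) -> dict[str, str]:
    """Return signature -> verdict.

    mtimes maps each path to its last-modified time (what os.path.getmtime
    would give); db_updated is when the signature database was refreshed.
    A file with no known mtime is never counted as stale.
    """
    verdicts: dict[str, str] = {}
    for sig, paths in hits.items():
        distinct = set(paths)
        broad = len(distinct) >= min_files
        stale = all(p in mtimes and mtimes[p] < db_updated for p in distinct)
        if broad and stale:
            verdicts[sig] = LIKELY_FP
        elif broad:
            verdicts[sig] = VERIFY_EACH
        else:
            verdicts[sig] = TREAT_AS_REAL
    return verdicts


# ---- constructed sample input (not a real scan) ----
SAMPLE_LOG = r"""
E:\PortableApps\ClamWinPortable\ClamWinPortable.exe: Win.Trojan.Agent-723879 FOUND
E:\PortableApps\FirefoxPortable\FirefoxPortable.exe: Win.Trojan.Agent-723879 FOUND
E:\PortableApps\GIMPPortable\GIMPPortable.exe: Win.Trojan.Agent-723879 FOUND
E:\PortableApps\NotepadPlusPlusPortable\NotepadPlusPlusPortable.exe: Win.Trojan.Agent-723879 FOUND
E:\Downloads\setup_tool.exe: Constructed.Sample.Sig-1 FOUND
E:\PortableApps\Start.exe: OK
"""

SAMPLE_DB_UPDATED = datetime(2014, 6, 28, 9, 0)  # constructed: last definitions refresh
SAMPLE_MTIMES = {  # constructed: launchers untouched for months, one fresh download
    r"E:\PortableApps\ClamWinPortable\ClamWinPortable.exe": datetime(2014, 4, 2),
    r"E:\PortableApps\FirefoxPortable\FirefoxPortable.exe": datetime(2014, 3, 15),
    r"E:\PortableApps\GIMPPortable\GIMPPortable.exe": datetime(2014, 2, 20),
    r"E:\PortableApps\NotepadPlusPlusPortable\NotepadPlusPlusPortable.exe": datetime(2014, 5, 1),
    r"E:\Downloads\setup_tool.exe": datetime(2014, 6, 29, 11, 30),
}


def demo() -> dict[str, str]:
    """Run the triage over the constructed sample."""
    return triage(parse_detections(SAMPLE_LOG), SAMPLE_MTIMES, SAMPLE_DB_UPDATED)


if __name__ == "__main__":
    for sig, verdict in demo().items():
        print(f"{sig}: {verdict}")
```

The verdict is a triage hint, not a clean bill of health: a "likely false positive" still gets one or two samples sent to the vendor and a VirusTotal check, as the post describes, and the files stay quarantined until that comes back.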

Subject: false positives
randalhoctor (Joined: 18 Jul 2014, Posts: 0, Location: Dover, DE, US)
Posted: Fri Jul 18, 2014 9:59 pm
Suddenly got a bunch of false positives.
I updated 1st... did a scan and got 4 virus descriptions. I confirmed with AVG and Norton and they show no hits (usually AVG is bad about false positives). Then did Virus Total (thanks to RockNRollKid for the link). Must be a fluke. This is unusual for ClamWin.
version 0.97.6
update 09:21 17Jul2014

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Fri Jul 18, 2014 10:38 pm
I have been getting a few unusual false positives lately--Panda Free Cloud AV and ClamWin Portable, for instance. I am using the latest available version of ClamWin--.98.1. I have checked some of them on Virus Total, and they are not detected by Clam AV there. Therefore, I think this is due to ClamWin not having the latest port of the scan engine from Clam AV--.98.4. There is some new functionality in .98.4 that the ClamWin version .98.1 cannot handle, so it treats such a file as a detection. This has happened a bit in the past. Back then, Clam AV made some changes in its signatures to help us out, but we do not have a close relationship with the Clam AV team any more, so this is something we will have to live with for a while. We may not even be able to blacklist these files to prevent these false positives. If you get a ClamWin detection in a file that has not changed in a while, then it is probably one of these false positives. Of course, it could also be due to a faulty current Clam AV signature, so check the file out on Virus Total to see if there is an actual Clam AV detection there. See if you can whitelist it for ClamWin, but don't be surprised if it is detected even then.
A ClamWin port is in the works, but it needs to be released to the beta testers and tested first, so it will be a while before we users get it.
Regards,