Question about a Microsoft Digital Signature on a FP file
GuitarBob
Hello Lipper:
It's good to hear from you! See if you can find a digital signature in the file. Right click on the file and select properties to bring up the properties screen. Click on the Digital Signatures tab if it has one. Then click on the signature and verify it. If the file has a digital sig, it will have a tab for it on the properties screen. Did you check the file on Virus Total? I think the digital signature check is a ClamWin function. As far as I know, the Clam AV team still refuses to verify digital signatures and uses them in a different way than ClamWin/Clam Sentinel. I'm not sure, but I believe they use a black list of "bad" digital sigs. Clam AV is still scared of digital sigs since one is stolen once in a while. Potentially unwanted advertising files are using them more and more, but at least 90% of valid digital signatures still indicate a "good" file, which is good enough for me. Regards,
Lipper
Good morning, GuitarBob:
Yes, it has been too long. We will catch up soon, I promise. There is no tab for Digital Signatures in file properties, which is what I based my statement on. I found one reference online that said a file with the same hash, but named A0006652.exe, was digitally signed. And yes, I did submit the file to VirusTotal. The link is: https://www.virustotal.com/en/file/59867183f02d0e1236589b721ed67fdc384c93341909966fd2564cccb441d88d/analysis/ As ever, Lipper
ROCKNROLLKID
Don't forget about me, haha.
As for the FP, you can exclude the file temporarily and remove the exclusion after ClamAV has patched it. The ClamAV team has been working on improving ClamAV. 0.99 has added some major detection improvements, and my only hope is that 1.0 or whatever major version comes after 1.0 will have some scan performance improvements, probably cloud services.
GuitarBob
The link you gave shows the file is in Microsoft's trusted catalog of files, so it is definitely a false positive. It is definitely a ClamWin detection, so submit it to Clam AV as a false positive so they can update their signature or whitelist it. In the meantime, you can temporarily whitelist it in your local copy of ClamWin--it may take Clam some time to get around to whitelisting.

Below is the whitelist format.

MD5hash:filesize:SID#_filenamenoextn

With no submission ID, you can use MMDDYY for the Submission ID # but keep the underscore as a separator. Do not use an extension--just the filename. Example:

8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel

Regards,
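An added example, not code from ClamWin, Clam Sentinel or the ClamAV project: a small Python helper that builds a whitelist line in the MD5hash:filesize:SID_filename layout Bob gives above, parses an existing .fp file and reports malformed lines, and checks whether a file's MD5 and size match an entry (the two fields ClamAV actually compares). The function names are my own, and the sample content is a constructed stand-in, not the real write.exe.

```python
"""Build and check ClamAV .fp false-positive whitelist entries.

Layout used in the thread: MD5hash:filesize:SID_filenamenoextn
All helper names here are hypothetical; the sample bytes are constructed.
"""
import datetime
import hashlib
import re

# One .fp line: 32 hex chars, a decimal size, and a label with no colon or whitespace.
FP_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):([^:\s]+)$")


def fp_label(filename, sid=None):
    """Label part of the entry: submission id (MMDDYY when there is none),
    an underscore, then the file name without directory or extension.
    Both Windows and POSIX separators are handled so the helper works anywhere."""
    if sid is None:
        sid = datetime.date.today().strftime("%m%d%y")
    base = re.split(r"[\\/]", filename)[-1]
    base = base.rsplit(".", 1)[0] if "." in base else base
    return f"{sid}_{base}"


def fp_entry_for_bytes(data, filename, sid=None):
    """Whitelist line for in-memory file content."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{fp_label(filename, sid)}"


def fp_entry(path, sid=None):
    """Whitelist line for a file on disk, hashed in chunks so large files are fine."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{fp_label(path, sid)}"


def parse_fp(text):
    """Parse the lines of a .fp file. Returns (entries, errors); entries are
    (md5, size, label) tuples and errors describe lines that would not load."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FP_LINE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed entry {line!r}")
            continue
        md5, size, label = m.groups()
        entries.append((md5.lower(), int(size), label))
    return entries, errors


def whitelisted(entries, data):
    """True when the content's MD5 and size match some entry; the label is
    only a human-readable tag and takes no part in the match."""
    md5 = hashlib.md5(data).hexdigest()
    return any(e[0] == md5 and e[1] == len(data) for e in entries)


if __name__ == "__main__":
    sample = b"constructed stand-in for write.exe, not the real binary"
    line = fp_entry_for_bytes(sample, r"C:\WINDOWS\system32\write.exe", sid="070415")
    print(line)
    entries, errors = parse_fp(line + "\nthis line is broken\n")
    print("matches:", whitelisted(entries, sample), "errors:", errors)
```

The output line goes into a file saved with a .fp extension, as the thread concludes; running `parse_fp` over that file before dropping it in place catches the kind of formatting slip that makes a whitelist silently fail to load.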
Lipper
No, I wouldn't do that. Thank you both for replies. I'm a little confused (well, I'm actually a lot confused LOL). @Bob: Are you saying that ClamWin is accepting Microsoft trusted file status in lieu of a digital signature, and this is why ClamWin is not quarantining the file?
Lipper
To explain my posts better, ClamWin is alerting on the file but exempting it from quarantine because of a digital signature I don't see.

Scan Started Thu Jul 02 17:25:37 2015
------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 4298747
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 107.329 sec (1 m 47 s)
The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\WINDOWS\system32\write.exe: [Win.Trojan.Agent-866396] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at https://www.clamav.net/sendvirus/
-------------------------------------- Completed --------------------------------------

Edit: To reduce size of scan report.
ROCKNROLLKID
I just looked up the file on my system. The copyright is from Microsoft Corporation, so maybe that is why it detected it as a false positive. ClamWin has a feature to flag all valid digital signature files as false positives.
Lipper
Yes, but is a copyright the same as a digital signature?
GuitarBob
No, Lipper. I'm saying that ClamWin detected the file as malicious based on the Clam AV signature, but ClamWin has protection against quarantining valid digitally-signed Microsoft files. I know from my work on Clam Sentinel that there are two types of digital signatures. One type is appended to the file and the other is embedded within the file. It appears that there is no digital sig embedded in the file (to be detected via Properties), so it must be appended, and, apparently, ClamWin is set up to detect both types of digital sigs--just like Clam Sentinel.
I'm not privy to the ClamWin protection, but I believe it only pertains to Microsoft files, while Clam Sentinel looks for all digital signatures. A copyright is not the same thing as a digital signature. A digital signature is issued by a signature authority after verifying the file/developer is okay. It costs money, of course, and some certificate authorities are better/more honest than others. A lot of adware has a valid digital signature, so they are not always "good", but, as I said, 90% is good enough for me. Clam Sentinel has an option to ignore any file with a valid digital sig, which isn't a good practice. See if an unofficial whitelist for the file in ClamWin overrides the Clam AV signature. If Clam AV can't/won't do anything about this detection, you might need an unofficial whitelist item. You can get the MD5 hash and file size for the whitelist item from the Virus Total information. Regards,
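An added example to illustrate Bob's "embedded versus appended" distinction; it is not ClamWin's or Clam Sentinel's code. An embedded (Authenticode) signature is stored inside the PE image, in the security data directory, and is what the Properties dialog's Digital Signatures tab shows; a file with no such directory can still be trusted through a signed catalog (.cat) that lists its hash, which is why Lipper sees no tab while VirusTotal reports the file in Microsoft's trusted catalog. The Python below parses just enough of the PE headers to find the security directory and read the WIN_CERTIFICATE header, and builds a constructed headers-only image to run against; the certificate body is a placeholder, not a real PKCS#7 blob, and chain verification (what signtool or PowerShell's Get-AuthenticodeSignature do) is deliberately out of scope. All function names are my own.

```python
"""Locate an embedded Authenticode signature in a PE file by reading the
security data directory. Helper names are hypothetical; the sample image
built by build_sample_pe() is constructed for the demonstration."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the security directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for Authenticode


def security_directory(data):
    """Return (file_offset, size) of the security directory, or None when the
    image has no embedded signature (unsigned, or catalog-signed only).
    Raises ValueError for anything that is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if opt + size_of_opt > len(data) or size_of_opt < 2:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dirs_off, count_off = 112, 108    # data directories / NumberOfRvaAndSizes
    elif magic == PE32_MAGIC:
        dirs_off, count_off = 96, 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if size_of_opt < count_off + 4:
        return None
    count = struct.unpack_from("<I", data, opt + count_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_opt:
        return None
    off, size = struct.unpack_from("<II", data, entry)   # for this entry the RVA is a raw file offset
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size


def embedded_signature(data):
    """Parse the WIN_CERTIFICATE header at the security directory.
    Returns a dict with length/revision/type and the raw body, or None."""
    loc = security_directory(data)
    if loc is None:
        return None
    off, size = loc
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with directory size")
    return {"length": length, "revision": revision, "type": cert_type,
            "pkcs7": data[off + 8:off + length]}


def signature_kind(data):
    """'embedded' when a signature blob is present, otherwise 'none' (the file
    may still be catalog-signed; that cannot be told from the file alone)."""
    return "embedded" if security_directory(data) is not None else "none"


def build_sample_pe(signed, pe32plus=True):
    """Constructed minimal PE image: DOS stub, PE header, empty section table,
    optionally followed by a fake WIN_CERTIFICATE whose body is placeholder text."""
    magic, dirs_off = (PE32PLUS_MAGIC, 112) if pe32plus else (PE32_MAGIC, 96)
    opt_size = dirs_off + 16 * 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)                 # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        body = b"FAKE-PKCS7-PLACEHOLDER"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        entry = 0x40 + 24 + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("unsigned/catalog-only", build_sample_pe(False)),
                       ("embedded", build_sample_pe(True))):
        print(label, "->", signature_kind(img), embedded_signature(img))
```

Run against a real binary (`open(path, "rb").read()`), `signature_kind` returning "none" matches Lipper's missing Properties tab; it does not mean the file is untrusted, only that any trust comes from a catalog rather than from the file itself, which is the check a scanner has to perform separately.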
Lipper
OK Thank you for a clear explanation. Using your method for whitelisting is unsuccessful. Adding write.exe to the ClamWin filter is also unsuccessful. For giggles, I extracted the executable, but there's not much to it at only 8646 bytes. I will live with it until ClamAV does their part. Thanks again and Happy Fourth to all!
GuitarBob
Lipper, the whitelisting method should work. It is the same as Clam AV uses. I think I forgot to tell you to save the file with a dot fp extension (I use Sigfile.fp).
Regards,
Lipper
Eureka! You're a genius, Bob! The finishing touches did it. I'm only adding it to the installed version of ClamWin. Then, I can use ClamWin Portable to test when ClamAV corrects their signatures. Thanks again, bud.
Lipper
ROCKNROLLKID
Glad your issue was fixed. Let us know if you need any more support.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.