For file DNSAPI.DLL I get a False Positive warning during a memory scan but not during a scan of the System32 folder where it is located. Does anyone else experience this? There may be a couple of other files like this as well.

Regards,

I am not getting this issue during memory scan or if I scan the system32 folder. I think these false positives are coming from the YARA and Snort rules that are being added to .99 and they are producing so many false positives because they are not compatible with versions under .99. I suspect ClamAV will end up dropping everything under .98, then will drop .98 after 1.0 comes out because of this.

Neither I nor Virus Total (no Clam FP there) are using v.99 at the moment however, so I don't think this is the cause of the problem. I think it's the ClamWin mem scan, which gives a different treatment than the regular clamscan.

Regards,

What I meant was, the reason why these false positives rules are happening is because you are not using .99, which is where the YARA and Snort rules are being added to. The YARA and Snort rules may not be compatible with versions under .99 (like .98.7, .98.6, .98.5, etc) Unless these rules are not added as signature files, then this would be why were are getting false positives.

Could be, RRK. I recall that one time ClamWin gave so many FPs after a new version of Clam before the ClamWin developers could incorporate the new version that Clam AV came up with some special sigs to prevent the FPs. Wish we still had that kind of relationship.

Regards,