False Positives
thebrain
Joined: 04 Dec 2014
Posts: 0
Posted: Fri Oct 30, 2015 7:58 pm

Getting a report of a virus from the scheduled scan, but each time it's one of ClamWin's own temp files.
C:\DOCUME~1\bhenson\LOCALS~1\Temp\clamav-226b2afbe646a709a1b9848ce6d6fe05.00001724.clamtmp: W32.Virut.Gen.D-148 FOUND
I tried adding *.clamtmp to the exclude list but it still complains about these files each time.
Running ClamWin 98.7

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Oct 30, 2015 11:38 pm

Strange!
I don't know if it will help but try excluding the full location:
C:\DOCUME~1\bhenson\LOCALS~1\Temp\*.clamtmp
Regards,
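An added example, not code from the thread or from ClamWin: a small Python triage filter that parses clamscan-style "path: SIGNATURE FOUND" report lines, applies the exclusion globs discussed above (bare `*.clamtmp` and the full Temp path) case-insensitively against both the full path and the bare file name, and flags hits whose names look like the scanner's own temp files so they can be verified separately (for example by submitting them as a suspected false positive). The `clamav-*.clamtmp` naming convention is assumed from the path quoted in the thread, and all sample report lines other than that one are constructed.

```python
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample report; line 1 reproduces the path quoted in the thread.
SAMPLE_REPORT = (
    "C:\\DOCUME~1\\bhenson\\LOCALS~1\\Temp\\clamav-226b2afbe646a709a1b9848ce6d6fe05.00001724.clamtmp: W32.Virut.Gen.D-148 FOUND\n"
    "C:\\Program Files\\Example\\tool.exe: W32.Virut.Gen.D-148 FOUND\n"
    "C:\\DOCUME~1\\bhenson\\My Documents\\notes.txt: OK\n"
)

@dataclass
class Finding:
    path: str
    signature: str
    excluded_by: Optional[str]  # exclusion pattern that suppresses it, if any
    scanner_temp: bool          # name looks like the scanner's own temp file

def parse_report(text: str) -> List[tuple]:
    """Return (path, signature) for every 'FOUND' line; skip OK/other lines."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(" FOUND"):
            continue
        path, sep, sig = line[: -len(" FOUND")].rpartition(": ")
        if sep:
            hits.append((path, sig))
    return hits

def matches_exclusion(path: str, patterns: List[str]) -> Optional[str]:
    """First glob matching the full path or the bare file name (case-insensitive)."""
    candidates = (path.lower(), ntpath.basename(path).lower())
    for pattern in patterns:
        if any(fnmatch.fnmatchcase(c, pattern.lower()) for c in candidates):
            return pattern
    return None

def is_scanner_temp(path: str) -> bool:
    # Assumed naming convention, taken from the path quoted in the thread.
    return fnmatch.fnmatchcase(ntpath.basename(path).lower(), "clamav-*.clamtmp")

def triage(text: str, patterns: List[str]) -> List[Finding]:
    return [Finding(p, s, matches_exclusion(p, patterns), is_scanner_temp(p))
            for p, s in parse_report(text)]

def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Hits that are neither excluded nor the scanner's own temp files."""
    return [f for f in findings if f.excluded_by is None and not f.scanner_temp]
```

Running `triage(SAMPLE_REPORT, ["*.clamtmp"])` marks the Temp hit as both excluded and scanner-generated, leaving only the constructed `tool.exe` hit in `needs_attention`.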

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Sat Oct 31, 2015 2:30 am

It would be best to upload the file to VirusTotal. Then submit the file and the VirusTotal report to ClamAV false positive support here: https://www.clamav.net/contact
However, I think some of these false positives are happening because of incompatibility with the YARA and Snort rules that are being introduced in .99. The YARA and Snort rules do not work with .98.7 and under.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Oct 31, 2015 2:39 am

Virut is an old virus now, and I'm sure the authors have moved on. The Clam AV Virut signatures were subject to many false positives.
Regards,

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Sat Oct 31, 2015 7:40 pm

That looks like a generic signature. I didn't know ClamAV was writing generic signatures. Would explain why I haven't seen any new bytecode signatures in a long time now. Generic signatures can last weeks to months before it would need to be updated. Generic signatures can detect families of malware.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Oct 31, 2015 8:24 pm

Problem with the generic stuff is that it should be really tested extensively. Clam AV does not/did not have many Windows system/app files on its false positive farm, so the Virut sigs always zapped valid Windows files (Office, some system files) that had been changed since the last Virus sig. Clam was always so glad to get the latest Virut sig that they never bothered to change their very simple Virut signature process. There's more to a good generic signature than wildcards! Every Clam Sentinel heuristic signature is a generic signature which can detect a very broad category of malware.
Regards

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Sun Nov 01, 2015 12:34 am

Well, I don't know how true that is today, but at least ClamWin has a false positive safeguard for valid digitally signed Microsoft files.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Nov 01, 2015 12:38 pm

I haven't seen it yet (in ClamWin's v.98.7) as of about a week ago. ClamWin had this protection years ago. Clam Sentinel started using digital sigs in its detection process when Clam AV was scared of them back in 2012.
There's more to a good generic sig than a few wildcards. That is 2008 technology.
Regards,