The scanner screen/list is overflowing and real threats lost
Fojtik


Joined: 26 Mar 2009
Posts: 0
The scanner screen/list has limited number of rows. It is overflowing and real threats are lost. Save to file will not help.

Code:
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\abb70b1d5b77d9532ec10e5b1e9ffaaa_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ac4502711c800aef18ffeaa6c7ec03ef_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ac4efbfddc0f0ccbebf1f2ff4562f5e7_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\acc0ebedba11a3cfd6cfddb1fdd2739f_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ad1599e9e5e955a65b4eddaf1a13d8fc_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ae156c499a90dc948e6f7e22f53752bb_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\aec30765a55763c39fac3520405fef4a_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af48ba645f7f4be46399a7d6c21d05f3_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af927790bdced062f3646438418be03b_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\b063459a791f8d48d3934b98260e1c1d_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\b0a88c72ca16f8743c423feb45c10aa5_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied


It is too bad, because only 182 lines are preserved. Please enlarge the number of rows to at least 1000.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Do you need to see the scan results during a scan? Can you look at the scan log to see scan results after the fact? If you have the infected file option set to Quarantine, any threats will be quarantined.

Regards,
Fojtik


Joined: 26 Mar 2009
Posts: 0
GuitarBob wrote:
Do you need to see the scan results during a scan? Can you look at the scan log to see scan results after the fact? If you have the infected file option set to Quarantine, any threats will be quarantined.
Regards,

I have found a lot of false positives inside system files.
They are printed in blue and ClamWin asks me to send them. It means that Microsoft's digital signature is valid and ensures file integrity, as I understand it. The only possible way for infection would be if Microsoft's certificate had been stolen and misused by hackers.

Putting system files into quarantine will completely corrupt the operating system.

Code:
Windows\Installer\$PatchCache$\Managed\348E4C01622CFDF3D96D4F3E72E537D4\4.7.3062\aspnet_wp_exe_x86: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
dows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\v4.7.03062\CSY\Setup.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\v4.7.03062\CSY\SetupUtility.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\v4.7.03062\Setup.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND
WARNING: Can't open file C:\Windows\Panther\UnattendGC\diagerr.xml: Permission denied
WARNING: Can't open file C:\Windows\Panther\UnattendGC\diagwrn.xml: Permission denied
WARNING: Can't open file C:\Windows\PLA\System\System Diagnostics.xml: Permission denied
WARNING: Can't open file C:\Windows\PLA\System\System Performance.xml: Permission denied
WARNING: Can't open file C:\Windows\security\database\secedit.sdb: Permission denied
WARNING: Can't open file C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Permission denied
WARNING: Can't open file C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Permission denied
C:\Windows\System32\MFC71CHT.DLL: [100%]


I really need the table enlarged to more rows; otherwise the top rows of the scan result are lost.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I do not think Microsoft's cert has been stolen or is invalid. These look like normal system files that are falsely (erroneously) detected due to a bad Clam AV signature. The Clam AV project has an antivirus that is used by Linux email servers. The ClamWin developers prepare a Windows port of the Clam AV Linux code, and ClamWin also uses the virus signatures prepared by the Clam AV project. I recommend that you send one file to Clam AV at https://www.clamav.net/reports/fp on the web. Clam AV should correct their signature within a week or so. You only have to send one file because the false positive detections all seem to be for the same signature. When you get a lot of detections for the same virus, that is a pretty good sign of a true false positive.

These warnings of false positive detections were developed by the ClamWin developers several years ago when we were getting a lot of false positives from Clam AV. You could actually just ignore the false positive detections, but I suggest you do what I said above.

Thanks for using ClamWin!

Regards,
Fojtik


Joined: 26 Mar 2009
Posts: 0
GuitarBob wrote:
I do not think Microsoft's cert has been stolen or is invalid. .....Regards,

Yes, I will do it.

But I asked in this thread for the table to be enlarged to more rows. The current limit is very tight without any reason.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I will pass this on to the developers; however, they are reluctant to make any change to ClamWin. In fact, they have not updated ClamWin for over a year now, and there have been several new updates of Clam AV.

Thanks for using ClamWin.

Regards,
Fojtik


Joined: 26 Mar 2009
Posts: 0
GuitarBob wrote:
I will pass this on to the developers; however, they are reluctant to make any change to ClamWin. Regards,

Thank you very much.

I simply guess that the number of lines is one hardcoded number, e.g. a property of the widget.

The table is still overflowing:
Code:

----------- SCAN SUMMARY -----------
Known viruses: 6534469
Engine version: 0.99.4
Scanned directories: 226255
Scanned files: 1881388
Infected files: 6

Total errors: 9
Data scanned: 237623.40 MB
Data read: 258151.95 MB (ratio 0.92:1)
Time: 55664.946 sec (927 m 44 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe: [Win.Virus.Shodi-7131944-0] FALSE POSITIVE FOUND
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bootstrapper\Packages\WindowsInstaller4_5\WindowsXP-KB958655-v2-x86-ENU.exe: [Win.Virus.Sality-6725482-0] FALSE POSITIVE FOUND
C:\Windows\Installer\$PatchCache$\Managed\00006109A20000000100000000F01FEC\16.0.4266\LYNC.APPSHARINGHOOKCONTROLLER64.EXE.x64: [Win.Virus.Shodi-7131944-0] FALSE POSITIVE FOUND
C:\Windows\System32\drivers\arcsas.sys: [Win.Trojan.Agent-7029285-0] FALSE POSITIVE FOUND
C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_b3d75f82c617ac6a\arcsas.sys: [Win.Trojan.Agent-7029285-0] FALSE POSITIVE FOUND
C:\Windows\System32\recdisc.exe: [Win.Trojan.Agent-7015560-0] FALSE POSITIVE FOUND
C:\Windows\System32\wusa.exe: [Win.Trojan.Agent-7029271-0] FALSE POSITIVE FOUND
C:\Windows\WinSxS\amd64_dual_arcsas.inf_31bf3856ad364e35_10.0.18362.1_none_df45d7260451884b\arcsas.sys: [Win.Trojan.Agent-7029285-0] FALSE POSITIVE FOUND
C:\Windows\WinSxS\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_10.0.18362.1_none_56d96a6d30d9b491\recdisc.exe: [Win.Trojan.Agent-7015560-0] FALSE POSITIVE FOUND
C:\Windows\WinSxS\amd64_microsoft-windows-wusa_31bf3856ad364e35_10.0.18362.1_none_7f5e017895d54a0c\wusa.exe: [Win.Trojan.Agent-7029271-0] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at http://www.clamav.net/sendvirus/
--------------------------------------
Completed
--------------------------------------

As you can see, there are still a lot of false positives.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, I see there are lots of false positives. There's nothing ClamWin can do about them. The scan message is just to let you know about it, so you can send the files that are falsely detected to Clam AV so they can change the signature. If all of the false positives detect the same malware, you should only send one or two files and tell Clam their signature falsely detects lots more.

I sent email to the ClamWin developers about this problem with not enough lines in the scan report. That's all I can do, as I am not a programmer. It has been a while now, and since we haven't heard from them, I guess they do not want to change the code to enlarge the number of lines. I don't know for sure, but the original ClamWin code that addresses strictly Windows items may have been written by someone else who is no longer around, and that could be why the developers are reluctant to make any changes. It's just a thought though, and it certainly doesn't help you.

I personally rely upon a commercial AV for security and keep ClamWin around for old time's sake.

Regards,
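The thread's two practical problems, real detections buried among hundreds of "Permission denied" warnings and signed-file false positives, and the advice to submit only one file per falsely detecting signature, can both be handled from the saved scan log rather than the scanner window. The following Python script is an added example, not ClamWin's or Clam AV's own code; it parses the three line formats visible in the posts above (the `WARNING: Can't open file ...: Permission denied` lines, the `path: [Signature] FALSE POSITIVE FOUND` lines, and standard clamscan `path: Signature FOUND` hits). The embedded sample log is constructed for the demonstration (the EICAR test-file hit is a made-up line in that format) and the `triage` and `fp_submission_set` function names are the example's own.

```python
import re
import sys
from collections import defaultdict

# Line formats as they appear in a ClamWin scan log (see the posts above).
RE_UNREADABLE = re.compile(
    r"^WARNING: Can't open file (?P<path>.+): Permission denied$")
RE_FALSE_POSITIVE = re.compile(
    r"^(?P<path>.+?): \[(?P<sig>[^\]]+)\] FALSE POSITIVE FOUND$")
# Standard clamscan detection line: "<path>: <Signature> FOUND"
RE_FOUND = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample log for the demonstration; the last FOUND line is invented
# to show how a real detection is separated from the noise around it.
SAMPLE_LOG = [
    r"WARNING: Can't open file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\abb70b1d5b77d9532ec10e5b1e9ffaaa_59d6d36f-24c6-4261-ab8d-499d0605b7a4: Permission denied",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe: [Win.Virus.Memery-7358544-0] FALSE POSITIVE FOUND",
    r"C:\Windows\System32\wusa.exe: [Win.Trojan.Agent-7029271-0] FALSE POSITIVE FOUND",
    r"C:\Windows\System32\MFC71CHT.DLL: [100%]",
    r"C:\Users\demo\Downloads\eicar.com: Win.Test.EICAR_HDB-1 FOUND",  # constructed hit
    "Infected files: 6",
]


def triage(lines):
    """Sort scan-log lines into real detections, signed-file false positives
    and files the scanner could not read. Unrelated lines are ignored."""
    result = {
        "detections": [],                      # (path, signature): needs attention
        "false_positives": defaultdict(list),  # signature -> paths flagged on signed files
        "unreadable": [],                      # paths skipped with Permission denied
    }
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = RE_UNREADABLE.match(line)
        if m:
            result["unreadable"].append(m.group("path"))
            continue
        # Test the FALSE POSITIVE form before the plain FOUND form so the
        # bracketed signature is captured as a false positive, not a detection.
        m = RE_FALSE_POSITIVE.match(line)
        if m:
            result["false_positives"][m.group("sig")].append(m.group("path"))
            continue
        m = RE_FOUND.match(line)
        if m:
            result["detections"].append((m.group("path"), m.group("sig")))
    result["false_positives"] = dict(result["false_positives"])
    return result


def fp_submission_set(false_positives):
    """Pick one representative file per signature: all files flagged by the same
    signature share the cause, so one sample per signature is enough to report."""
    return {sig: sorted(paths)[0] for sig, paths in false_positives.items()}


def report(result):
    """Human-readable summary: real detections first, then what to submit."""
    lines = [f"Real detections: {len(result['detections'])}"]
    for path, sig in result["detections"]:
        lines.append(f"  {sig}  {path}")
    lines.append(f"Unreadable files skipped: {len(result['unreadable'])}")
    lines.append("False-positive signatures (one file each to submit):")
    for sig, path in fp_submission_set(result["false_positives"]).items():
        count = len(result["false_positives"][sig])
        lines.append(f"  {sig}  ({count} files)  e.g. {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # run against a saved ClamWin scan log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(triage(fh)))
    else:
        print(report(triage(SAMPLE_LOG)))
```

Run it with the path of a saved scan log as the first argument; with no argument it processes the embedded sample. Before quarantining anything the script lists as a false positive, the flagged file's Authenticode signature can be confirmed in PowerShell with `Get-AuthenticodeSignature <path>`, which is the same "Digitally Signed by Microsoft Corporation" property that ClamWin's blue lines are based on.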