Differences between local & online scan
bugme
Guest

When I did a scan of https://www.megaupload.com/?d=G5GUJN57 a suspicious file on https://virusscan.jotti.org/ Jotti's online malware test the result of ClamAV was positive (as were several other AV tests):
https://upload3.postimage.org/165463/photo_hosting.html

When I did a local scan of this file though, I got a negative result.

The program, as well the definitions should be up-to-date:
Code:
freshclam 0.91.2 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Wed Sep 19 16:48:57 2007
main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)

daily.inc updated (version: 4346, sigs: 21517, f-level: 21, builder: ccordes)
Database updated (154680 signatures) from database.clamav.net (IP: 24.215.0.24)


This worries me a bit...
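Added example, not from the post or from ClamWin: a small Python parser for the freshclam output above that pulls out each database's version and signature count and checks that the per-database counts add up to the reported total (133163 + 21517 = 154680), which is the quick way to confirm an update really completed. The sample log is the one quoted in the post.

```python
import re

# Sample input: the freshclam output quoted in the post (constructed copy).
FRESHCLAM_LOG = """\
freshclam 0.91.2 (OS: win32, ARCH: x86, CPU: i686)
ClamAV update process started at Wed Sep 19 16:48:57 2007
main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)

daily.inc updated (version: 4346, sigs: 21517, f-level: 21, builder: ccordes)
Database updated (154680 signatures) from database.clamav.net (IP: 24.215.0.24)
"""

# One line per database: "<name> is up to date|updated (version: N, sigs: N, f-level: N, ..."
DB_LINE = re.compile(
    r"^(?P<db>\w+\.(?:inc|cvd|cld)) (?P<state>is up to date|updated) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+), f-level: (?P<flevel>\d+)"
)
# Summary line with the total signature count freshclam reports.
TOTAL_LINE = re.compile(r"^Database updated \((?P<total>\d+) signatures\)")

def parse_freshclam(log):
    """Return ({db_name: {state, version, sigs, flevel}}, total_or_None)."""
    dbs, total = {}, None
    for line in log.splitlines():
        m = DB_LINE.match(line)
        if m:
            dbs[m["db"]] = {
                "state": m["state"],
                "version": int(m["version"]),
                "sigs": int(m["sigs"]),
                "flevel": int(m["flevel"]),
            }
            continue
        m = TOTAL_LINE.match(line)
        if m:
            total = int(m["total"])
    return dbs, total

def check_update(log, required=("main", "daily")):
    """Return a list of problems; empty means every required database was
    reported and the per-database signature counts match the total."""
    dbs, total = parse_freshclam(log)
    problems = [f"missing database: {name}" for name in required
                if not any(db.startswith(name + ".") for db in dbs)]
    if total is None:
        problems.append("no 'Database updated' summary line")
    elif total != sum(d["sigs"] for d in dbs.values()):
        problems.append(f"total {total} != sum of per-database counts")
    return problems
```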
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Don't worry. Here's a quote from the small print at Jotti:

"Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware."

Jotti uses Linux versions of AV scanners, which can differ from the Windows versions. ClamAV probably has a bit more horsepower than ClamWin, but they use the same database. Clam has access to some options that aren't available in ClamWin. For instance, Clam says you can use their Potentially Unwanted Applications (PUA) signatures if you configure Clam for it. I can't find the command configuration to do so in ClamWin. Also, Jotti may update just a tad more often than some of us users do.

There can even be some differences in scanning between the resident scanner and the on-demand scanner of the same antivirus.

Regards,
bugme
Guest

The definitions on my machine were definitely up-to-date (I do daily updates, and did one as soon as I noticed the differing results).

You're saying that there, indeed, can be differences between Linux and resident and on-demand scanners, and that that shouldn't concern me.

Well, but that's exactly what concerns me... Why should there be differences???

If 5 other AV programs warn me about this file (in addition to ClamAV itself), but my local copy says everything is ok, how should I interpret that? That all the other programs, plus ClamAV are wrong, but my on-demand copy is right?

Why is there a discrepancy in the first place, and which version should I trust?

Could someone else perhaps test this file (download link is in the first post), and tell me if they get the same discrepancies?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The Jotti scan (if you enlarge it) indicates its Clam AV Linux scanner found the file that you uploaded is one of those files that is a PUA--a potentially unwanted application. This is what Clam says about PUAs on their Web page:

"With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications. The PUA database contains detection for applications that are not malicious by themselves but can be used in a malicious or unwanted context. As an example: A tool to retrieve passwords from a system can be useful as long as the person who uses it is authorized to do so. However, the same tool can be used to steal passwords from a system.
To make use of the PUA database you can use the "--detect-pua" switch for clamscan or enable it in the config file for clamd. At this point we DON'T recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups."

There may be a way to set the switch to enable ClamWin to spot PUAs, but as I mentioned, I don't know how/if you can do so--perhaps one of the ClamWin development team does and will step in here. As the quote from Clam's page indicates, you shouldn't use the PUA option on a production system. There are some other features like this as well that can lead to false positives/system instability if used by us average users. It appears that the Clam team is designing improvements in the software and is making them optional until they have been fully tested.

Finally, there are some differences between the operating systems and programming languages used that keep the two programs from being 100% similar. For instance, ClamAV in Linux allows you to perform multiple scans--something we can't do in the current version of ClamWin.

If you are concerned about that file (or any other file), I suggest that you delete it unless you actually installed it on your computer on purpose.

Regards,
Update
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I just looked at the Clam 0.91.2 Changelog and it mentions that you can use the command --detect-pua to enable Clamscan to consider PUAs in its scan. I tried it, and it seems to work. Be aware, however, that it could pick up an important Windows system file as a PUA, and if you have it quarantined, you might not be able to access Windows. If you use it, I suggest that you select Notify instead of Quarantine.

To use it, in the ClamWin Advanced Preferences, put --detect-pua (that's two dashes, detect, one dash, and pua) in the Additional Clamscan Parameters.

Regards,
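Added example, not from the post or from ClamWin/ClamAV: a Python helper that compares a plain clamscan run with a --detect-pua run of the same files and separates the hits the switch explains (signatures named PUA.*, which is ClamAV's naming for that database) from any other differences, which would point at a real definitions or version gap like the one asked about in this thread. The two scan outputs below are constructed in clamscan's "path: Name FOUND" / "path: OK" line format; the signature names are placeholders.

```python
import re

# clamscan prints one result line per file: "<path>: <signature> FOUND" or "<path>: OK".
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_clamscan(output):
    """Map each scanned path to the signature that hit, or None if the file was clean."""
    results = {}
    for line in output.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            results[m["path"]] = m["sig"]
    return results

def explain_discrepancies(baseline_out, pua_out):
    """Compare a plain run with a --detect-pua run of the same file set.
    pua_only: detections present only with the switch and named PUA.* (expected).
    unexplained: any other difference, i.e. a genuine database/version gap."""
    base, pua = parse_clamscan(baseline_out), parse_clamscan(pua_out)
    report = {"pua_only": [], "unexplained": []}
    for path in sorted(set(base) | set(pua)):
        b, p = base.get(path), pua.get(path)
        if b == p:
            continue
        if b is None and p is not None and p.startswith("PUA."):
            report["pua_only"].append((path, p))
        else:
            report["unexplained"].append((path, b, p))
    return report

# Constructed sample outputs (not real scan results); signature names are placeholders.
PLAIN_RUN = """\
C:\\samples\\tool.exe: OK
C:\\samples\\dropper.exe: Trojan.Example-1 FOUND
C:\\samples\\readme.txt: OK
"""
PUA_RUN = """\
C:\\samples\\tool.exe: PUA.Example.PasswordTool-1 FOUND
C:\\samples\\dropper.exe: Trojan.Example-1 FOUND
C:\\samples\\readme.txt: OK
"""
```

With these inputs the report lists tool.exe under pua_only and nothing under unexplained; a file flagged by the online scanner but clean locally without a PUA.* name would land in unexplained and is the case worth checking against the definitions versions.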