arscw
Joined: 21 Mar 2008 | Posts: 0 | Location: USA - Tampa, FL
Posted: Wed Jul 09, 2008 1:20 pm
I got the following results from a scan this morning:
C:\Program Files\ClamWin\unins000.exe: Trojan.Downloader-45726 FOUND
C:\RECYCLER\S-1-5-21-290001079-992227933-1844936127-500\DC51.TMP: Trojan.Downloader-45726 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 344927
Engine version: 0.93.1
Scanned directories: 1603
Scanned files: 16565
Infected files: 2
Data scanned: 2698.89 MB
Time: 2124.203 sec (35 m 24 s)
I uploaded the two files onto https://www.virustotal.com/ and https://virusscan.jotti.org/ and the only scanner besides ClamAV that indicated anything was Panda...
Panda 9.0.0.4 2008.07.08 Suspicious file
at the virustotal site. Md5sum and sha1sum indicate the file is the same file at both locations. I submitted the file per other entry suggestions at https://cgi.clamav.net/sendvirus.cgi
Just wanted to post the issue in case others encounter the same problem. Hopefully it is a false positive.
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jul 09, 2008 7:48 pm
This is probably a false positive, and you should visit the ClamAV submission form at https://cgi.clamav.net/sendvirus.cgi on the Web. Upload a copy of the file in question, fill out the form, and be sure to check the false positive block and give them the exact name of the virus. You help to make Clam/ClamWin a better antivirus by doing this.
When you get the same virus found in a couple of different places on your computer, it is frequently a sign of a false positive.
Regards,
arscw
Joined: 21 Mar 2008 | Posts: 0 | Location: USA - Tampa, FL
Posted: Wed Jul 09, 2008 8:02 pm
I submitted the file at https://cgi.clamav.net/sendvirus.cgi before I posted the incident here. I also provided the exact name as identified, and marked the "false positive" block as you indicated.
I will keep doing this now that I know the motions on how to submit. I assume it is ok to post events like this on this forum for the benefit of the community and let everyone know that the file has been submitted. That will reduce multiple submissions of the same file. If I should not post these kinds of events, please advise if just submitting is sufficient.
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Jul 09, 2008 11:09 pm
False positives happen to all antivirus software and on a regular basis. My suggestion is to not post about them here on the ClamWin forum unless they really stand out--such as a false positive on a Windows file, a Microsoft Office file or another important/widely-used application. In most cases just submitting the false positive to Clam is sufficient. They will normally take care of it within one day or less.
Regards,
alch
Site Admin
Joined: 27 Nov 2005 | Posts: 0
Posted: Thu Jul 10, 2008 1:28 am
arscw, thanks for letting us know.
C:\Program Files\ClamWin\unins000.exe is rather an important false positive and would affect every program installed with InnoSetup. Looks like the FP has already been removed from the database.