mwade
Joined: 15 Dec 2008
Posts: 0
Posted: Mon Dec 15, 2008 6:03 pm
I ran ClamWin with the latest version of the DATs and I have a detection (Trojan.Agent-62881) on the following file: C:\Support\Tools\Support.cab. I have matched that file with the NSRL file as a component from the Gateway Operating System Windows XP Pro. I have tried to do some research on the Trojan.Agent-62881 detection, but I am unable to find any relevant information. Is this a generic detection (many malware samples thrown into this one name)? Could this be a false positive? Can anyone please provide a reason why this file flagged? Unfortunately I am unable to provide the file.
Thanks
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Dec 15, 2008 7:42 pm
Upload the file in question to either Jotti or VirusTotal on the web for a scan with multiple antiviruses, including Clam. If more than a couple of them besides Clam find the file is infected, it is probably not a false positive, and you should remove the file from your machine. You can get the location for Jotti/VirusTotal from the ClamWin Anti-Malware page.
If only Clam and a couple more antiviruses find an infection, it is probably a false positive, and you should upload the file to Clam from their submission page. Tell them it is a false positive and give the name of the virus detected. They will update the signature. The location of the Clam submission page is also shown on the ClamWin Anti-Malware page.
Regards,
mwade
Joined: 15 Dec 2008
Posts: 0
Posted: Mon Dec 15, 2008 7:47 pm
Hello,
Thanks for your post. Unfortunately I am not able to post the file. I am aware of Jotti and VirusTotal. I have scanned the system with 5 other scanners and it was not detected, so I am thinking that it's a false positive. What I am looking for is a reason as to why this file flagged as Trojan.Agent.... Basically I need to explain why it is or is not malicious. Since the MD5 seems legit, I am thinking that it's an FP.
Thanks,
Mark
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Dec 16, 2008 2:01 am
It's probably not a generic detection if Clam identifies the malware with a specific name and number. I found 13 support.cab files on my XP machine, and none of them register a detection when scanned by ClamWin. I suggest you do a Google search on the MD5 number for your file and see if anything comes up. Malware can use some of the same code as "good" software. Clam checks for false positives before releasing signatures, but they don't have copies of every piece of software that is out there, so false positives can happen. The only way to change a false positive is to submit a copy of the file in question to Clam and tell them about it.
Support.cab is a sort of generic name, and malware sometimes uses names like that, although the cab extension is pretty far down on the list of extensions that malware uses.
Regards,
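As an added worked example (not code from this thread, from ClamWin or from ClamAV), here is a small Python script that does the two checks the posts above describe: GuitarBob's count-based rule for reading a multi-engine scan result (Clam plus at most a couple of other engines flagging means probable false positive, more than that means remove the file), and the hash lookup against an NSRL RDS-style table that mwade used to match the file. Everything in it is constructed for the example: the two byte strings standing in for Support.cab and for an unrelated file, the two-row NSRLFile.txt-style table (real RDS column layout, made-up product and OS codes), and the scan-result dictionary. The file is hashed locally, so nothing has to be uploaded anywhere.

```python
import csv
import hashlib
import io

# Constructed stand-ins for the flagged file and for an unrelated file.  They are
# byte strings built here for the example, not real Gateway or Microsoft components.
KNOWN_GOOD = b"MSCF" + b"\x00" * 60 + b"constructed Support.cab body"
UNKNOWN = b"MSCF" + b"\x00" * 60 + b"constructed body of a file NSRL has never seen"


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of the file bytes, upper-cased to match NSRL's RDS convention.
    The RDS is keyed on SHA-1; the MD5 column is what most scanner reports quote."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def build_constructed_rds() -> str:
    """A two-row NSRLFile.txt-style table.  The column layout is the real RDS one;
    the product code, OS code and the first row's hashes are constructed here."""
    good = file_hashes(KNOWN_GOOD)
    return (
        '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
        f'"{good["sha1"]}","{good["md5"]}","00000000","Support.cab","{len(KNOWN_GOOD)}","12345","WINXP",""\n'
        '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E",'
        '"00000000","empty.bin","0","12345","WINXP",""\n'
    )


def load_rds(csv_text: str) -> dict:
    """Index RDS rows by SHA-1.  One hash can map to several rows because the same
    bytes ship in several products, so keep a list per hash."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        index.setdefault(row["SHA-1"].upper(), []).append(row)
    return index


def nsrl_lookup(data: bytes, index: dict) -> list:
    """Rows whose SHA-1 matches the file.  A hit means the bytes are exactly those
    NSRL catalogued for that product; it says nothing about why a scanner flagged them."""
    return index.get(file_hashes(data)["sha1"], [])


def triage(detections: dict, nsrl_hit: bool, own: str = "ClamAV") -> str:
    """Apply the rule of thumb from the thread to a multi-engine scan result.

    detections maps engine name -> detection name, or None if that engine was clean.
    More than a couple of engines besides Clam flagging -> likely malicious, remove it.
    Only Clam plus at most a couple of others -> probable false positive; an NSRL hash
    match corroborates that, otherwise submit the sample to the vendor.
    """
    if not detections.get(own):
        return "not-flagged-by-" + own
    others = [e for e, name in detections.items() if e != own and name]
    if len(others) > 2:
        return "likely-malicious"
    if nsrl_hit:
        return "likely-false-positive"
    return "probable-false-positive-submit-sample"


if __name__ == "__main__":
    index = load_rds(build_constructed_rds())
    # Constructed scan result mirroring the poster's situation: Clam flags the file,
    # five other engines are clean.
    scan = {"ClamAV": "Trojan.Agent-62881", "A": None, "B": None,
            "C": None, "D": None, "E": None}
    hit = bool(nsrl_lookup(KNOWN_GOOD, index))
    print(file_hashes(KNOWN_GOOD), hit, triage(scan, hit))
```

A SHA-1 hit in the RDS only proves the bytes are the ones NSRL catalogued for that product; it does not explain which pattern the signature matched. On a current ClamAV install, `sigtool --find-sigs=Trojan.Agent-62881 | sigtool --decode-sigs` prints the signature body, which is the closest thing to the "reason why it flagged" that mwade was asking for.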