kickenchicken57
Joined: 12 Jan 2009
Posts: 0
Posted: Mon Jan 12, 2009 2:32 pm
I seem to be getting a false positive on a file that I am sure is not a virus. I have done a search and seen that this has been a problem in the past with version .82 and was supposed to be fixed in version .83. What I would like to know is how can I turn off the detection of the MS05-002 exploit when running from clamscan? It appears to be a feature in the libclamav.dll itself and not in the definitions database. Is there a command line option that I can use to do this? I looked through the user guide but none of the options seem to be what I am looking for.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Jan 12, 2009 7:31 pm
"how can I turn off the detection of the MS05-002 exploit when running from clamscan?"
The best solution is to upload the false positive file to Clam at https://www.clamav.net/sendvirus/ on the web and tell them about it in their form. Be sure to indicate on the form that it is a false positive. In most cases, they will correct the signature in a day or two. Sigmakers usually correct their own false positives, so it may take longer if the sigmaker is away for a while. They are working on a system now to automatically notify a sigmaker of a false positive.
I assume you are running ClamWin. If that is true, then you can use Preferences, Filters to exclude matching filenames. Just add the name of the file with extension to those already in the exclude matching filenames section. Example: filenametoexclude.exe. You can also exclude directories from scans (example: C:\Dirname\*.* or C:\Dirname\Subdirname\*.*). Please scan the file with Jotti or VirusTotal before you do this - you don't want to exclude any file from scanning unless you are sure it is "clean." Please note that an individual file will still be scanned if you select it for scanning - this will only exclude it from scheduled scans, so this really isn't a complete solution.
Regards,
kickenchicken57
Joined: 12 Jan 2009
Posts: 0
Posted: Mon Jan 12, 2009 8:13 pm
First off, thanks for the reply!
I am 100% sure the file is clean. I am using clamscan.exe instead of the GUI because the scan must be done through a script and not display any windows, and the scan will also be run on numerous systems and cannot be done by hand. The problem is that we are getting these false positives on known good files and I need to parse the scan log when the scan is complete for each system. I understand that it is possible to parse the log with a little more intelligence to weed out these results, but an option to turn off this type of scan would be better and save us work.
Another possibility that would work for us is this...If I do a scan and specify a custom database on the command line, will it only scan for the custom definitions or will it still flag Exploit.W32.MS05-002? I have already tried removing all definitions except custom ones but that didn't help since Exploit.W32.MS05-002 is not in the virus database, so I am hoping that if I explicitly specify a custom database it will ONLY check for the custom definitions and nothing else built into the engine. I guess I can go try this thought out and see what happens.
kickenchicken57
Joined: 12 Jan 2009
Posts: 0
Posted: Mon Jan 12, 2009 8:53 pm
It seems if I use the "--no-algorithmic" switch that I no longer get my false positive. By using this switch am I still checking for all signatures in the database? I want to make sure that I am still scanning using all of the signatures.
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Jan 13, 2009 3:30 am
With the "no algorithmic" command, you are no longer scanning for signatures that employ algorithmic detection. Evidently this leaves out some exploits. Why don't you just send the false positive file to Clam? Seems like you would save a lot of trouble. It's their signature database that is giving you the problem.
Regards,
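The log-parsing approach kickenchicken57 mentions in the second post is the one that keeps GuitarBob's caveat in mind: `--no-algorithmic` switches off a whole class of detections for every file, whereas a post-processing step can suppress one detection on one verified file and report everything else. The script below is an added example written for this thread, not ClamAV's or ClamWin's own code. It parses the `path: Name FOUND` lines that clamscan prints, and drops a hit only when both the detection name and the file's current SHA-256 appear in an allowlist of files that were already checked and found clean. The file contents and log lines are constructed for the demo; the only name taken from the thread is Exploit.W32.MS05-002.

```python
"""Suppress a single known false positive in clamscan output without
disabling algorithmic detection.

Added example for the forum thread above; not part of ClamAV or ClamWin.
The log lines and file contents are constructed. The allowlist is keyed
by detection name AND file hash, so the same detection on any other file,
or on a modified copy of this file, is still reported.
"""
import hashlib
import os
import re
import shutil
import tempfile

# clamscan prints one line per infected file: "<path>: <name> FOUND".
# Clean files ("<path>: OK", only shown in verbose mode), errors and the
# "----------- SCAN SUMMARY -----------" block do not match this pattern.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")


def parse_clamscan_log(text):
    """Return [(path, detection_name), ...] for every FOUND line."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def sha256_of_file(path):
    """Hash the file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def filter_known_good(hits, allowlist, hasher=sha256_of_file):
    """Split hits into (real, suppressed).

    allowlist maps a detection name to the set of SHA-256 digests of files
    verified clean for exactly that detection. A hit is suppressed only when
    the name matches AND the file on disk still hashes to a listed digest.
    An unreadable or missing file is never suppressed: the alert stays.
    """
    real, suppressed = [], []
    for path, name in hits:
        try:
            digest = hasher(path)
        except OSError:
            digest = None
        if digest is not None and digest in allowlist.get(name, set()):
            suppressed.append((path, name, digest))
        else:
            real.append((path, name))
    return real, suppressed


def demo():
    """Constructed end-to-end run: one allowlisted file and one other hit.

    Returns (number of real hits, number of suppressed hits).
    """
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "knowngood.exe")
        other = os.path.join(tmp, "other.exe")
        with open(good, "wb") as f:
            f.write(b"constructed stand-in for the verified clean binary\n")
        with open(other, "wb") as f:
            f.write(b"different content, not on the allowlist\n")

        # Constructed clamscan output, including the summary block it prints.
        log = "\n".join([
            f"{good}: Exploit.W32.MS05-002 FOUND",
            f"{other}: Exploit.W32.MS05-002 FOUND",
            f"{os.path.join(tmp, 'clean.txt')}: OK",
            "",
            "----------- SCAN SUMMARY -----------",
            "Infected files: 2",
        ])
        # Only the file that was actually verified clean goes on the list.
        allowlist = {"Exploit.W32.MS05-002": {sha256_of_file(good)}}
        real, suppressed = filter_known_good(parse_clamscan_log(log), allowlist)
        return len(real), len(suppressed)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print("real=%d suppressed=%d" % demo())
```

Hashing the file at filter time rather than trusting the path is the point: if the known-good binary is later replaced or patched, its digest changes and the detection is reported again instead of being silently swallowed. ClamAV also has its own mechanism for this, a whitelist database (.fp file) that lists the hash, size and signature name of a specific file to ignore, which avoids post-processing entirely, while the upload GuitarBob recommends fixes the signature for everyone.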