| False positive in ClamWin |
|
GuitarBob
|
Make sure you have the most recent signatures for both the Main and Daily databases from the ClamAV Web site at https://www.clamav.net/. Compare their signature database version number(s) with the version numbers shown on ClamWin's menu (Help, About).
If the version numbers aren't the same, update the signatures manually and see if that fixes things. If they are the same version numbers, I'm not sure what to tell you. If that is the case, the problem may be due to some newer functionality included in ClamAV version 0.90.2, while ClamWin is using version 0.90.1.1. ClamAV's version 0.90.2 incorporates some exploit fixes that are unique to Linux, while ClamWin isn't affected. Regards, |
| Re: False positive in ClamWin |
|
Eufema
|
Hi, some time ago I also had a warning in Program Launch, from a Danish creator. He examined it on more PCs at the same time and found that on some PCs the false positive appeared as well, while on the others there was nothing. I downloaded and installed the program again and afterwards no harmful stuff was found, so it appeared to be a false positive, probably a fault in ClamWin. I received a warning to update to 0.90.2 but I could not succeed in installing/updating to this version. So I will wait till this problem is solved. |
| False Positive |
|
GuitarBob
|
ClamWin 0.90.2 is being tested now and should be ready for downloading soon. Some antivirus programs treat potentially unwanted programs as viruses, and some don't--this might be your situation. A potentially unwanted program does not necessarily contain a virus/malware. It might be some code/program downloaded automatically from a Web site without your knowledge (cookies, etc.). It could also be a "broken" program that looks like it won't work. Usually this stuff is close to spyware. Some antivirus software programs confine themselves to viruses only and don't look at anything else.
You could do a search on Google for the name of the program that has the problem, and see what you can find out about it. If more than one antivirus flags something as containing virus/malware, however, it is probably something that you don't want to have/use. Regards, |
|
Cousin Hub
|
Thanks for the replies,
In my case, the virus is said to be found in the database files and backup of MS SQL Server: database of hmailserver, positive with E-Mail phishing RB-601. I checked every single row (it is a small installation); I do not think there is a virus in it, as ClamAV 0.90.1 is the only tool to report it positive. Waiting for 0.90.2... I don't know, Hubert |
|
sherpya
|
False positives are not resolved by a new version of the AV but by updated signatures; you can report it directly on the ClamAV web site.
|
|
Cousin Hub
|
Not sure if you have read my first post...
|
|
sherpya
|
Sorry, not.
We have a plan to add our own signatures/false positives. |
| Re: False positive in ClamWin |
|
alch
Site Admin
|
The virus database used in ClamWin is maintained by the ClamAV team and we cannot answer for them. You may try contacting them once again if you firmly believe it is a false positive. |
| False Positive |
|
GuitarBob
|
You might check it with VirusTotal one more time. Clam will occasionally find a phishing-type malware that many of the other antivirus programs don't bother with--I believe it now has some separate phishing signatures. I once had a piece of malware that was only recognized by Clam and VBA--two of the least known antivirus programs. If no one but Clam still recognizes it, then resubmit your sample to Clam at https://cgi.clamav.net/sendvirus.cgi and explain in the comments that you firmly believe it is a false positive. You could follow this up with an email to one of the virus maintainers and tell them you have just resubmitted a false positive and would appreciate a response.
Regards, |
|
Cousin Hub
|
My problem is that the file is now only recognized as positive by ClamWin.
The latest version of ClamAV on www.virustotal.com does not recognize it anymore: the modification happened between the post of my false positive and the ClamAV team's answer. That's why I'm curious to see what will happen with 0.90.2... Any timeframe? |
| False Positive |
|
GuitarBob
|
I don't think the version number will make any difference. The "problem" is in the signatures (perhaps that one signature is not quite right), and that will not change with ClamWin version 0.90.2. My final suggestion is for you to contact the ClamAV person who told you that there was no false positive and ask them why it was not false. Good luck!
Regards, |
|
b0ne
|
* Signatures that start with "Email.Phishing" are not viruses, they detect phishing attempts.
* This is the signature: Email.Phishing.RB-601:4:*:687474703a2f2f7777772e35332e636f6d2e In English this translates into: scan all files of EMAIL TYPE for signature "https://www.53.com." Knowing this information, it is feasible that your mail database does contain the string "https://www.53.com." in it somewhere. Since the type "4" (email) is present, I'm also wondering if hmailserver doesn't store your mail database in an email type format rather than in a ms/my sql format.
* I just updated my signatures from clamav and this particular sig is still present. |
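
The signature line quoted above can be taken apart mechanically. As an added example (not part of the original post and not ClamAV code), this parses the line as a ClamAV extended-format signature, decodes its hex body, and runs a simplified match against two constructed mail samples; the helper names, the `file_type` argument and the sample messages are assumptions for illustration.

```python
# ClamAV extended (.ndb) signature: MalwareName:TargetType:Offset:HexSignature
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalized)",
                4: "mail file", 5: "graphics", 6: "ELF", 7: "ASCII text (normalized)"}

# Signature line exactly as quoted in the post above.
SIG_LINE = "Email.Phishing.RB-601:4:*:687474703a2f2f7777772e35332e636f6d2e"


def parse_ndb(line):
    """Split one .ndb line and decode a plain-hex body (no wildcards)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    try:
        body = bytes.fromhex(hexsig)
    except ValueError:
        raise ValueError("body contains wildcards; only plain hex is handled here")
    return {"name": name, "target": int(target), "offset": offset, "body": body}


def matches(sig, data, file_type):
    """Simplified match; file_type (assumed) stands in for ClamAV's type detection."""
    if sig["target"] not in (0, file_type):
        return False                      # signature is scoped to another file type
    if sig["offset"] == "*":
        return sig["body"] in data        # body may appear anywhere in the file
    if sig["offset"].isdigit():
        start = int(sig["offset"])        # absolute offset from start of file
        return data[start:start + len(sig["body"])] == sig["body"]
    raise ValueError("offset form not handled here")


sig = parse_ndb(SIG_LINE)

# Constructed samples: a stored message whose link continues past "www.53.com.",
# and one that links to the bare host name.
STORED_MAIL = (b"From: alerts@example.invalid\r\nSubject: Account notice\r\n\r\n"
               b"Please verify at http://www.53.com.example.invalid/login\r\n")
PLAIN_LINK = b"From: a@example.invalid\r\n\r\nSee http://www.53.com/ for details\r\n"

if __name__ == "__main__":
    print(sig["name"], "->", TARGET_TYPES[sig["target"]], repr(sig["body"]))
    for label, blob in (("stored mail", STORED_MAIL), ("plain link", PLAIN_LINK)):
        print(label, "| as mail:", matches(sig, blob, 4), "| as PE:", matches(sig, blob, 1))
```

The decoded body ends in a dot, so it matches only where the host name continues past `www.53.com`, and only when the scanner classifies the file as mail.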


