positive on a newly recovered machine - tcpip.sys

Trojan.Agent-6998
billj
Got the same detection but on an older system and suspect it is a false positive.
I cannot find information on it by searching for "Trojan.Agent-6998". Used FAQ https://www.clamwin.com/content/view/40/27/ to scan at https://www.virustotal.com. It looks OK, only ClamAV reports it. Reported it as a false positive at https://cgi.clamav.net/sendvirus.cgi

GuitarBob
I found the same file this morning on my computer and uploaded it to VirusTotal. ClamWin was the only antivirus there to find it as infected. My NOD32 primary scanner also doesn't find anything, so I'm pretty sure it's a false positive. I uploaded a copy of the file to ClamAV virus submission with the details. I'll check the file again in a couple of days with VirusTotal to make sure and also give Clam time to change their database.
You could also send the file to Clam at https://cgi.clamav.net/sendvirus.cgi, their file submission page. The more people that give them a file, the quicker they will probably act. Regards,

GuitarBob
Looks like the false positive has been fixed by ClamAV. ClamWin no longer recognizes it as infected--not on my machine and not on VirusTotal either. Try it, and restore the file from quarantine if so. Looks like this was part of a Windows patch.
Regards,

I got hit by the one too. Response very helpful
gjcarrette
I got hit by this one too, in the C:\I386 folder, which, by the way, is never updated by Windows patches, it is part of the original Windows installation, which in my case was XP PRO without any service packs bundled.
So this is a false positive which *could* have been regression tested out of the ClamWin before the virus updates and/or engine update was released. I'm willing to fund some development along those lines, because I don't have the time to do it myself. Meanwhile the responses to the "false positive" were very helpful in recovering from the situation.

GuitarBob
ClamWin doesn't really have anything to do with the ClamAV signatures--their job would be a lot more complicated otherwise, and they can better concentrate upon developing the product. I do recall a couple of false positives in the last six months, however--one of them laid my machine low because it was in an important Windows system file which was placed in quarantine. Since recovering from that, I've been running several scans of the Windows directory each day (with the report only option) to spot anything like that again.
What do you mean by regression testing? Perhaps the ClamWin developers would consider that--if it's not too demanding upon their time. Regards,
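
As an added illustration (not part of any post above, and not ClamWin or ClamAV code): one form of the regression check discussed in this thread is to scan known-good system files in report-only mode after a signature update and treat any detection on a file whose hash still matches a recorded baseline as a suspected false positive. The file contents, baseline and report text below are constructed, and `parse_report`, `triage` and `read_file` are hypothetical names.

```python
import hashlib
import re

# Report lines for detections look like "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Return (path, signature) pairs for every detection in a scan report."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(report_text, baseline, read_file):
    """Split detections into suspected false positives and files to investigate.

    baseline maps lower-cased path -> SHA-256 recorded while the file was known good.
    read_file(path) returns the file's current bytes (assumed helper).
    """
    suspected_fp, investigate = [], []
    for path, sig in parse_report(report_text):
        digest = hashlib.sha256(read_file(path)).hexdigest()
        if baseline.get(path.lower()) == digest:
            suspected_fp.append((path, sig))   # file unchanged since baseline
        else:
            investigate.append((path, sig))    # unknown or modified file
    return suspected_fp, investigate

# Constructed sample data: file contents and report text are made up for the demo.
FILES = {
    r"C:\I386\TCPIP.SYS": b"original install media copy",
    r"C:\WINDOWS\system32\drivers\tcpip.sys": b"modified after baseline",
}
BASELINE = {
    r"c:\i386\tcpip.sys": hashlib.sha256(b"original install media copy").hexdigest(),
    r"c:\windows\system32\drivers\tcpip.sys": hashlib.sha256(b"patched copy").hexdigest(),
}
REPORT = "\n".join([
    r"C:\I386\TCPIP.SYS: Trojan.Agent-6998 FOUND",
    r"C:\WINDOWS\system32\drivers\tcpip.sys: Trojan.Agent-6998 FOUND",
    r"C:\WINDOWS\notepad.exe: OK",
    "Infected files: 2",
])

if __name__ == "__main__":
    fp, bad = triage(REPORT, BASELINE, FILES.__getitem__)
    print("suspected false positives:", fp)
    print("investigate before restoring:", bad)
```

A file that lands in the second list has changed since the baseline was taken, so it should be examined rather than restored from quarantine on the assumption that the signature is at fault.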