Nod32 found 2 Trojans made by ClamWin
deanz


Joined: 21 Jan 2009
Posts: 0
I just installed ClamWin on a USB drive and thought I'd get ClamWin to scan the USB drive... At the end of the scan Nod32 popped up and said ClamWin had just written two temp files with trojans in them to my hard drive... Below are the 2 reports. Is this normal for ClamWin to behave like this?

Dean.


21/01/2009 5:14:47 p.m. Real-time file system protection file C:\docume~1\dean\locals~1\temp\clamav-bd06b087c01bcfdf863ab66c07711c5c.00000f44.clamtmp a variant of Win32/Kryptik.EF trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: E:\ClamWinPortable\App\clamwin\bin\clamscan.exe.

21/01/2009 5:14:41 p.m. Real-time file system protection file C:\docume~1\dean\locals~1\temp\clamav-77faa3949e3bbb2ed420fed865edc6df.00000f44.clamtmp a variant of Win32/Kryptik.EF trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: E:\ClamWinPortable\App\clamwin\bin\clamscan.exe.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
ClamWin creates temp files when it unpacks archives, therefore it can be a real virus packed in an archive or a false positive from Nod32.
You may scan the quarantined file at https://www.virustotal.com and see what other AV vendors think about it.
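Added example, not part of the original thread and not ClamWin or NOD32 code: a small triage script that parses entries like the two NOD32 reports above and separates detections on temp files written by clamscan.exe (which point back to something on the scanned drive) from detections on other files. The field layout and temp-file naming are assumptions inferred from the two entries quoted in the thread, the third sample line is constructed, and the function names are hypothetical.

```python
import ntpath
import re

# Layout inferred from the two flattened entries in this thread (assumption,
# not a documented NOD32 log format).
ENTRY = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]\.m\.) "
    r"Real-time file system protection file (?P<path>\S+) "
    r"(?P<detection>.+?) cleaned by deleting - quarantined (?P<user>.+?) "
    r"Event occurred on a new file created by the application: (?P<creator>.+?)\.$"
)
# Temp-file naming inferred from the two names in the thread (assumption).
CLAM_TMP = re.compile(r"^clamav-[0-9a-f]+\.[0-9a-f]+\.clamtmp$", re.I)

SAMPLE = [
    r"21/01/2009 5:14:47 p.m. Real-time file system protection file C:\docume~1\dean\locals~1\temp\clamav-bd06b087c01bcfdf863ab66c07711c5c.00000f44.clamtmp a variant of Win32/Kryptik.EF trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: E:\ClamWinPortable\App\clamwin\bin\clamscan.exe.",
    r"21/01/2009 5:14:41 p.m. Real-time file system protection file C:\docume~1\dean\locals~1\temp\clamav-77faa3949e3bbb2ed420fed865edc6df.00000f44.clamtmp a variant of Win32/Kryptik.EF trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: E:\ClamWinPortable\App\clamwin\bin\clamscan.exe.",
    # Constructed entry (not from the thread) for contrast.
    r"21/01/2009 6:02:10 p.m. Real-time file system protection file C:\downloads\example.exe a variant of Win32/Example.A trojan cleaned by deleting - quarantined EXAMPLE\user Event occurred on a new file created by the application: C:\Program Files\Example\browser.exe.",
]

def triage(line):
    """Parse one entry; flag it when the file is a scanner temp file."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # ntpath handles Windows paths even when this runs on another OS.
    rec["scanner_temp"] = bool(
        CLAM_TMP.match(ntpath.basename(rec["path"]))
        and ntpath.basename(rec["creator"]).lower() == "clamscan.exe"
    )
    return rec

def summarize(lines):
    """Group scanner-temp detections by name; return other entries as-is."""
    temp_hits, other = {}, []
    for rec in filter(None, map(triage, lines)):
        if rec["scanner_temp"]:
            temp_hits.setdefault(rec["detection"], []).append(rec["path"])
        else:
            other.append(rec)
    return temp_hits, other

if __name__ == "__main__":
    temp_hits, other = summarize(SAMPLE)
    for name, paths in temp_hits.items():
        print(f"{name}: {len(paths)} clamscan temp file(s); check the scanned drive for the source file")
    for rec in other:
        print(f"{rec['detection']}: {rec['path']} (created by {rec['creator']})")
```

A flagged entry does not settle whether the detection is a false positive; it only says the file NOD32 removed was a copy that clamscan.exe unpacked, so the item to submit to VirusTotal is the original on the scanned drive.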
deanz


Joined: 21 Jan 2009
Posts: 0
Thanks for that link, here is the result.

https://i42.tinypic.com/2nsq8oh.jpg
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I like to see at least 5 AVs spot something before I say it is infected. Even then, however, you have to look at the AVs that are spotting an infection and how they spot it. In this case, note that AntiVir and Secure Gateway have the same exact name--they probably share a common signature database (to save costs). The detection is spotted via heuristics (a guess--it's not an exact name) because the file uses the XPack packer. QuickHeal also spots the file via heuristics--"suspicious, DNA Scan." It also looks to me like NOD32 may be spotting the infection via heuristics--"Kryptik" looks like it may refer to a packer/crypt program.

Some AVs are pretty aggressive with their heuristics--they would rather be wrong than have a virus slip by their product and hurt one of their customers. They also do pretty well on tests that contain lots of infected files. I think you have a false positive here and you should tell NOD32 about it.

When you get close to 10 AVs spotting something, that's probably a real infection.

Regards,
deanz


Joined: 21 Jan 2009
Posts: 0
Thanks GuitarBob for that reply, I was kinda hoping that Nod was just a bit too aggressive. I noticed Nod sent 3 files off for checking and the ClamWin file was one of them, so maybe sometime soon when I rerun ClamWin Nod will be happy with it :)

Cheers,

Dean.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You should tell an AV if you think it has detected a false positive. Many people do not, so you help to improve the AV's detection and prevent problems for a "good" piece of software when you report false positives. I once had a NOD32 false positive on the GoBack hard drive snapshot program because it made a change in the master boot record of Windows. NOD32 fixed it in about one day.

Regards,
ols


Joined: 24 Jan 2009
Posts: 0
No, it depends.