alexsupra
Joined: 19 Aug 2009
Posts: 0
Location: russia, saint-petersburg
Posted: Thu Aug 20, 2009 12:01 am
alch wrote:
could you please zip notepad.exe with password "clamwin" and email it to clamwin at clamwin dot com ?
Thanks,
Alch
It can be impossible because executable files in zip format, even when a password is used, can be rejected by mail servers (e.g. gmail.com). It seems to me that 7z is much more suitable because
1. mail servers ignore executable files in 7z
2. compression is better, thus the file size is smaller.

And again...
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Sun Feb 14, 2010 8:37 pm
It's happened again! I think I'm going to bump this thread each time I get dozens of false positive reports in my inbox. This business where ClamWin finds far more false positives than true positives needs to stop. Should I buy the ClamAV folks a Windows computer to test against?
Scan Started Sun Feb 14 08:40:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 19 processes - 294 modules ***
*** Computer Memory Scan Completed ***
C:\WINDOWS\ServicePackFiles\i386\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\userinit.exe: W32.Virut-82 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 712836
Engine version: 0.95.3
Scanned directories: 5673
Scanned files: 30162
Infected files: 2
Data scanned: 7377.29 MB
Data read: 5358.15 MB (ratio 1.38:1)
Time: 4210.016 sec (70 m 10 s)

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Feb 14, 2010 9:54 pm
All Windows programs would not fit on one computer! You would need many banks of them, and each time a program is changed, the false positive game changes. It also changes each time a new signature is prepared, because there's nothing stopping a malware program from using some of the same code that is used/will be used in a good program. Malware can use the same installers, packers, encryptors, and even the same subroutines as "good" programs. It is impossible to have a false positive check that includes every good program. And, even if they could all be included, it would take too long to verify a signature--if you could get all that hardware working together nicely. Each AV company tries to get a balance, which includes hardware, software, time, and budget. Most certainly Clam could do better with a bigger budget, more personnel, and/or more equipment.
Clam could certainly use more Windows programs among its "good" samples, more computer hardware on which to run them, and more systems programmers to make sure everything works together smoothly. At the moment, its personnel are performing multiple functions on a limited budget with whatever excess hardware SourceFire does not use for the Snort operation. The AV game is getting expensive, resource intensive, and requires constant innovation. Most people who use both Clam/ClamWin do so freely, without paying a dime. Contact Luca at ClamAV dot net if you would like to help Clam. You know the contact(s) for ClamWin.
Regards,

They just need to test Windows system files
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Wed Feb 17, 2010 6:15 am
GuitarBob wrote:
All Windows programs would not fit on one computer! You would need many banks of them, and each time a program is changed, the false positive game changes. It also changes each time a new signature is prepared, because there's nothing stopping a malware program from using some of the same code that is used/will be used in a good program. Malware can use the same installers, packers, encryptors, and even the same subroutines as "good" programs. It is impossible to have a false positive check that includes every good program. And, even if they could all be included, it would take too long to verify a signature--if you could get all that hardware working together nicely. Each AV company tries to get a balance, which includes hardware, software, time, and budget. Most certainly Clam could do better with a bigger budget, more personnel, and/or more equipment.
GuitarBob, I'm not talking about Windows programs! I'm talking about Windows itself! About once a month, 22 ClamWin installations across my Windows XP SP3 fleet all cough up false positives. These files are almost always Microsoft Windows system files (usually .exe and .dll) within C:\Windows\System32\. Every few months my patience wears thin and I post to this thread again.
So why can't the ClamAV signature-database maintainers add vanilla Windows XP, Vista, and 7 installations to their test bench (or at least a few hundred megabytes of .exe files from System32)? It seems that this little bit of effort would save us ClamWin users a ton of time! And then, perhaps, we could finally switch our computers from "Report only" back to "Move to quarantine".
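A small triage script for the fleet-wide flood of reports described above, added here as an example and not ClamWin's own code: it parses reports in the format quoted in this thread, groups FOUND lines across hosts, and flags hits on files under C:\Windows\ that recur on many hosts as false-positive candidates to verify (and submit to ClamAV) before quarantining. The host names and report contents are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample reports in the ClamWin format quoted in this thread.
REPORTS = {
    "ws01": """Scan Started Sun Feb 14 08:40:00 2010
C:\\WINDOWS\\system32\\userinit.exe: W32.Virut-82 FOUND
C:\\Program Files\\UPS\\WSTD\\Data\\master.mdf: Permission denied
----------- SCAN SUMMARY -----------
Infected files: 1
""",
    "ws02": """Scan Started Sun Feb 14 08:41:00 2010
C:\\WINDOWS\\system32\\userinit.exe: W32.Virut-82 FOUND
C:\\Users\\bob\\Downloads\\setup.exe: Trojan.Agent-142482 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
""",
}

FOUND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")

def parse_report(text):
    """Return (hits, summary) for one report; hits is a list of (path, sig)."""
    hits, summary, in_summary = [], {}, False
    for line in text.splitlines():
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("val")
        else:
            m = FOUND_RE.match(line)  # "Permission denied" lines do not match
            if m:
                hits.append((m.group("path"), m.group("sig")))
    return hits, summary

def triage(reports):
    """Group hits across hosts; the same signature on the same C:\\WINDOWS\\ file
    on many hosts is a false-positive candidate to verify before quarantining."""
    by_hit = defaultdict(set)
    for host, text in reports.items():
        for path, sig in parse_report(text)[0]:
            by_hit[(path, sig)].add(host)
    rows = []
    for (path, sig), hosts in sorted(by_hit.items()):
        system = path.lower().startswith("c:\\windows\\")
        rows.append({"path": path, "sig": sig, "hosts": len(hosts),
                     "status": "verify-first" if system else "investigate"})
    return rows
```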

lordpake
Joined: 01 Mar 2009
Posts: 0
Posted: Wed Feb 17, 2010 10:04 am
I can imagine one reason is that Windows desktop users are not their core target audience.
This, along with probable prioritization of available resources, is a likely scenario.
I hope you don't use ClamWin as your primary AV?

And again
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Sun Feb 28, 2010 7:38 pm
And yet again...
Scan Started Sun Feb 28 07:50:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 18 processes - 274 modules ***
*** Computer Memory Scan Completed ***
C:\WINDOWS\notepad.exe: Trojan.Agent-142482 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Agent-142482 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Agent-142482 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 723717
Engine version: 0.95.3
Scanned directories: 3540
Scanned files: 23934
Infected files: 3
Data scanned: 7577.72 MB
Data read: 4807.71 MB (ratio 1.58:1)
Time: 4016.656 sec (66 m 56 s)

And again...
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Wed Mar 31, 2010 2:25 am
And again...
Scan Started Tue Mar 30 07:50:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 18 processes - 274 modules ***
*** Computer Memory Scan Completed ***
C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\unregmp2.exe: Trojan.Agent-148484 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 749679
Engine version: 0.95.3
Scanned directories: 3564
Scanned files: 24222
Infected files: 1
Data scanned: 7561.65 MB
Data read: 4838.22 MB (ratio 1.56:1)
Time: 4147.719 sec (69 m 7 s)
I've got to ask; what's the point of having a Windows client (ClamWin) and scanning the whole C: drive when every month some innocent Microsoft file in C:\Windows\ is accused of being a trojan? Kudos to alch and the other ClamWin developers for their work, but it seems the biggest hindrance to the ClamWin project is the apathy of the ClamAV database maintainers toward the Windows platform.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Mar 31, 2010 3:39 am
There is no perfect antivirus program. They all have false positives. Bitdefender had a real bad false positive last week.
I understand ClamWin is working on a fix for false positives in the Windows directory.
The Clam sigmakers are not apathetic to false positives. Most of the viruses for which they get signatures are Windows viruses, and the signatures are checked for false positives against a "farm" of "good" files. However, the farm does not/could not have every version of every file in use. Furthermore, many viruses use some of the same code/routines as "good" files--installers, encryptors, decryptors, etc. Oftentimes, Clam cannot unpack/unobfuscate a virus file, and the sigmakers have to make sure it is "evil" and then get a hex signature based on the file characteristics. If a commonly-used installer/etc. happens to be included in the characteristics used, the signature may be similar to the signature of some good file. If that good file is not in the false positive "farm" files, there may be a false positive.
Regards,

And again the day after...
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Wed Mar 31, 2010 8:05 pm
GuitarBob, thanks for actually acknowledging the problem instead of just coming up with excuses for why the situation cannot be addressed. This is the first I've heard a solution is in the works. Awesome! When I submit a false positive to https://cgi.clamav.net/sendvirus.cgi, is my submitted file added to ClamAV's false positive farm?
In other news, I got another cluster of false positive reports today, this time with iexplore.exe:
Scan Started Wed Mar 31 08:25:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 20 processes - 334 modules ***
*** Computer Memory Scan Completed ***
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\master.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\mastlog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\model.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\modellog.ldf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\tempdb.mdf: Permission denied
C:\Program Files\UPS\WSTD\MSSQL$UPSWSDBSERVER\Data\templog.ldf: Permission denied
C:\WINDOWS\ie7\iexplore.exe: Trojan.Poison-1380 FOUND
C:\WINDOWS\ServicePackFiles\i386\unregmp2.exe: Trojan.Agent-148484 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 750869
Engine version: 0.95.1
Scanned directories: 3750
Scanned files: 35164
Infected files: 2
Data scanned: 7856.74 MB
Data read: 5141.63 MB (ratio 1.53:1)
Time: 5316.656 sec (88 m 36 s)

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Apr 01, 2010 3:43 am
Did you verify the false positives with another source--like Jotti, Virus Total, Threat Expert, or Anubis? Submit them to Clam if you did verify them.
False positive files are processed either by dropping the original signature or by whitelisting the false positive file in Clam's signature database. The original signature is dropped if it was just wrong. If the original signature was good and catches malware, it can't be dropped, so the false positive file is whitelisted in Clam's signature database.
Regards,

Of course...
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Fri Apr 02, 2010 11:33 pm
GuitarBob wrote:
Did you verify the false positives with another source--like Jotti, Virus Total, Threat Expert, or Anubis? Submit them to Clam if you did verify them.
Yes, I use VirusTotal every time. If it's a false positive (98% of the time it is), I follow up by submitting it to Clam. Sorry, I thought I implied that when I said,
voidxor wrote:
When I submit a false positive to https://cgi.clamav.net/sendvirus.cgi, is my submitted file added to ClamAV's false positive farm?
I will often post my scan report here after submitting a false positive to Clam, just to make a point about how frequently I wake up to a slew of false positive scan reports in my inbox.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sat Apr 03, 2010 1:59 am
ClamWin version .96 will have protection for false positives of Microsoft files that are digitally signed. Such false positives will be excluded from quarantine. There will be a note on the scan report that there is a false positive; however, users should still send the file to Clam so they can correct the false positive. This is a feature that has long been needed.
Regards,

AND AGAIN!
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Mon Apr 05, 2010 1:40 am
GuitarBob wrote:
ClamWin version .96 will have protection for false positives of Microsoft files that are digitally signed. Such false positives will be excluded from quarantine. There will be a note on the scan report that there is a false positive; however, users should still send the file to Clam so they can correct the false positive. This is a feature that has long been needed.
I can't tell you how thrilled I am to hear that! It sounds like somebody is finally addressing the problem! In the meantime, I got my third dose of false positives within one week:
Scan Started Sun Apr 04 08:10:00 2010
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 21 processes - 374 modules ***
*** Computer Memory Scan Completed ***
C:\WINDOWS\Driver Cache\i386\sp2.cab: Trojan.Rootkit-2660 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 753703
Engine version: 0.95.3
Scanned directories: 5884
Scanned files: 30355
Infected files: 1
Data scanned: 9905.68 MB
Data read: 6849.44 MB (ratio 1.45:1)
Time: 3189.750 sec (53 m 9 s)

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Apr 05, 2010 2:10 am
The sig appears good in this case--it has caught about 100 viruses submitted to Clam. The problem is that the virus writer is using the same install code that other software uses. There is nothing stopping them from doing that, and as I have mentioned lots in these forums, Clam does not have every version of every legitimate Windows program on its false positive farm.
This particular signature will probably be fixed by "whitelisting" any false positive files, so please submit them. If the sig is dropped, it will be fixed for good, as Clam makes note of this particular type of signature.
Regards,

Longer signatures
voidxor
Joined: 01 Jan 2009
Posts: 0
Location: Lawrence, Kansas
Posted: Mon Apr 05, 2010 4:55 pm
This is probably a dumb question, but why not make the signatures longer so that the viruses are more uniquely identified and fewer false positives persecuted? Is having the signature database be as small as possible worth three false positives a week!?
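To illustrate GuitarBob's point that a signature drawn from a shared installer stub also hits benign files, his description of whitelisting the false-positive file when the signature itself is good, and the question above about longer signatures, here is an added Python example (not ClamAV's code): the stub bytes, file contents, signatures and whitelist format are all constructed for the example, and the match is a plain substring search, a simplified stand-in for ClamAV's hex body signatures.

```python
import hashlib

# Constructed sample "files": both begin with the same installer stub that the
# thread says malware authors reuse; only the payload after it differs.
INSTALLER_STUB = b"MZ\x90\x00INSTALLER-STUB-v2\x00\xe8\x00\x00\x00\x00\x5d"
BENIGN_FILE = INSTALLER_STUB + b"UNREGMP2 legitimate payload, signed build"
MALWARE_FILE = INSTALLER_STUB + b"EVIL payload: drop and persist"
FILES = {"unregmp2.exe": BENIGN_FILE, "dropper.exe": MALWARE_FILE}

# A short hex signature taken only from the shared stub (the failure mode in
# the thread) versus a longer one that runs on into malware-specific bytes.
SHORT_SIG = INSTALLER_STUB[4:12].hex()            # bytes of "INSTALLE"
LONG_SIG = (INSTALLER_STUB[-4:] + b"EVIL").hex()  # stub tail + malicious bytes

def file_hash(data):
    return hashlib.sha256(data).hexdigest()

def matches(sig_hex, data):
    """Plain substring match of a hex signature (a simplified stand-in for
    ClamAV's hex body signatures)."""
    return bytes.fromhex(sig_hex) in data

def scan(files, sigs, whitelist=()):
    """Return {name: verdict}. A file whose hash is whitelisted is reported
    clean even when a signature hits: the 'keep the good sig, whitelist the
    FP file' outcome GuitarBob describes."""
    verdicts = {}
    for name, data in files.items():
        hit = any(matches(s, data) for s in sigs)
        if hit and file_hash(data) in whitelist:
            verdicts[name] = "clean (whitelisted)"
        else:
            verdicts[name] = "FOUND" if hit else "clean"
    return verdicts

def false_positives(files, sigs, benign_names, whitelist=()):
    """Names of known-benign files that a signature set still flags."""
    v = scan(files, sigs, whitelist)
    return [n for n in benign_names if v.get(n) == "FOUND"]

if __name__ == "__main__":
    print(scan(FILES, [SHORT_SIG]))  # both FOUND: the short sig only sees the stub
    print(scan(FILES, [LONG_SIG]))   # only dropper.exe FOUND
    wl = {file_hash(BENIGN_FILE)}
    print(scan(FILES, [SHORT_SIG], wl))  # short sig kept, benign file whitelisted
```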