false positives???
GuitarBob
They may or may not be false positives. The only way to tell for sure is to scan each file (one at a time) with Jotti at https://virusscan.jotti.org/en on the web or VirusTotal at https://www.virustotal.com/ on the web. Either service will scan a file for you for free with multiple antivirus programs (including Clam AV, which provides the engine/signatures for ClamWin). If more than a couple of AVs besides Clam find an infection, it is probably not a false positive. But if only a couple of them find an infection, it is likely a false positive. I like to see at least 5 AVs agree on something before I accept it.
If it is a false positive, upload the file to Clam AV at https://www.clamav.net/sendvirus/ on the web. When you get to the upload page, be sure to indicate it is a false positive, give them the exact name of the false positive detection, and tell in the comments section why you think it is a false positive (provide Jotti/VirusTotal results). Clam will adjust the signature within a couple of days, and ClamWin will also benefit. Set your ClamWin infected files option to Report Only in case there is a false positive now and then in Windows. You don't want to lose access to a system file by quarantine or removal.
Regards,
alexsupra
thank you. already done.
this time i submitted 3 false positives.
faststone image viewer - fsviewer.exe: Trojan.Agent-121386 FOUND
https://www.virustotal.com/analisis/696e1cd25a82be34ba4d8f055cdb9c8e9339015ba54d86e06162d4342bfea1d2-1250707261
(besides clamav no one thinks that it is a virus, only one engine thinks that it is a Suspicious File)
gimp - gimp-2.6.exe: Trojan.Agent-121386 FOUND
https://www.virustotal.com/analisis/613c7ea4765e732894d80111329f6d77d80d49bde4e1651c4ca7c7dd0ef0090d-1250741737
(besides clamav no one thinks that it is a virus, only one engine thinks that it is a Suspicious File)
cmdow - cmdow.exe: Trojan.HideWindows-1
https://www.virustotal.com/analisis/0200a3f80693ef2831d4939195005f2cc52053d2e61262d78822a1dac044ee55-1250755570
(half of the engines think that it is a normal file, half of them vice versa. but most of the detection results tell that it is not a virus e.g.: not-a-virus, Suspicious File, potentially unwanted program, Riskware, RiskTool, SecurityRisk, etc.)
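The triage rule from the first reply (a couple of engines or fewer besides Clam suggests a false positive, five or more agreeing suggests a real detection), combined with the grayware labels listed in the post above, as an added Python example that is not part of the original thread. The scan results, engine names, the `triage` and `classify` helpers and the separate "dual-use" outcome are assumptions made for illustration.

```python
import re

# Verdict wording the post above lists as "not a virus" style results.
GRAYWARE = re.compile(
    r"not-a-virus|suspicious|potentially unwanted|riskware|risktool|securityrisk",
    re.IGNORECASE,
)
CLAM_ENGINES = {"clamav", "clamwin"}  # the engine under review is not counted


def classify(label):
    """Map one engine's verdict string to 'clean', 'grayware' or 'malicious'."""
    if not label:
        return "clean"
    return "grayware" if GRAYWARE.search(label) else "malicious"


def triage(results, accept_at=5, couple=2):
    """results maps engine name -> verdict string (None means no detection)."""
    counts = {"clean": 0, "grayware": 0, "malicious": 0}
    for engine, label in results.items():
        if engine.lower() not in CLAM_ENGINES:
            counts[classify(label)] += 1
    if counts["malicious"] >= accept_at:
        verdict = "likely real detection"
    elif counts["malicious"] > couple:
        verdict = "inconclusive"
    elif counts["grayware"] >= accept_at:
        verdict = "dual-use tool, policy decision"  # assumption, not from the thread
    else:
        verdict = "likely false positive"
    return verdict, counts


# Constructed scan results; engine names and labels are placeholders.
FSVIEWER = {"ClamAV": "Trojan.Agent-121386", "EngineA": "Suspicious File",
            **{f"Engine{c}": None for c in "BCDEFGH"}}
CMDOW = {"ClamAV": "Trojan.HideWindows-1", "EngineA": "not-a-virus:RiskTool",
         "EngineB": "Riskware", "EngineC": "SecurityRisk",
         "EngineD": "Potentially Unwanted Program", "EngineE": "Suspicious File",
         "EngineF": "Trojan.Generic", "EngineG": None, "EngineH": None}

if __name__ == "__main__":
    for name, scan in (("fsviewer.exe", FSVIEWER), ("cmdow.exe", CMDOW)):
        print(name, *triage(scan))
```

Tallying grayware labels separately keeps a window-hiding utility such as cmdow from being counted as either a confirmed infection or a plain false positive.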
alexsupra
i wrote you and submitted false positive files not because of a problem on my own standalone pc and not even one local area network... these are several hundreds of workstations and servers in different networks around the city. all of them are defended by a strong security system based on various custom preconfigured freeware programs and components including clamav for win. this security system is a part of an integrated, preconfigured and automated software installation system with advantaged local and networking features. thus it includes a lot of free software that is being used, tested, configured and customized every day for providing better defaults for end-users and system administrators. so all software programs including every miscellaneous file are well known to me (including the submitted ones) cause i'm the main developer of this free software meta-package which is called sysinstall https://usetools.net/sysinstall and chief-engineer of the https://usetools.net project about free software.

i should control the situation every day cause my job is i.t. outsourcing. thus i support several companies using free system and user software preconfigured by myself and other members of the usetools project. yesterday i got the situation with false positives on several machines for the first time and it happened after yesterday's automated (by self-made scripts) clamwin database update. it looked like a joke but 3 of 4 programs are part of sysinstall. clamwin is part of sysinstall too. i like clamwin very much especially for its command line features, laconic gui and much more for the true results in comparison to all other (free and commercial) alternatives. but yesterday's false positives made me ask you to fix the problem. that's because i'm interested in clamwin becoming better and glad to help with real practical usage results on a large amount of computers.

one more reason is responsibility due to my job, i can't let software programs behave inadequately. now i got the situation when the antivirus scanner became evil and decided to kill common and absolutely normal user software programs and developer console tools (that is an absolute fact according to my investigations and by the way according to the web-tools suggested by you too). thus i must solve this collision because that is a conflict inside high quality, powerful and free software that i provide to improve the everyday work of people but not to turn it into a comedy and false positives hunting game. i still believe that the problem will be fixed soon. nobody likes to write sad facts in reports, me too. thank you a lot for your work and have a nice day.
GuitarBob
Most AVs have them from time to time, and sometimes they are high profile. Yesterday, CA and Kaspersky were both zapping some important files. With that said, however, I think ClamWin does have too many false positives on Windows system files.
Clam AV furnishes the scanning engine and virus signature database for ClamWin, so ClamWin is very dependent upon Clam. Clam AV is primarily a Linux email gateway scanner, and it does not work directly with the Windows OS on machines. ClamWin does, however, and I understand that the ClamWin developers are working on a solution to the false positives for Windows system/office files. In the meantime, all we can do is use Report Only instead of Quarantine/Remove for the ClamWin infected files option. You can exclude Windows OS files from scanning in ClamWin's configuration filters. By the way, do you have any applications/scripts, etc. that might be of use to other ClamWin users that the ClamWin developers could take a look at?
Regards,
alexsupra
thank you, now it's exactly clear for me.
as to exceptions i'm already using this practice (i was forced to the first time when i noticed several months ago that clamav doesn't like the chrome.dll file which is part of the google chrome web browser) via the clamwin.conf file. there follows the latest usetools version of the clamwin configuration which i updated yesterday in accordance with the false positives problems.
usetools sysinstall has a downloader/updater but it is not automated for providing new configuration files to all of the system users simultaneously. on the other hand clamwin has automated database updates in our system:
as can be seen from the command shell code fragments (these are not full command shell scripts cause they contain a lot of code not connected with clamwin), in case of a successful database update in background mode freshclam initiates clamscan to check memory for viruses with the latest virus signatures. in case of detection it kills the enemy process without file moving/deletion. in case of database update failure (e.g.: internet connection error) it tries to do it later. all these operations are logged in detail at all stages. thus automated clamwin updates/scans pose no danger of any files being moved/deleted even if false positive problems take place. killing and logging only. other things that i implemented using clamwin can run in the following cases: mounting of new drives (e.g.: usb flash disks) and user interaction via the graphical interface. but these modules work using more 3rd party (i mean outside standard windows and clamav equipment) software than the code written above. however if it is really interesting i can tell about them too...
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.