jeffjewitt
Joined: 27 Apr 2009 | Posts: 0 | Location: Cleveland, OH
Posted: Tue Oct 27, 2009 3:26 pm
I switched to a different AV engine several months ago. Re-installed C/W yesterday and still get this, which was a false positive mentioned in a thread several months ago.
C:\WINDOWS\Installer\5a2172e.msp: W32.Virut.Gen.D-159 FOUND
It's too big a file to check out, so I'll just ignore it, but is it OK to delete or quarantine one of the "installer" files?
Jeff
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Tue Oct 27, 2009 11:29 pm
You might get an MD5 hash of the file, if you have a hasher program, and see what Google says about the hash to verify it's OK. Also, Jotti/VirusTotal may take a larger file, and they will give you a hash. If it's a false positive, you can exclude it from scanning in ClamWin's Filters Preferences (c:\directory\subdirectory\filename.extension). Clam needs to know to drop the false signature, however.
Regards,
jeffjewitt
Joined: 27 Apr 2009 | Posts: 0 | Location: Cleveland, OH
Posted: Wed Oct 28, 2009 3:03 pm
"see what Google says about the hash"
How do I do that?
I downloaded MD5 and checked the hash, but how do I compare my stored file with another version?
Sorry, but file hashes are something new to me.
Jeff
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Oct 28, 2009 3:25 pm
I would just "paint" the hash and paste it in a Google search. You should leave off the 0x if it has that. If something is "bad," a hash search will sometimes give you more info.
You can also upload the file to ThreatExpert at https://www.threatexpert.com/submit.aspx on the web for a detailed run-time analysis. A hash search will often lead you to ThreatExpert anyway if it is "bad."
Regards,
jeffjewitt
Joined: 27 Apr 2009 | Posts: 0 | Location: Cleveland, OH
Posted: Wed Oct 28, 2009 4:04 pm
This is the hash string MD5 displays for that file:
B5E0040F5370B62995C96A677D1C9351
I pasted that into a Google search box and 0 records came back. That means it's OK?
PS - all the upload sites say the file is too large and they reject it.
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Oct 28, 2009 4:16 pm
Well, it means Google couldn't find any references to the hash, so that's a good sign. If you tried ThreatExpert but couldn't upload, upload it to Clam as a false positive starting at https://www.clamav.net/sendvirus/ on the web. Be sure to click on "false positive" and tell them the name of the false-positive virus in the comment block; also check the box to receive a reply after they analyze it. Clam may take larger files than some of the services.
If you are sure it is a false positive, you can temporarily exclude the file from ClamWin scans by including the entire path and filename in ClamWin's Filter preferences. It could take Clam a couple of days to look at the file.
Regards,
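For Jeff's question about how to hash a file and compare it with a hash found elsewhere, here is an added Python example (not from this thread or from ClamWin): it streams the file in chunks so a large Installer .msp fits in memory, normalizes a pasted hash (upper/lower case, a leading "0x" as GuitarBob mentions) and compares in constant time. The sample file content and temp path are constructed for illustration only.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat for large .msp files


def normalize_hash(text: str) -> str:
    """Turn a pasted digest (any case, optional leading '0x') into lowercase hex."""
    value = text.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    if not value or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError(f"not a hex digest: {text!r}")
    return value.lower()


def file_digests(path: str) -> dict:
    """Read the file once, in chunks, and return MD5 and SHA-256 hex digests.

    MD5 is what most 2009-era lookup sites keyed on; SHA-256 is included because
    MD5 is not collision-resistant and current services prefer it."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches(path: str, expected: str) -> bool:
    """True if the file's digest equals `expected`; algorithm picked by digest length."""
    want = normalize_hash(expected)
    algo = {32: "md5", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected a 32-char MD5 or 64-char SHA-256 hex digest")
    return hmac.compare_digest(file_digests(path)[algo], want)


def write_sample(content: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".msp")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    sample = write_sample(b"abc")  # constructed stand-in for an Installer .msp
    print(file_digests(sample))
    print(matches(sample, "0x900150983CD24FB0D6963F7D28E17F72"))  # prints True
    os.remove(sample)
```

Paste the printed MD5 into a search engine or a scanner's hash lookup exactly as GuitarBob describes; a match with a hash published by the vendor confirms the file is the one they shipped.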