ClamWin Free Antivirus
Support and Discussion Forums
false positives? (excelcnv.exe & *.msp)
dwinter


Joined: 30 Dec 2008
Posts: 0
i have several computers on our network running clamwin (all are current versions) with weekly scans and they are all set up to email an alert to me if there are any problems. this is the third or fourth weekend in a row that i have received reports from every computer running clamwin.

in almost every case excelcnv.exe is being reported along with at least one msp file (with different names).

every time i have tested these files on https://virusscan.jotti.org/en the only scanner that reports a problem is clamwin. all of the others come up clean every time.

today i submitted these files to https://cgi.clamav.net/sendvirus.cgi:

c:\program files\microsoft office\office12\excelcnv.exe
c:\windows\installer\2f28b1d.msp

what changed? why are all of my clamwin workstations suddenly emailing reports on these files that are seemingly false positives?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
I sent you a PM with file upload details.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Clam frequently has false positive identifications of Windows/Office files after Microsoft has issued a security update or after a user installs a new version of such a file. The culprit is often a Virut.Generic detection. Current Windows/Office files with virut false positives have been "whitelisted," but a recently-changed file will not be whitelisted until someone sends it in as a false positive.

Clam can't just easily drop or change a generic signature. They take much more time/effort than the average signature to develop, and they do their job. In the case of the Virut generic signatures, they detect about 90% of the viruts. The signature just happens to include some "good" code in addition to the malware code.

What's needed is some assurance that a detection--especially involving Windows/Office files--is indeed a real detection by ClamWin. In my opinion, ClamWin has some responsibility for doing this. Clam is primarily concerned with static detection of email files on a Linux box, while Clam is responsible for detection on boxes actually running Windows.

Regards,

dwinter


Joined: 30 Dec 2008
Posts: 0
@alch: both files mentioned in my report have been uploaded to the ftp site. thanks!

@guitarbob: also, thanks. i just wanted to get these files uploaded so they could check them thoroughly.
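A triage sketch for the situation in this thread, added here as an example and not taken from any poster or from ClamWin: it reads clamscan-style report lines (`<path>: <signature> FOUND`) collected from several workstations and lists detections that hit the same file in a vendor-managed directory on multiple hosts under a generic-looking signature, which are the ones worth checking on a multi-scanner service and submitting as suspected false positives. The host names, signature names, directory list and "generic" markers are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# clamscan-style report line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

# Assumed triage heuristics (not ClamWin behaviour): vendor-managed
# locations and a "generic" marker somewhere in the signature name.
VENDOR_DIRS = ("c:\\program files\\microsoft office\\", "c:\\windows\\installer\\")
GENERIC_MARKERS = ("generic", ".gen")


def parse_report(text):
    """Return (lowercased path, signature) pairs for every FOUND line."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path").lower(), m.group("sig")))
    return hits


def fp_candidates(reports, min_hosts=2):
    """reports: {host: report text} -> sorted [(path, sig, hosts)] to review."""
    seen = defaultdict(set)
    for host, text in reports.items():
        for path, sig in parse_report(text):
            seen[(path, sig)].add(host)
    out = []
    for (path, sig), hosts in seen.items():
        vendor = path.startswith(VENDOR_DIRS)
        generic = any(g in sig.lower() for g in GENERIC_MARKERS)
        if vendor and generic and len(hosts) >= min_hosts:
            out.append((path, sig, sorted(hosts)))
    return sorted(out)


# Constructed sample reports: hosts, signature names and the temp path are made up.
SAMPLE = {
    "ws01": "c:\\program files\\microsoft office\\office12\\excelcnv.exe: Example.Virut.Generic FOUND\n"
            "c:\\windows\\installer\\2f28b1d.msp: Example.Virut.Generic FOUND\n",
    "ws02": "C:\\Program Files\\Microsoft Office\\Office12\\excelcnv.exe: Example.Virut.Generic FOUND\n"
            "c:\\users\\a\\temp\\x.exe: Example.Trojan-1 FOUND\n",
}

if __name__ == "__main__":
    for path, sig, hosts in fp_candidates(SAMPLE):
        print(f"{path}  {sig}  hosts={','.join(hosts)}")
```

Because cached .msp files carry different names on each machine, they only surface with `min_hosts=1`; the output is a review list, not a verdict that a file is clean.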