jamesb
Joined: 08 Feb 2010 | Posts: 0 | Location: Honolulu
Posted: Mon Feb 08, 2010 9:58 am

Hi ClamWin Forum folks -
Please pardon if this has been addressed, but I have not been able to find a meaningful reference to it in the forums this weekend. On several WinXP SP2 computers I work with in various locations, ClamWin has quarantined raenh.dll and a couple of other system32 files, reporting win32.zhelatin or variants thereof. How can I learn definitively whether this is a false positive, and if so how can I know when the issue will be addressed in a definitions library update, so I can turn scanning back on? Research on this worm seems to indicate that it's old and no longer active.
Many thanks in advance, any suggestions appreciated -
jamesb in Honolulu

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Mon Feb 08, 2010 2:21 pm

There have been some other reports on this forum about this recently. Most likely it is a false positive. You can submit files to ClamAV (which furnishes the scan engine and signature database for ClamWin) that are either undetected viruses or false positives at https://www.clamav.net/sendvirus/ on the web. When you get to the submission page, if it is a false positive, click on the false positive tag, and tell the exact name of the false detection in the comments section. Also tell why you think it is false. If the file is too large for Clam, get back here and let us know about it.
Before submitting to Clam, however, upload the file to the Jotti scanning service at https://virusscan.jotti.org/en or the VirusTotal scanning service at https://www.virustotal.com/ on the web. Either service will scan the file for you with multiple antivirus products, including Clam. If several other AVs find a file is infected, it probably is. If only a few find an infection, it is probably a false positive.
The Threat Expert service at https://www.threatexpert.com/ on the web will also let you submit a file to check out. They will actually run the file and give you an email report. If it is "evil," they will provide a threat ranking.
Regards,

jamesb
Joined: 08 Feb 2010 | Posts: 0 | Location: Honolulu
Posted: Mon Feb 08, 2010 6:47 pm

Many thanks, I will do that.