Heuristic.Trojan.SusPacket. TMS FOUND - False Positive?
GuitarBob
Heuristics are always subject to false positives, but they do catch a lot of viruses. The problem is that "evil" files can use the same tools/coding as the good files. The only way to cure a false positive is to visit the Clam AV submission page, starting at https://www.clamav.net/lang/en/sendvirus/ on the web. This is a welcome page. When you get to the actual submission page, upload the file to them, designate it as a false positive, and tell them the name of the falsely-detected virus in the comments section. Clam AV furnishes the scanning engine and signature database for ClamWin, and they will correct their signature within 2 or 3 days.
In the meantime, you can exclude the filename.extension (like that) in ClamWin's filters tab--on the left side of the page. Regards,
fidel
Hi GuitarBob,
I am already in contact with the clam-devs - gonna add the results later to this post. Thanks for your hints. Best Regards fidel
fidel
After consulting a Clam developer, the signatures were adjusted with regard to a sample file. Now the only remaining snag seems to be the still outdated Clam engine in ClamWin's case.
Quote:
Regards, fidel
clwin01
Hello,
with today's clamwin updates, the scan found a lot of files with the message in the thread title; clamwin unloaded from memory all DLLs/programs with this (false positive) message and moved them to .quarantine. It was quite a big disaster. From now on I'll set the clamwin action to "Report Only". Bye
beeg_98
I don't believe either of these files is infected. The first, PsTools.zip, I've had on my machine for a long time and downloaded from Microsoft. The second is a Google Chrome add-in for switching proxies, "Proxy Switchy!". I've scanned both of these files with Avira AntiVir, and they both return negative. It might be good to refine the definition that is catching these files a little more. Thanks.
cing
DISASTER like clwin01.
Advise setting to Report Only until it's fixed. I had more than 40 files tagged as infected with Heuristic.Trojan.SusPacket. TMS FOUND all moved to quarantine. Clamwin flagged two of its own files - clamwin.exe and clamtray.exe - and moved them as well. The virus scan report did not get written to file, so I have no way of knowing from where all of the files came. Probably will have to reinstall most of the affected programs. Hard to believe a major problem like this got committed to the daily updates.
hubbabubba
Hello!
Every morning, I upload the Virus Database and do a Memory Scan. Today, I got Heuristic.Trojan.SusPacked.TMS FOUND dire messages all over the place. The program stopped after five files were identified in this manner. They were KERNEL32.DLL, GDI32.DLL, I81X329X.DLL, ADVAPI32.DLL, USER32.DLL. As you can see, all important files. After rebooting, I went to https://virscan.org/ and had them scan by the plethora of on-line scanners they have. Not one suspicious file report on any of these five DLLs!!! Normally, I expect at least one or two positives per file checked. I did a scan of the entire SYSTEM folder and got Heuristic.Trojan.SusPacked.TMS FOUND on 99% of the DLLs. Something is going very wrong...
brianecole
I concur with this. We scan our servers daily. Today Clam decided to quarantine THOUSANDS of files under c:\Windows that are part of the Windows Server 2008 R2 operating system this morning, so Windows no longer functions properly and we have to reinstall Windows on several servers. Not fun. It found so many false positives that it stopped quarantining them after about 3,000 files and simply reported the remainder. All of them with the same thing: Heuristic.Trojan.SusPacked.TMS.
Same here - Happens on Mac OS X v10.5.8
knockmonster
Eight of my Mac OS X machines found around 100 "viruses" this morning during the daily cron jobs. They were each quarantined. But these could not all possibly be Heuristic.Trojan.SusPacked.TMS. Many were found here:
/Library/Internet Plug-Ins/Silverlight.plugin/Contents/MacOS/
And here:
/System/Library/CoreServices/.diagnostics
/System/Library/Frameworks/Python.framework/Versions/
Then two odd files:
/System/Library/Java/Support/VisualVM.bundle/Contents/Home/platform11/lib/nbexec.dll
/System/Library/CoreServices/boot.efi
It's the same on all machines. I hope someone who develops these virus definitions reads this.
Matthew
jideel
Same here. Windows 2000, 2003, 2008, 2008 R2 servers, all affected.
Most files are reported as "Heuristic.Trojan.SusPacked.TMS", and it tries to unload all DLLs from memory, including critical system/kernel ones, obviously crashing the system. It crashed one of our servers last night, but fortunately, as we don't use quarantine, a simple hardware reboot fixed the issue. But we had to disable the antivirus on all of our servers to avoid such behavior! Really annoying.
GuitarBob
If you have reported a false positive to Clam, they will usually fix it within a couple of days. For a false positive that is not yet fixed, you can exclude the affected file from ClamWin scans via the Configuration menu, Filters.
If you have more than one detection for the same virus, it is likely to be a false positive. When using Report Only as the infected file option, you may also want to uncheck the General configuration option to Unload infected programs from memory. Regards,
cing
Well, yes...but the large number and variety of false positives leads me to suspect an error in the virus definition that was just committed to the database. I've turned it off instead of spending time excluding core OS files.
False positives suddenly on November 18th
tony-jennings
Of our 4 servers running clamav, the first one that scans for the day threw lots and lots of reports from files all over the server.
This included files of clamav itself as well as Windows files. This server is a 3 week old (Oct 26) install of Windows Server 2008 and clamav has been running since October 29th. Everything has been quiet from this server until this evening - BANG! ALSO, if (as a test) I scan mysql-5.1.51-winx64.msi with clamav, it reports 'infected with Heuristic.Trojan.SusPacket. TMS FOUND'. However, if I run the file through the MD5 hash calculator, the checksum matches the published signature, proving that it has not been modified/infected. Seems to me that this virus definition download is going to be causing a whole lot of grief! Looks like the default clamav install is set to report only - phew!
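As an added example (not code from this thread, from ClamWin or from ClamAV), the Python below applies the two triage rules posters arrive at above: a signature that fires on many files across unrelated directories (GuitarBob's and cing's point) is more likely a broken definition than an outbreak, and a download whose MD5 matches the vendor-published checksum (tony-jennings' test) is unmodified. The report lines and the checksum inputs are constructed; the line format assumed is clamscan's "path: signature FOUND", which ClamWin's own log may not reproduce exactly.

```python
import hashlib
import re
from collections import defaultdict

# Constructed ClamWin/clamscan-style report lines (not a real log from the thread).
SAMPLE_REPORT = """\
C:\\Windows\\System32\\KERNEL32.DLL: Heuristic.Trojan.SusPacked.TMS FOUND
C:\\Windows\\System32\\USER32.DLL: Heuristic.Trojan.SusPacked.TMS FOUND
C:\\Program Files\\ClamWin\\bin\\clamwin.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\\Users\\bob\\Downloads\\PsTools.zip: Heuristic.Trojan.SusPacked.TMS FOUND
C:\\Users\\bob\\Downloads\\sample.exe: Win.Trojan.Constructed-1 FOUND
C:\\Users\\bob\\notes.txt: OK
"""

# clamscan prints "<path>: <signature> FOUND" for each detection (assumed format).
LINE_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")

def parse_report(text):
    """Map each signature name to the list of paths it fired on."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def top_dir(path):
    """First directory component, ignoring a drive letter or leading slash."""
    parts = re.split(r"[\\/]+", path)
    if parts[0] == "" or parts[0].endswith(":"):
        parts = parts[1:]
    return parts[0].lower() if parts else ""

def suspect_signatures(hits, min_hits=3, min_dirs=2):
    """Flag signatures that fire on many files spread over unrelated
    top-level directories (OS, the AV's own files, user downloads):
    the pattern of a broken definition rather than a real outbreak."""
    out = {}
    for sig, paths in hits.items():
        dirs = sorted({top_dir(p) for p in paths})
        if len(paths) >= min_hits and len(dirs) >= min_dirs:
            out[sig] = {"hits": len(paths), "dirs": dirs}
    return out

def matches_published_checksum(data, published_md5):
    """True when the bytes hash to the vendor-published MD5, i.e. the download is
    unmodified; it says nothing about whether the vendor's file itself is clean."""
    return hashlib.md5(data).hexdigest().lower() == published_md5.strip().lower()
```

A signature the script flags is a candidate for the Clam AV false-positive submission page, not proof; a real infection that spreads to many directories would also trip the first rule.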
alch
Site Admin
There was a bug in 0.96.2 release which is fixed in 0.96.4 released today. Please download and install the update:
https://sourceforge.net/projects/clamwin/files/clamwin/0.96.4/clamwin-0.96.4-setup-nodb.exe/download
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.