False positive on Disktective
philgoetz


Joined: 23 Feb 2011
Posts: 0
Location: DC
Disktective, freeware from https://www.disktective.com/

My local ClamWin says:
D:\data\code\hardware\disk\Disktec\disktective.exe: Trojan.Agent.ND-7 FOUND

From https://www.virustotal.com :

Antivirus             Version         Last Update Result
AhnLab-V3             2011.02.14.02   2011.02.14  -
AntiVir               7.11.3.166      2011.02.21  -
Antiy-AVL             2.0.3.7         2011.02.19  -
Avast                 4.8.1351.0      2011.02.20  -
Avast5                5.0.677.0       2011.02.20  -
AVG                   10.0.0.1190     2011.02.20  -
BitDefender           7.2             2011.02.21  -
CAT-QuickHeal         11.00           2011.02.21  (Suspicious) - DNAScan
ClamAV                0.96.4.0        2011.02.21  PUA.Packed.ASPack
Commtouch             5.2.11.5        2011.02.20  -
Comodo                7757            2011.02.21  -
DrWeb                 5.0.2.03300     2011.02.21  -
Emsisoft              5.1.0.2         2011.02.21  -
eSafe                 7.0.17.0        2011.02.17  -
eTrust-Vet            36.1.8173       2011.02.21  -
F-Prot                4.6.2.117       2011.02.20  -
F-Secure              9.0.16160.0     2011.02.21  -
Fortinet              4.2.254.0       2011.02.21  -
GData                 21              2011.02.21  -
Ikarus                T3.1.1.97.0     2011.02.21  -
Jiangmin              13.0.900        2011.02.21  -
K7AntiVirus           9.87.3913       2011.02.21  -
Kaspersky             7.0.0.125       2011.02.21  -
McAfee                5.400.0.1158    2011.02.21  -
McAfee-GW-Edition     2010.1C         2011.02.21  -
Microsoft             1.6502          2011.02.21  -
NOD32                 5891            2011.02.20  -
Norman                6.07.03         2011.02.20  -
nProtect              2011-02-10.01   2011.02.15  -
Panda                 10.0.3.5        2011.02.20  -
PCTools               7.0.3.5         2011.02.21  -
Prevx                 3.0             2011.02.21  -
Rising                23.45.04.06     2011.02.18  -
Sophos                4.61.0          2011.02.21  -
SUPERAntiSpyware      4.40.0.1006     2011.02.21  -
Symantec              20101.3.0.103   2011.02.21  -
TheHacker             6.7.0.1.134     2011.02.21  -
TrendMicro            9.200.0.1012    2011.02.21  -
TrendMicro-HouseCall  9.200.0.1012    2011.02.21  -
VBA32                 3.12.14.3       2011.02.21  -
VIPRE                 8490            2011.02.21  -
ViRobot               2011.2.21.4321  2011.02.21  -
VirusBuster           13.6.210.1      2011.02.20  -
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
A PUA detection on ClamAV/ClamWin is not an indication of a virus. PUA detection is optionally selected by the user, and it is just informative--nothing else. What the PUA detection indicates is that the file is packed with a packer frequently used to pack/obfuscate/hide malware. There are also PUA signatures for malware tools, scripts, etc. Because of this, ClamAV will not adjust/correct/drop a PUA signature.

I notice that the PUA detection is a little bit out of favor now--I don't see it as often as I used to among AVs.

If the detection bothers you, you can exclude the filename.extension from ClamWin's scans or delete the PUA selection in the advanced tab.

Regards,
philgoetz


Joined: 23 Feb 2011
Posts: 0
Location: DC
The PUA is detected by the online multi-virus-detection-program sites.
My local copy of ClamWin, on the disktec.zip I downloaded in August 2010, instead says:

D:\data\code\hardware\disk\Disktec\disktective.exe: Trojan.Agent.ND-7 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 905166
Engine version: 0.97
Scanned directories: 1
Scanned files: 4
Infected files: 1

Data scanned: 0.64 MB
Data read: 0.50 MB (ratio 1.29:1)
Time: 8.500 sec (0 m 8 s)


BUT, on a fresh download today, it says:




----------- SCAN SUMMARY -----------
Known viruses: 905166
Engine version: 0.97
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 1.02 MB
Data read: 0.50 MB (ratio 2.02:1)
Time: 3.453 sec (0 m 3 s)

--------------------------------------
Completed
--------------------------------------
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The online scanners probably have PUA detection enabled on Clam--the average user probably does not need PUA enabled, as it could scare them needlessly. Since you had no detection on the last scan, it looks like maybe a false positive was corrected.

Always keep ClamWin updated to the latest engine, as older engines may register false positives when they can't completely process an enhanced signature, and each new version has additional enhanced signatures.

Regards,
View user's profileSend private message
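One way to triage reports like the ones quoted in this thread, as an added example (not code from the posters or from the ClamWin project): it separates PUA.* hits from other detections and checks whether two reports show the same engine version and signature count. The sample reports are constructed, and the second path and all function names are assumptions.

```python
import re

# Constructed samples in the scan-report format quoted in this thread;
# the second path and the PUA hit on it are made up for illustration.
OLD_SCAN = r"""
D:\data\code\hardware\disk\Disktec\disktective.exe: Trojan.Agent.ND-7 FOUND
D:\samples\packed_tool.exe: PUA.Packed.ASPack FOUND
----------- SCAN SUMMARY -----------
Known viruses: 905166
Engine version: 0.97
Infected files: 2
"""
NEW_SCAN = r"""
----------- SCAN SUMMARY -----------
Known viruses: 905166
Engine version: 0.97
Infected files: 0
"""

# A Windows path contains ':' itself; the greedy match splits at the last ': '.
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(Known viruses|Engine version|Infected files): (.+)$")

def parse_scan(text):
    """Return (hits, summary) parsed from a scan report in the format above."""
    hits, summary = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        hit = HIT_RE.match(line)
        if hit:
            sig = hit.group("sig")
            # PUA.* names are the optional, informational class described above.
            kind = "pua" if sig.startswith("PUA.") else "other"
            hits.append({"path": hit.group("path"), "signature": sig, "kind": kind})
            continue
        field = SUMMARY_RE.match(line)
        if field:
            summary[field.group(1)] = field.group(2)
    return hits, summary

def needs_review(text):
    """Paths with a non-PUA detection, the ones worth a second opinion."""
    return [h["path"] for h in parse_scan(text)[0] if h["kind"] == "other"]

def same_engine_and_db(scan_a, scan_b):
    """True when both reports show the same engine version and signature count."""
    keys = ("Engine version", "Known viruses")
    a, b = parse_scan(scan_a)[1], parse_scan(scan_b)[1]
    return all(k in a and a[k] == b.get(k) for k in keys)
```

When `same_engine_and_db` is true for two reports with different verdicts, as in the two summaries quoted above, the comparison suggests checking whether the scanned files themselves differ.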