Still quarantining chrome.dll

WingNut
Joined: 19 Apr 2012 | Posts: 0
Posted: Thu Apr 19, 2012 2:56 pm
I have updated my application and updated the virus DB, and I am still getting false positive hits on chrome.dll. Is there a hotfix or exception list I can add chrome.dll to in order to prevent this?
Also, on another note, I've started having some FLV files (downloads from YouTube) be detected as infected. Strange stuff lately.

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Fri Apr 20, 2012 12:28 am
It's a good idea to check all files with Jotti or Virus Total before you run them. You can exclude directories or files from ClamWin scans in the Filters tab, exclude matching filenames. Check the Help file for more info.
Regards,

swerenfl
Joined: 16 Jan 2012 | Posts: 0 | Location: Schaumburg, IL
Posted: Fri Apr 20, 2012 2:02 pm
alch wrote: "fixed in a latest db update"
These False Positives are popping up again. Is there a way to ignore these files while the virus definitions get updated? I freak out when I see the ***VIRUS DETECTED*** email every morning.

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Fri Apr 20, 2012 6:15 pm
Go to the ClamWin configurations menu via right click on the system tray icon. From the menu, select Configure ClamWin, filters, double click the New Items box between Alphabetical and X, insert the filename.extension or the entire listing from your directory, double click the New Items box again for another file or OK to quit.
This will exclude the filename and extension from ClamWin scheduled scans. A scan of the individual file will still detect a virus however.
Regards,

CHROME FALSE POSITIVE
johnp
Joined: 04 May 2012 | Posts: 0
Posted: Fri May 04, 2012 10:47 am
To report that a fresh download of 0.97.4 is giving false positives with a fresh Chrome install 18.0.1025.168 still gives a false positive for chrome.dll - W32.Virut.Gen.D-148 FOUND

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Fri May 04, 2012 12:31 pm
Report the false positive to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. Be sure to select the false positive option. Clam AV should either whitelist the file or fix their signature within a few days. In the meantime, you can whitelist the file in ClamWin's filters as described above.
Regards,

Tried to report
dmespelt
Joined: 07 Nov 2011 | Posts: 0
Posted: Mon May 07, 2012 1:46 pm
I tried to report the false positive of chrome but was told "This file is not detected by ClamAV. Please update your cvd before reporting..."
Everything is up to date however.
Every morning I get five or six emails from the same machines because of "\Google\Chrome\Application\18.0.1025.162\chrome.dll: W32.Virut.Gen.D-148 FOUND"
I've added an exclusion to the directory and even the specific file... yet every morning I get more email.
Any ideas?

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Mon May 07, 2012 1:56 pm
Have you verified the file is really clean by scanning it with the Jotti or Virus Total online scanning services? Also, have you updated to the latest version of ClamWin (V.97.4), and are your signatures current? Are the detections always on the same machines? What about scanning the same file on another undetected machine?
Regards,

dmespelt
Joined: 07 Nov 2011 | Posts: 0
Posted: Mon May 07, 2012 6:54 pm
It's too big for Jotti or Virus Total. I had Norton's online checker look over the whole hard drive and it said I was fine. I then told Clam to check the chrome.dll file and it didn't like it. I'm running ClamWin v.97.4 and Clam Sentinel 1.19 (both latest) and have updated my defs. Detections are on the same five machines, but a couple of them, once I added the file to the exclusion filter, actually stopped sending emails. For the others I've added the complete path and file name, path and *, path and *.* - I still get emails.
I copied the file to another machine that didn't have Chrome installed and told Clam to scan, and it doesn't like the file either.
Hmmm.....

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Mon May 07, 2012 7:12 pm
Send email to luca at clamav dot net and ask for instructions on submitting a file that is too large for the Clam submission interface.
There have been some false positives lately on Chrome after the recent security patches, which turns it into a brand new file. So Clam's past whitelisting does not help. They will need the new file.
Regards,
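
Added example, not part of the original thread or of ClamWin: a short Python script that parses report lines in the `path: signature FOUND` form quoted in the posts above and groups them by file name and signature, showing when one signature hits several Chrome builds (each build being a new file). The sample report, the full paths and the `Placeholder.Signature-0` name are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample report; only the "path: signature FOUND" line shape and the
# chrome.dll signature name and build numbers come from the thread.
SAMPLE_REPORT = r"""
C:\Users\a\AppData\Local\Google\Chrome\Application\18.0.1025.162\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\b\AppData\Local\Google\Chrome\Application\18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Users\b\Downloads\clip.flv: Placeholder.Signature-0 FOUND
C:\Users\b\Documents\notes.txt: OK
"""

DETECTION = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
CHROME_BUILD = re.compile(r"\\Application\\(\d+(?:\.\d+){3})\\", re.IGNORECASE)


def parse_detections(report):
    """Return (path, signature) for every 'FOUND' line; other lines are ignored."""
    hits = []
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def summarize(hits):
    """Group hits by (file name, signature) and collect the Chrome builds seen."""
    groups = defaultdict(lambda: {"paths": [], "builds": set()})
    for path, sig in hits:
        # ntpath handles Windows-style paths regardless of the OS running this.
        entry = groups[(ntpath.basename(path).lower(), sig)]
        entry["paths"].append(path)
        build = CHROME_BUILD.search(path)
        if build:
            entry["builds"].add(build.group(1))
    return dict(groups)


def spans_multiple_builds(groups):
    """Keys detected in more than one build directory: each build is a different
    file, so each needs its own verification and false-positive report."""
    return sorted(k for k, v in groups.items() if len(v["builds"]) > 1)


if __name__ == "__main__":
    groups = summarize(parse_detections(SAMPLE_REPORT))
    for (name, sig), info in sorted(groups.items()):
        print(f"{name}  {sig}  hits={len(info['paths'])}  builds={sorted(info['builds'])}")
    print("multiple builds:", spans_multiple_builds(groups))
```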

dmespelt
Joined: 07 Nov 2011 | Posts: 0
Posted: Thu May 10, 2012 2:29 pm
Sent the email and file. He said the file is not detected by ClamAV so he can't do anything about it.
If it is unchecked then why do I get a dozen emails each morning from Clam saying it's a virus?
Why can't I exclude it?
Any ideas?

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Sat May 12, 2012 1:24 am
Once in a while, there may be a ClamWin detection that is not detected by Clam AV or vice-versa. The reason is usually because the user has an old version of ClamWin. Since you are using ClamWin version .97.4, that is not the problem here. Is this a ClamWin detection (infected file) or a Clam Sentinel detection (suspicious file)? Clam AV can do nothing for you if it is a suspicious file--the only way to fix that is by whitelisting the file in Clam Sentinel's advanced settings, paths or files not scanned. Sentinel has its own heuristic monitor for suspicious file detection, and it will detect some clean .dll files as suspicious and quarantine them. If this is the case, Google may rebuild the file as needed, so go the whitelist route in Clam Sentinel.
Additionally, I saw some internal Clam AV email re: the Google false positives. They said that Clam AV is looking into it.
Regards,

dmespelt
Joined: 07 Nov 2011 | Posts: 0
Posted: Sat May 12, 2012 3:04 am
Being new to the clam environment I was unaware that Sentinel had an exclusion area. I will try that on Monday. Thank you VERY much GuitarBob.
Great advice indeed! I thought that clamwin did all the work and didn't give sentinel enough credit.
I will post how it goes on Tuesday. Monday I'll set the exclusion on Sentinel and delete a few dozen emails from over the weekend.
Thanks again,
- Don
p.s. - The Clam family has saved our school district a ton of money. Thanks!

GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Sat May 12, 2012 1:54 pm
I'm glad Clam and related programs have helped you, Don. Clam AV, ClamWin, and Clam Sentinel are all small efforts compared to the strictly commercial AV programs. Clam does not have a large number of people preparing virus signatures, so its signature database is not a large one, although it does have over a million virus signatures. Keep it updated often, and run an occasional scan on your Windows machines with Malwarebytes Free (general malware) and Kaspersky's TDSSKiller (antirootkit) for extra protection.
Thanks for using the products.
Regards,

hakre
Joined: 22 Feb 2008 | Posts: 0
Posted: Mon May 14, 2012 10:08 am
My ClamWin is reporting:
18.0.1025.168\chrome.dll: W32.Virut.Gen.D-148 FOUND
as well. I had not yet the time to look into this now (probably it's related to the earlier problem), so just for having this documented.
Also that file normally is too large in size for some online meta virus scanners, https://www.metascan-online.com/ allows up to 40 mb but sometimes their site does not work (and it requires javascript which I feel is counter-productive in a sensitive area).
Results: https://www.metascan-online.com/results/nsz64xg64br5850iu0fn1rwbkiinset0/cached
md5: c7d202b4da7c4bf77e9d2d85c0bfcfd3 *chrome.dll
All times are GMT
Page 2 of 3