mikep
Joined: 24 Apr 2013
Posts: 0
Location: Toronto, Ontario
Posted: Wed Apr 24, 2013 6:45 pm
On our Windows 2000 Server where ClamWin was just installed, I'm getting:
C:\Program Files\Resource Kit\whoami.exe: Win.Trojan.Agent-309443 FOUND
E:\RemoteInstall\Setup\english\GX270\ZWinPE\i386\narrator.ex_: Win.Trojan.Kakavex FOUND
(this is in a RIS install area for Dell GX270)
Can this be confirmed as false positives? Any more info needed?
Thanks!
Mike
Lipper
Joined: 31 Oct 2010
Posts: 0
Location: USA
Posted: Wed Apr 24, 2013 7:49 pm
Hello Mike:
I can confirm whoami.exe as a false positive (SHA256: 2d8d557e4bae65be26eea587fe7fedffb8c94d1ac864087a1984962e909bacb1): https://www.virustotal.com/en/file/2d8d557e4bae65be26eea587fe7fedffb8c94d1ac864087a1984962e909bacb1/analysis/
Upload narrator.exe to Jotti or VirusTotal. If Clam is the only engine to alert on the file, it is likely an FP.
Please upload the file(s) as an FP to ClamAV, which makes the signatures for ClamWin: https://www.clamav.net/lang/en/sendvirus/
Thank you!
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Apr 24, 2013 7:50 pm
The best way to confirm a detection as either a real infection or a false positive is to scan the file with multiple AV programs. You can do this online at either the Jotti or VirusTotal web sites. If you need help finding them, visit the ClamWin Antimalware page and look for the links under File Verification. Consider both the number and quality of detecting AVs. I like to see at least 2 of these 5 AVs detect an infection before I believe it: Avira AntiVir, BitDefender, ESET NOD32, Kaspersky, and Sophos. The AVs do pretty well at detecting Windows PE viruses, but they don't do so well at detecting other stuff--like viruses in Office files, HTML files, PDF files, etc., so I will believe an infection for those if only 1 of my "trigger" AVs detects something.
Regards,
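The triage workflow the two replies above describe (hash the flagged file, look it up on a multi-engine scanner, then weigh which engines agree with Clam) can be scripted. The following is an added example written for this thread, not code from ClamWin, ClamAV or either poster. It parses ClamWin's "path: signature FOUND" report lines, hashes files with SHA256 so they can be looked up by hash instead of uploaded, and applies the two decision rules stated in the thread: Lipper's (Clam alone alerting means likely FP) and GuitarBob's (2 of the 5 "trigger" engines for a Windows PE, 1 for other file types). The whoami.exe hash is the one Lipper posted; the engine names used as dictionary keys, the set of extensions treated as PE (including cab-compressed `.ex_`/`.dl_` as found in the RIS tree), and the sample detection results are assumptions constructed for the example.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# A ClamWin/clamscan report line has the form "<path>: <signature> FOUND".
# Non-greedy path match stops at the first ": " (drive letters are "C:\", not "C: ").
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\s*$")

# Constructed copy of the two report lines quoted in the opening post.
SAMPLE_REPORT = "\n".join([
    r"C:\Program Files\Resource Kit\whoami.exe: Win.Trojan.Agent-309443 FOUND",
    r"E:\RemoteInstall\Setup\english\GX270\ZWinPE\i386\narrator.ex_: Win.Trojan.Kakavex FOUND",
])

# SHA256 of the Resource Kit whoami.exe that Lipper confirmed as a false positive.
KNOWN_FALSE_POSITIVES = {
    "2d8d557e4bae65be26eea587fe7fedffb8c94d1ac864087a1984962e909bacb1": "Resource Kit whoami.exe",
}

# GuitarBob's five "trigger" engines. The key spellings are an assumption for this
# example; map them to whatever names your multi-engine report actually uses.
TRIGGER_ENGINES = {"Avira", "BitDefender", "ESET", "Kaspersky", "Sophos"}

# Extensions treated as Windows PE. ".ex_"/".dl_" are cab-compressed PE files as found
# in RIS/setup trees (assumption for this example).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ex_", ".dl_"}


def parse_found_lines(report: str) -> List[Tuple[str, str]]:
    """Return (path, signature) for every FOUND line in a ClamWin report."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory blob, lowercase hex (same form VirusTotal URLs use)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe_path(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in PE_EXTENSIONS


def triage(path: str, sha256: str, detections: Dict[str, Optional[str]]) -> str:
    """Classify one ClamWin hit.

    detections maps engine name -> detection label, or None when that engine
    reported the file clean (the shape a VirusTotal/Jotti result reduces to).
    Verdicts: "known-fp", "likely-fp", "likely-infection", "inconclusive".
    """
    if sha256.lower() in KNOWN_FALSE_POSITIVES:
        return "known-fp"
    detecting = {engine for engine, label in detections.items() if label}
    # Lipper's rule: if Clam is the only engine that alerts, treat it as a likely FP.
    if detecting <= {"ClamAV"}:
        return "likely-fp"
    # GuitarBob's rule: 2 of the 5 trigger engines for a PE, 1 for other content.
    needed = 2 if is_pe_path(path) else 1
    if len(detecting & TRIGGER_ENGINES) >= needed:
        return "likely-infection"
    # Other engines alert but not enough trusted ones: escalate rather than decide.
    return "inconclusive"


if __name__ == "__main__":
    # Constructed multi-engine results for the two quoted hits.
    results = {
        "whoami.exe": ("2d8d557e4bae65be26eea587fe7fedffb8c94d1ac864087a1984962e909bacb1",
                       {"ClamAV": "Win.Trojan.Agent-309443", "Avira": None, "Kaspersky": None}),
        "narrator.ex_": (sha256_hex(b"constructed sample bytes"),
                         {"ClamAV": "Win.Trojan.Kakavex", "Avira": None, "Sophos": None}),
    }
    for path, sig in parse_found_lines(SAMPLE_REPORT):
        digest, engines = results[PureWindowsPath(path).name]
        print(f"{path}\n  {sig}  sha256={digest}  verdict={triage(path, digest, engines)}")
```

In practice you would replace the constructed `results` with `sha256_file()` on each flagged path and a lookup of that hash on the multi-engine service, which avoids uploading internal binaries when the hash is already known there; the final "inconclusive" bucket is the one to send to ClamAV's false-positive form or to a human analyst.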
mikep
Joined: 24 Apr 2013
Posts: 0
Location: Toronto, Ontario
Posted: Thu Apr 25, 2013 2:15 pm
It is a bit tricky finding AV packages (or anything else for that matter) that still work on Windows 2000 - good to see ClamWin goes way back; we had Symantec for a while, but our license has not been renewed AFAIK.
I'll try uploading the other "suspicious" one to VirusTotal to see what it finds.
Thanks all!
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Apr 25, 2013 2:46 pm
Mike:
I came to ClamWin myself when the AVs dropped support for Win 98SE back in 2006, so I know the problem.
By the way, check out Clam Sentinel at https://sourceforge.net/projects/clamsentinel/ on the web. It is a separate GPL open source project, but it lets users of Win 98 and newer computers (tested up through Windows 7) use ClamWin as a resident scanner as files are added to, copied on, or modified on their computer. It also has its own heuristic engine to detect malware in files for which there is no ClamWin signature. It is particularly good at detecting downloaded files before they are executed. ClamWin must be installed before Clam Sentinel. Clam Sentinel is simple and easy, with all menus available via its system tray icon.
Regards,