ClamWin Free Antivirus
Support and Discussion Forums
Is this perhaps a false detection?
Marc W2


Joined: 14 Nov 2013
Posts: 0
On my second Windows 2000 machine (I have got two) I get this message:


C:\WINNT\$NtServicePackUninstall$\ndis.sys: Win.Trojan.Agent-272207 FOUND
C:\WINNT\$NtServicePackUninstall$\tcpip.sys: Win.Trojan.Virtumonde-259 FOUND

If I look up Virtumonde, according to the documentation, it should produce fake "virus detected" messages, directing me to a site where I should buy antivirus. Nevertheless, I do not have this problem. Could this be a so-called false negative?

What should I do? I have deleted those files. I am presently running a full system scan again.
Marc W2


Joined: 14 Nov 2013
Posts: 0
I think I should say false positive, not false negative, right?

Anyway, I mean there is a detection for a coincidental match of a bitcode pattern, but actually no problem.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, a false positive is when something is wrongly detected as a virus. A false negative detection is when something is not detected and it should be.

Anyway, your detections are probably false (Virtumonde doesn't seem to be that active now), but you should upload each one to either Jotti or VirusTotal to be scanned by multiple AV programs, including the ClamAV scanning engine used by ClamWin. Look for at least a couple of detections by quality AVs for verification. I like to see at least a couple of these AVs detect something: Avira AntiVir, Bitdefender, Eset Nod32, Kaspersky, or Sophos. Avast, Fortinet, and Microsoft are also pretty good. Microsoft seldom gets a false positive. If a virus file is very new, it may not be detected by very many AVs until it has been around for a couple of days, so maybe a detection by only one quality AV would be sufficient then. The AV service will tell you when they have last scanned a file.

You should submit all false positive detections to ClamAV at https://www.clamav.net/lang/en/sendvirus/ on the web so they can change the signature. There is one link for false positive submissions and another link for undetected virus submissions.

Thank you for using ClamWin!

Regards,
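The verification rule from the reply above, applied to the report lines from the first post, as an added example that is not part of the thread and not ClamWin code: it parses the `FOUND` lines and checks multi-scanner results against the engines named in the reply. The result dictionaries are constructed, and the two-day cutoff for a "very new" file and the names `parse_report` and `triage` are assumptions.

```python
import re

# Engines named in the reply: the preferred verifiers plus the "also pretty good" ones.
QUALITY = {"Avira AntiVir", "Bitdefender", "Eset Nod32", "Kaspersky", "Sophos",
           "Avast", "Fortinet", "Microsoft"}
NEW_FILE_DAYS = 2  # assumption: "a couple of days" read as two days

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_report(text):
    """Extract (path, signature) pairs from ClamWin/clamscan 'FOUND' lines."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(engine_results, days_known):
    """engine_results maps engine name -> detection label (None if clean).
    Returns (verdict, sorted list of quality engines that detected)."""
    agreeing = sorted(e for e, label in engine_results.items()
                      if label and e in QUALITY)
    # A very new file may be flagged by few engines, so one quality hit suffices.
    needed = 1 if days_known <= NEW_FILE_DAYS else 2
    verdict = "corroborated" if len(agreeing) >= needed else "uncorroborated"
    return verdict, agreeing

# The two report lines quoted in the first post.
REPORT = r"""
C:\WINNT\$NtServicePackUninstall$\ndis.sys: Win.Trojan.Agent-272207 FOUND
C:\WINNT\$NtServicePackUninstall$\tcpip.sys: Win.Trojan.Virtumonde-259 FOUND
"""

# Constructed multi-scanner results (not real scan data).
OLD_FILE_CLAM_ONLY = {"ClamAV": "Win.Trojan.Agent-272207", "Kaspersky": None,
                      "Microsoft": None, "Sophos": None}
OLD_FILE_TWO_HITS = {"ClamAV": "Constructed.A", "Bitdefender": "Constructed.B",
                     "Sophos": "Constructed.C"}
NEW_FILE_ONE_HIT = {"ClamAV": None, "Eset Nod32": "Constructed.D", "Avast": None}

if __name__ == "__main__":
    for path, sig in parse_report(REPORT):
        print(f"{sig:28} {path}")
    print(triage(OLD_FILE_CLAM_ONLY, 3000))  # only ClamAV flags it
    print(triage(OLD_FILE_TWO_HITS, 3000))   # two quality engines agree
    print(triage(NEW_FILE_ONE_HIT, 1))       # new file, one quality hit
```

An "uncorroborated" result is the case the reply says to submit to ClamAV as a false positive, which requires keeping a copy of the file rather than deleting it.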
Marc W2


Joined: 14 Nov 2013
Posts: 0
Thank you. I already removed the file, but the next time I will do what you suggested and improve the ClamAV definitions.