ClamWin Free Antivirus
Support and Discussion Forums
Many NSIS false positives in ClamAV DB
sompaypal


Joined: 17 Sep 2014
Posts: 0
Hello,
I'd like to inform you that ClamAV's DB is currently detecting 5 NSIS compression stubs as viruses or trojans.

This is a huge problem for developers who use NSIS to distribute / install their software, as you can imagine.

Here are the scans of 5 compression stubs I found with ClamAV false positives:
bzip2-ansi: https://www.virustotal.com/en/file/1b77a584fbde1a4e0be47a63deb3801c4e0fcb3330eb0c8b32aed664e7fbf2a3/analysis/1410999357/
bzip2-unicode: https://www.virustotal.com/en/file/12e2e84adb4db08fcf3a41c589b538fc3d30c2409928445dfb51301813a886f7/analysis/1410999462/
zlib-solid-ansi: https://www.virustotal.com/en/file/a280044e4e5d07163482cdbd51a014f3560dd3e866ec2d3e6cc502f71c1dbc27/analysis/
zlib-ansi: https://www.virustotal.com/en/file/1ccc324136906c26fc076cc76a97d4786a84e3d4933cbb779d7fdedba5841b9e/analysis/1411000860/
lzma-solid-ansi: https://www.virustotal.com/en/file/3ad6550549ac52325fe0be0cf1bdb847d15260b71b9890847df75aa12464c0df/analysis/

Here's a link to download a zip containing the falsely classified files:
https://www.sendspace.com/file/78tln9

I kindly ask that you handle this issue as soon as possible, as it is already causing issues for developers.

Thank you & take care
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin uses the scan engine and virus signatures provided by the Clam AV project. The ClamWin project adds a graphical user interface to the Clam AV source code for Linux and ports it over to Windows. It has no sigmaker staff or signature update capability. All false positives should be reported to Clam AV at https://www.clamav.net/fp on the web so they can be corrected. In the meantime, I suggest that you whitelist the falsely detected filenames in the ClamWin tools, preferences, filters, exclude matching filenames option.

It might help speed up false positive correction if you also scan the falsely-detected files with the Virus Total online scanning service, which will also report them to Clam AV.

Thank you for using ClamWin.

Regards,
sompaypal


Joined: 17 Sep 2014
Posts: 0
Thanks for the reply, Bob :)

I've been scanning the false positives on Virus Total for a while now, and that seems to have no effect.

I've also submitted some of the false positives to ClamAV via their form @ https://www.clamav.net/fp, and this also seems to have no effect.

I was hoping you guys would be more closely affiliated with ClamAV's DB maintenance staff and could tell them directly of these false positives, which I think are quite serious.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin does not have a close relationship with the Clam AV project like it did when the original Clam AV team ran things. With the various changes in ownership, it has gone away. Clam makes automated virus signatures from Virus Total submissions, but as far as I know, all false positives have to be worked manually--that is why I suggested submission to Virus Total. Unfortunately, there are no full-time sigmakers devoted to Clam--they are reserved for the commercial side, so it might take a while to correct the false positives.

For the present, whitelist the false positive files as I suggested. You could also make a false positive signature yourself with Notepad and put it in the ClamWin DB folder. Put each FP signature on a separate line. Name the file sigfile.fp. A FP signature should have the following form:

MD5hash:filesize:SID#_filenamenoextn (Just use the filename--no extension is required).


Example:
8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel

For the submission ID (SID#), just give it the date--each signature with the same date should have its own sequence no.--like 091714xx (xx=01, 02, 03, etc.)

Regards,
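The whitelist format Bob describes above (MD5:size:SID_filename, one entry per line in a .fp file) is easy to get subtly wrong by hand, e.g. a stale hash after the stub is rebuilt, or a size typed from a rounded file-manager display. The script below is an added example, not code from ClamWin or ClamAV: it computes the MD5 and exact byte size of a file image, emits the line with the date-plus-sequence SID scheme from the post, and checks whether an existing entry would actually cover a given file. The stub file names and bytes in the demo are constructed placeholders, not the real NSIS stubs from the thread.

```python
"""Build and check ClamAV-style .fp (false-positive whitelist) lines.

Added example for the thread above; not ClamWin or ClamAV code.
Line format, as described in the post:
    MD5hash:filesize:SID#_filenamenoextn
"""
import hashlib
import re
from pathlib import Path

# 32 hex chars (MD5), a decimal byte count, then the signature name.
FP_LINE = re.compile(r"^([0-9a-f]{32}):(\d+):([A-Za-z0-9_.\-]+)$")


def fp_line_from_bytes(data: bytes, sid: str, filename: str) -> str:
    """Return one whitelist line for an in-memory file image.

    The post says to use the file name without its extension, so
    'zlib-ansi.exe' becomes '<sid>_zlib-ansi'.
    """
    stem = Path(filename).stem
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sid}_{stem}"


def fp_line_from_file(path, sid: str) -> str:
    """Same as above, but hash a real file on disk (size is the exact byte count)."""
    p = Path(path)
    return fp_line_from_bytes(p.read_bytes(), sid, p.name)


def parse_fp_line(line: str) -> dict:
    """Split a .fp line into its fields; raise ValueError on malformed input."""
    m = FP_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid .fp line: {line!r}")
    md5, size, signame = m.groups()
    return {"md5": md5, "size": int(size), "name": signame}


def entry_covers(line: str, data: bytes) -> bool:
    """Would this whitelist entry match this file image?

    Both the MD5 and the byte size must agree, so a rebuilt stub
    (different bytes) is no longer covered and needs a fresh entry.
    """
    entry = parse_fp_line(line)
    return entry["size"] == len(data) and hashlib.md5(data).hexdigest() == entry["md5"]


def build_sigfile(files, date: str = "091714") -> str:
    """Generate a whole sigfile.fp body using the post's SID scheme.

    SID = date (MMDDYY) + two-digit sequence number, e.g. 09171401, 09171402.
    `files` is an iterable of (filename, bytes) pairs.
    """
    lines = []
    for seq, (filename, data) in enumerate(files, start=1):
        sid = f"{date}{seq:02d}"
        lines.append(fp_line_from_bytes(data, sid, filename))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder stubs (not the real NSIS stubs from the thread).
    sample_stubs = [
        ("bzip2-ansi.exe", b"MZ\x90\x00placeholder-bzip2-ansi-stub"),
        ("zlib-ansi.exe", b"MZ\x90\x00placeholder-zlib-ansi-stub"),
    ]
    body = build_sigfile(sample_stubs)
    print(body, end="")  # paste into sigfile.fp in the ClamWin DB folder
    # Sanity check: every generated line must cover the file it was built from.
    for line, (_, data) in zip(body.splitlines(), sample_stubs):
        assert entry_covers(line, data)
```

The same three fields can also be produced by ClamAV's own `sigtool --md5 <file>`, which prints `MD5:size:filename`; the script above mainly adds the SID/date naming from the post and the coverage check, which is what you want before and after each stub rebuild.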
sompaypal


Joined: 17 Sep 2014
Posts: 0
Great,
Thank you, Bob

Very helpful :)