False Positive?
djmg92


Joined: 08 Dec 2014
Posts: 0
Hi Guys,

I updated java on my server. ClamWin now shows this is a virus. Can you confirm it's a false positive?


Scan Started Mon Dec 08 09:18:41 2014
-------------------------------------------------------------------------------


C:\Program Files (x86)\Java\jre7\bin\javacpl.exe: Win.Trojan.Tufik-112 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3703830
Engine version: 0.98.4.1
Scanned directories: 35
Scanned files: 626
Infected files: 1

Not copied: 1
Data scanned: 134.32 MB
Data read: 121.09 MB (ratio 1.11:1)
Time: 52.625 sec (0 m 52 s)

--------------------------------------
Completed
--------------------------------------

Thanks,
Dara
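The report Dara pasted follows the plain clamscan text format: one `path: Signature FOUND` line per hit, then a `SCAN SUMMARY` block of `Key: value` pairs. The parser below is an added example (not from the original post or from ClamWin) that pulls the detections and the summary out of such a report and checks that the summary's "Infected files" count matches the number of FOUND lines actually present, which is a quick way to tell a complete log from a truncated one. The sample text is constructed from the post's report, with one extra `OK` line added to show that clean entries are ignored.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample modelled on the ClamWin report in the post above; the
# extra "OK" line is added here to show that clean entries are ignored.
SAMPLE_REPORT = """\
Scan Started Mon Dec 08 09:18:41 2014
-------------------------------------------------------------------------------


C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe: Win.Trojan.Tufik-112 FOUND
C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe: OK
----------- SCAN SUMMARY -----------
Known viruses: 3703830
Engine version: 0.98.4.1
Scanned directories: 35
Scanned files: 626
Infected files: 1

Not copied: 1
Data scanned: 134.32 MB
Data read: 121.09 MB (ratio 1.11:1)
Time: 52.625 sec (0 m 52 s)

--------------------------------------
Completed
--------------------------------------
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND$")
STARTED_RE = re.compile(r"^Scan Started (?P<when>.+)$")
SUMMARY_HEADER = "SCAN SUMMARY"
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class Detection:
    path: str
    signature: str


@dataclass
class ScanReport:
    started: Optional[str] = None
    detections: List[Detection] = field(default_factory=list)
    summary: Dict[str, Union[int, str]] = field(default_factory=dict)

    def counts_agree(self) -> bool:
        """Sanity check: the summary's 'Infected files' should equal the
        number of FOUND lines actually parsed (a truncated log will not)."""
        return self.summary.get("Infected files") == len(self.detections)


def _coerce(value: str) -> Union[int, str]:
    """Plain integers become int; everything else (versions, sizes) stays text."""
    return int(value) if value.isdigit() else value


def parse_report(text: str) -> ScanReport:
    """Walk the report line by line: header, FOUND lines, then the summary."""
    report = ScanReport()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SUMMARY_HEADER in line:
            in_summary = True
            continue
        if in_summary:
            m = KV_RE.match(line)
            if m:
                report.summary[m.group("key")] = _coerce(m.group("value"))
            continue
        m = STARTED_RE.match(line)
        if m:
            report.started = m.group("when")
            continue
        m = FOUND_RE.match(line)
        if m:
            report.detections.append(Detection(m.group("path"), m.group("signature")))
    return report


def signatures_by_count(report: ScanReport) -> Dict[str, int]:
    """Tally detections per signature; one signature firing on many files
    from the same vendor is the pattern most worth re-checking as a false positive."""
    tally: Dict[str, int] = {}
    for d in report.detections:
        tally[d.signature] = tally.get(d.signature, 0) + 1
    return tally


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for d in rep.detections:
        print(f"{d.signature}\t{d.path}")
    print("summary counts agree:", rep.counts_agree())
```

Feeding a real ClamWin log to `parse_report` gives you the signature name and path in a form you can hand straight to a second-opinion scan or a false-positive submission instead of copying them out of the log by hand.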
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The ClamWin team cannot confirm either viruses or false positives. We use the scan engine and signatures provided by Clam AV. You can check files on the Virus Total (VT) online scanning service to see if they are infected or false positives. VT will scan a file with over 50 AV scanners--including Clam AV. If several other AVs besides Clam AV see an infection, it is probably infected. I like to see at least of these AVs verify an infection: Bitdefender, Avira AntiVir, Eset Nod 32, Kaspersky, or Sophos.

If a file is a false positive, you can upload it to Clam AV so they can correct their signature at https://www.clamav.net/contact.html on the web. There are different links for undetected malware and false positives. Choose the correct one.

Thank you for using ClamWin!

Regards,
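GuitarBob's rule of thumb above (a lone ClamAV hit is suspect; several other engines agreeing, including at least one of the vendors he names, means it is probably real) can be written down as a small triage function. This is an added example, not code from the post or from ClamWin, and it works on a plain engine-name to verdict mapping so it runs offline; the engine spellings and the threshold of three other hits for "several" are assumptions, and the verdict sets at the bottom are constructed, not real Virus Total output.

```python
from typing import Dict, List, Optional

# Engines GuitarBob names as the ones he wants to see agree. The spellings
# are an assumption about how a multi-engine report labels them; matching is
# done after normalisation so minor naming differences do not matter.
CORROBORATING_ENGINES = {"bitdefender", "avira", "esetnod32", "kaspersky", "sophos"}


def _norm(name: str) -> str:
    """Lower-case and drop punctuation/spaces: 'ESET-NOD32' -> 'esetnod32'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def triage(verdicts: Dict[str, Optional[str]],
           clam_engine: str = "ClamAV",
           min_other_hits: int = 3) -> Dict[str, object]:
    """Classify a ClamAV hit using the other engines' verdicts.

    verdicts maps engine name -> detection label, or None when clean.
    min_other_hits is an assumed threshold standing in for the post's 'several'.
    """
    clam_key = _norm(clam_engine)
    # Every engine other than ClamAV that reported something.
    other_hits: List[str] = sorted(
        e for e, label in verdicts.items() if label and _norm(e) != clam_key)
    # Subset of those hits coming from the vendors named in the post.
    corroborating = [e for e in other_hits if _norm(e) in CORROBORATING_ENGINES]
    if len(other_hits) >= min_other_hits and corroborating:
        verdict = "likely-malicious"
    elif other_hits:
        verdict = "inconclusive"  # a few hits, or none from the named vendors
    else:
        verdict = "likely-false-positive"  # nobody but ClamAV flagged it
    return {"verdict": verdict,
            "other_hits": other_hits,
            "corroborating": corroborating}


# Constructed verdict sets (the ClamAV label is the one from the post above;
# the other labels are made up for illustration).
ONLY_CLAM = {"ClamAV": "Win.Trojan.Tufik-112", "Kaspersky": None,
             "BitDefender": None, "ESET-NOD32": None, "Sophos": None, "Avira": None}
WIDELY_FLAGGED = {"ClamAV": "Win.Trojan.Tufik-112", "Kaspersky": "Trojan.Generic",
                  "BitDefender": "Gen:Trojan", "ESET-NOD32": "Win32/Agent",
                  "Sophos": None, "Avira": None}
TWO_HITS = {"ClamAV": "Win.Trojan.Tufik-112", "SomeHeuristicEngine": "Suspicious",
            "Kaspersky": None, "BitDefender": None}

if __name__ == "__main__":
    for name, sample in (("only ClamAV", ONLY_CLAM),
                         ("widely flagged", WIDELY_FLAGGED),
                         ("two hits", TWO_HITS)):
        print(name, "->", triage(sample)["verdict"])
```

The "inconclusive" bucket is deliberate: one extra hit from an engine nobody recognises is not the corroboration the post asks for, and neither is a pile of generic heuristic hits with none of the named vendors among them, so those cases go back to a human rather than being auto-closed either way.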
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Be sure to upload the virustotal report with the false positive submission to prove that it is a false positive. I notice they seem to take in more false positives that are uploaded with Virustotal than they do when they are not.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
RRK: do you suppose Clam is now doing automatic false positive corrections based on Virus Total? I think not, but if so, they have done away with users!

Regards,
Scendera


Joined: 16 May 2010
Posts: 0
I ran into problems with it detecting every single old Java installer I hadn't been farked to get out of my temp folder as malware a few weeks ago, fwiw.
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
@Guitarbob: No. I think they use it as proof so they make it a higher priority, when they get around to fixing false positives. I think the issue is, there is only one person who is working on false positives and Cisco does nothing about hiring more staff to work on it. Makes me wonder why they even wanted to buy out Sourcefire, to begin with, since they aren't even dedicated to open-source.

@Scendera: I know ClamSentinel has a habit of detecting almost every temp file as suspicious. I know some AVs mark older java programs as malware because of how unsecured they are/were. If that is not the case, you can upload the files to virustotal and ClamAV false positive support. Be sure to include the Virustotal report with the false positive sample.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The security firms buy out a smaller/weaker one when they run out of technology and the company they want to acquire has something the larger firm wants. In the case of Clam AV, I think Sourcefire wanted to get an antivirus firm for the infrastructure--the mirrors and the submission interface, although they are now old/dated. Cisco bought Sourcefire because they want(ed) to get into the government/agency market that Sourcefire has developed via the Snort intrusion detection software.

To avoid/prevent false positive detection with Clam Sentinel, stop it before downloading something, verify the downloaded file via Virus Total or another AV before running/installing it, and then if it is okay, install/run the program, and turn Clam Sentinel back on. The problem with Clam Sentinel false positives is usually due to sloppy programming by developers who use heavily-packed installation software that does not properly register itself with the Windows operating system--resulting in an installation (including DLLs) that looks like unprofessional, hurriedly prepared, obfuscated virus software that someone wants to put on your system without telling the system much about it.

Regards,