ClamWin Free Antivirus
Support and Discussion Forums
Scanning Large Zip File Produces False Positive
vreid47362


Joined: 05 Jul 2006
Posts: 0
I have a 1.07 GB home movie .zip file. The zip file comprises a single 5 GB .avi file. Every time ClamWin version 0.88.2.3 scans this file, it gives me a false positive for virus infection. I'm running MS Windows 2000 Professional SP4. I've tried adjusting the size of the archive scanning features in ClamWin, but that does not seem to have any effect on whether the file is reported as a virus or not.

I can turn off the scan archives option to get around this issue, but I'd prefer to be able to leave .zip file scanning on.
budtse


Joined: 14 Jan 2006
Posts: 0
Location: Belgium
Hi,

Have you tried scanning the non-archived 5 GB file? Would that still produce the false positive?
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
What is the virus found? zip.oversized or something? The ClamAV engine spots this on some large zips.
Answers to Questions
vreid47362


Joined: 05 Jul 2006
Posts: 0
Here are the answers to your questions. The name of the infection that ClamWin shows is suspect.zip. 0.88.2 shows that the file is infected in .zip format, but not in extracted format.

The new 0.88.3 shows some interesting behavior. When the .zip is scanned and the scan in archives configuration option is checked, the result is suspect.zip. When the .zip is scanned and the scan in archives configuration option is not checked, the result is no infection present. When the unzipped file is scanned, the result is no infection present. Below are the report results of my testing along with a brief notation about which condition was tested.

Thanks,

Vaughn


0.88.2 and 0.88.3 -- When I scan the extracted file, I get a no infection present notification. I'm pasting it below.

--------------------------------------
Scan started: Tue Jul 11 12:16:33 2006


-- summary --
Known viruses: 61224
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 0.00 MB
Time: 9.253 sec (0 m 9 s)
--------------------------------------
Completed
--------------------------------------


0.88.2 -- When I scan the .zip version of the same file, I get a suspect.zip infection notification. I'm also pasting it below.

--------------------------------------
Scan started: Tue Jul 11 11:49:00 2006

F:/matt-katie-hotel.zip: Suspect.Zip FOUND

-- summary --
Known viruses: 61224
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 6.650 sec (0 m 6 s)



0.88.3 -- Scanning the .zip file with the new 0.88.3 version finds the file to be uninfected when scan in archives is unchecked. Here are the results from that scan.
--------------------------------------
Scan started: Tue Jul 11 12:18:31 2006


-- summary --
Known viruses: 61224
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 1105.52 MB
Time: 1704.410 sec (28 m 24 s)
--------------------------------------
Completed
--------------------------------------

0.88.3 -- The new version appears to still find infection when scan in archives is selected. Here are those results.
--------------------------------------
Scan started: Tue Jul 11 12:47:32 2006


F:\matt-katie-hotel.zip: Suspect.Zip FOUND
-- summary --
Known viruses: 61224
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 1

Data scanned: 0.00 MB
Time: 6.709 sec (0 m 6 s)
--------------------------------------
Completed
--------------------------------------
ruby


Joined: 11 Jul 2006
Posts: 0
This happened to me with the files of Symantec AntiVirus Corp. Ed. version 10. In zipped form there was a complaint about Trojan.Aavirus. In uncompressed form no virus was detected. After I deleted the whole exclude list in Preferences, Filters, Exclude Matching Filenames, the VIRSCAN9.DAT file was detected as contaminated with Trojan.Aavirus. A false alarm. Apparently, on files in zipped form, the exclude list, which contains *.DAT, is not effective. Finally the whole exclude list was restored.