Feel free to share your results. Remember, that Trojan.agent is just a name and could mean different things with each AV. Also, I think ClamAV's PUP/PUA is a little overzealous compared to other AV's, too.

A look at the submission date on Virus Total will help ID a false positive. If it was a week ago, then more than 1 AV should detect it. If it was several weeks ago, then several AVs should detect it.

When I was working malware signatures for Clam AV, I liked to see at least 2 of these AVs detect something: Avira, Bitdefender, Nod32, Kaspersky, and Sophos. All of them use their own scan engine, have a number of commercial users, and have a world-wide staff of malware analysts.

Regards,

Another week, another list of false positives, the usual suspects declared dodgy but as its another week all yet again with different Virus names. All of these are within 'installation' sets of genuine programs. So I tried the suggestion above.

\hMailserver\hMailServer-5.4.2-B1964.exe: Win.Adware.Eorezo-528 FOUND
\hMailserver\hMailServer-5.6.4-B2283.exe: Win.Adware.Eorezo-528 FOUND
\HP CM1410 Printer Driver\CM1410Series_FN_Full_Solution\Setup\Core\Marketsplash\Marketsplash-setup.msi: Win.Trojan.Agent-971646 FOUND
\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND (this is a standalone McAfee Virus removal program)
\SpamAssassin\SpamAssassinForWindows-Setup34030.exe: Win.Trojan.Application-1470 FOUND

And so, as discussed, I set about checking them with Virustotal first to lookup up the TYPE of virus clam thinks these are (PUP's, PUA's or other). Waste of time. Virustotal reports 0/55...including Clam! (And yes, that was after a 'reanalyse').

example:
https://www.virustotal.com/en/file/527a9fb97be72980cd148f76dc1d6d31f811d75e36643b1be73e5a5a7052f678/analysis/1454235999/ ( - this is MarketSplash.msi)
https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454237428/ (- this is SpamassassinForWindows)
(all five had the same results)

So I ran a Virus Update on my system to ensure the latest definitions are in (despite them being only 8 hours since the last download) and then scanned the files again. And still my Clam detects them.

The problem being here that whatever Virustotal uses to identify the results of a Clam detection (contrary to all other AV solutions), it doesnt reflect the up-to-date situation with the current definition releases. And consequently I cant get Virustotal to 'see' that Clam has got it wrong (nor look at what type it thinks it is), and therefore the theoretical practice of using Virustotal to get to the Clam definition writers to remove the FP is dead in the water.

So, what next? Well I have uploaded them using https://www.clamav.net/reports/fp to see if they get reverted.

This drive is scanned every night so we will see how responsive they are are removing FP's using this method alone.

Re: PUAs/PUPs: I don't know how Clam handles them now, but in the past you had to configure ClamWin to detect them via the command line, so unless you have done that, you are probably not detecting them with ClamWin. Many AVs still handle it like this--you have to configure the AV to detect PUA.

Some PUP/PUP will have a valid digital signature, and some AVs do not detect them because of this.

Best advice I can give is to look at the submission date on Virus Total--let that be your guide. The older something is, the more AVs should detect it. However...much of the malware is short-run and will perhaps not be detected by many AVs. Look at the AVs detecting in that case--you want to see something detected by a quality AV with global reach.

Regards,

In fact I would be surprised that PUA's are being detected too. In fact I just checked my Clamd log, and at startup it says:


Further more, I have no idea how to tell CLAMWIN to detect PUA's (as you suggest it should, Guitarbob) so its definitely not doing it on my say so. So neither my Clamwin or CLamd service should be doing so.

So this sort of flies against what RNRK said earlier:


If Clamd isnt loading PUA signatures (as per the log), and Clamwin has not been told to do PUA detections, and Clamwin was detecting (a false positive) with a virus signature that the VT analysis says Clam is saying (that particular detection earlier) is a PUA, there is a definite inconsistency somewhere and something is not making sense or being true.

Alch should have made a GUI option to opt-out of PUP/PUA signatures when ClamAV added them to their database. It seems he did not. I ill suggest this to Alch on the next beta testing (it's the only time we can actually talk to him in person).

Last Word I had on Clam AV PUAs was that they were not making them a default detection. There were just too many false positives on packers and installers--which can be used by both malware and goodware.

Here is the command line entry to put in the Advanced ClamWin tab to enable PUA detection: --detect-pua
That's 2 dashes followed by detect-pua.

I just can't see why anyone would want to detect Clam AV PUA, considering the poor PUA signatures they used to have. Maiybe tkheiy are better now. Anyway, let me know how this goes. PUAs are still around, so I think it will still work.

Regards,

That concurs with the general opinion above, where it is thought that no PUA detections are enabled. And seemingly for good reason. (Clam definitions dont need any more reasons to increase its potential of raising false positives. )

Ok, 2 days on and I checked Virustotal to see what it now thinks of one of the above files. I chose the SpamassassinForWindows installation. https://www.virustotal.com/en/file/2204752c635e00b50a0e557597a67852e8e8f4388aa43884c68a98ae76f4fb29/analysis/1454433757/

NOW Virustotal is saying that CLAMAV detects it as a Win.Trojan.Application-1470 (with defs dated 02-feb-2016/today) just as Clam detects over night. Note: VT does NOT say it is any kind of PUA.

I made a point of not sending the other file. Marketsplash.msi, for re-analysis so that we can now see if reporting to Virustotal really does make the difference. (If it does I expect this spamassassin program to be immunised and marketsplash to still be falsely detected; The idea being that if I dont reanalyse it, and therefore VT still has it on file as being clean, then it wont be fed back to Clam for rectifying). Or if it doesnt make a difference, and both files get their false positives rectified together, then it shows that simply reporting it via the ClamAV website is the only method they respond to....or not (as the case may be).

(Another night, another scan, and another additional False Positive: OpenOfficePortable\OpenOfficePortable.exe: Win.Trojan.Ramnit-8177 FOUND. And it seems that I am not the only one, someone else already told VT about it: https://www.virustotal.com/en/file/26ec327fbb3de17b4a0c2c0c5b768ffef2b861218f6e2bdb6c3499886bdd9787/analysis/)

That one was detected as a PUA, according to the detailed report. I would suggest for all future false positives to do one of the following:

1. Send the file along with the virustotal report to the ClamAV false positive team here: https://www.clamav.net/contact

2. Create a false positive file yourself by using Bob's whitelist instructions. Alternatively, and this might get a response from the ClamAV team much faster, you may send the false positive file to the ClamAV support team via the link above.

Detected as a PUA it might be, but its was still wrong to do so (it isnt a PUA by anu of the descriptions given by Clam thensleves: https://www.clamav.net/documents/potentially-unwanted-applications-pua - it is purely EXE zip file of openoffice standalone/portable). It has already been reported to Clam as afalse posiutive and I expect it to be 'removed' as such in due course. The only question is when.

For the record, Im not reporting these here to vent off or rant about how shit Clam is for their false positives or lack of detection of real threats (Ive done that in other threads and earlier here, and have no doubts that these false positives are going to continue to happen. Of course I am already aware of how to immunise my files from FP's but that wouldnt allow correct analysis of the worthiness of this AV software so I choose not to.....for now). The point of me reporting these latest reports is to show a timeline on the actions and reactions of Clam in response to these so that we can see what is to be expected and maybe determine the best course of action (if there is a 'best' one). The idea is that it gives other readers some solidarity and perhaps something to consider when they read the reports. (I wont be doing every FP I encounter... because otherwise this forum would get full or I would get banned. )

I just wanted to say I am finding similar results in a few of my downloaded exe's.

c:\Users\Downloads\openvpn-install-2.3.8-I601-x86_64.exe: Win.Trojan.Ramnit-8178 FOUND
c:\Users\Downloads\winscp576setup.exe: Win.Trojan.Application-1470 FOUND
c:\Program Files\Common Files\LogiShrd\Unifying\UnifyingUnInstaller.exe: Win.Trojan.Agent-971646 FOUND
c:\Program Files\TAP-Windows\Uninstall.exe: Win.Trojan.Ramnit-8178 FOUND


I am not convinced they are false positives as they all target critical spying vectors.

Peace,
Neo

2 of those files were marked with the same infected name. The static signatures can't repeat the same name, otherwise it would cause a database issue. I am guessing that this is coming from some type of generic or bytecode signature.

I do not know all those files, but I do know that OpenVPN is a legit VPN client. It is open-source, too. I would suggest you send those files to virustotal to see if they are legit or not.

UPDATE: 8 days later and they are all still being detected every night. I have re-uploaded them to ClamAV falsepositive report page.

Monitoring will continue...

(They really are sh1te, arent they. And there isnt even a place to vent my disapointment with them as they dont seem to offer an easily available forum).