jimimaseye
I didn't. I just remember you guys somewhere saying someone owning something somewhere after buying them. (So it's Clam and Cisco.) I was close.

GuitarBob
The "volunteers" are all Cisco employees now--there are no more open source reps. Since Clam is not a money-making effort, it gets Cisco employee attention when they have the time for it.
Regards,

ROCKNROLLKID
As long as ClamAV, ClamWin, and Snort remain open-source, I will be happy. I wonder what they have in-stock for 1.0, or whatever major update comes next.
By the way, has anyone been able to figure out how to get Snort to run on Windows?

GuitarBob
Re: Snort on Win: I've given up using anything that requires the user to jump through hoops--Python, Ruby, or otherwise in order to install it. Lots of AVs now have some behavior blocking (to a greater or lesser degree), and that is sort of a substitute for IDS like Snort.
Regards,

jimimaseye
UPDATE: Another night, another scan....but POSITIVE change.
Of the initial 5 FPs (we know one was removed a couple of days ago, leaving 4), now overnight only 1 remains:

D:\INSTALLATIONS\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND

Note: this, and the others that have now been rectified, had NOT been uploaded and checked with VirusTotal by me (I hadn't got round to it), so the removal of it seems to be purely down to me reporting them via the Clam FP page. (Took them 9 nine. Still leaves me scratching my head why this last one was left behind though.)

False Alarm
SQ
Hello,
Your product kills itself, the IIS web server, and can kill Windows Server 2012 R2: https://www.virustotal.com/ru/file/f36e888de62f5ab6758cf9fb4f614dc4a45ee596d5d27358c581794d09435b27/analysis/1455268739/

Re: False Alarm
jimimaseye
Oh dear oh dear. Oh the irony! Sounds like the pattern for this definition is * (anything will match!). I just tested and confirm that the last definition update does this (yesterday's defs didn't). Hope they don't take two weeks to fix this FP! I'm turning off system drive scanning immediately. (Unbelievable!)

GuitarBob
Probably either a new sigmaker at Clam AV or a lack of testing of signatures before release. When I worked there, I tested sigs on my own Windows system before release--since Clam did not have many important Windows apps on its false positive "farm". They could at least do that to catch some FPs.
There is some PYD malware, but I didn't use to see very much. Maybe you could whitelist .pyd in certain folders.
Regards,

jimimaseye
If you look at his initial post you will see that it isn't just .PYD, many are DLLs. And whitelisting DLLs is brainless (given that many viruses live in them) and PYDs (given you have already said that there is some PYD malware). I agree with you about the 'no testing' comment though. To be honest, I came to that conclusion about the sig makers a LONG time ago.

ROCKNROLLKID
Database number 21360 had a large number of false positive fixes. Do the false positives still exist after that update?

AnalogGuy
Hello,
I have been using ClamWin for many years, and have gotten used to going to VirusTotal to detect occasional false positives. Today, I was hit with such a long list of warnings that I couldn't believe it! If you don't mind, I will post the log file here. Sorry, the copy and paste did not go well, and I couldn't re-paste it! As you see, Trojan.Bancos-2115 is endlessly mentioned. Sorry about the mess. If this problem can't be fixed by the daily database update, I doubt if I will continue using ClamWin. I'm not angry, I'm just trying to communicate my feelings on this. Thanks. Bob P.

Scan Started Fri Feb 12 07:26:44 2016
-------------------------------------------------------------------------------
*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***
*** Scanned 28 processes - 356 modules ***
*** Computer Memory Scan Completed ***
C:\HP\KBD\msg.dll: Win.Trojan.Bancos-2115 FOUND
C:\HP\KBD\onl.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\TOAST.net\Accelerator\cx_core.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\TOAST.net\Accelerator\components\NOWImaging.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\bin\python23.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\_sre.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\_ssl.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\pythoncom23.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\shell.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\wxc.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\wxmsw24h.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\_bsddb.pyd: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\HP\Digital Imaging\bin\hpqcxm08.dll: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\system32\MFC71.DLL: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\system32\ATL71.DLL: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\system32\MSVCP71.dll: Win.Trojan.Bancos-2115 FOUND
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\diasymreader.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\gizmosc.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\htmlc.pyd: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\bin\libclamav.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\bin\libclamav_llvm.dll: Win.Trojan.Bancos-2115 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4256761
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 384
Infected files: 23
Data scanned: 134.68 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 97.094 sec (1 m 37 s)

The following files are Digitally Signed by Microsoft Corporation and may have been incorrectly detected as viruses:
C:\WINDOWS\system32\ntdll.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\winsrv.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\KERNEL32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\USER32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\RPCRT4.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\msvcrt.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\CRYPT32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\WINSTA.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\SHELL32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\SHLWAPI.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\ole32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\OLEAUT32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\CLBCATQ.DLL: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\mstlsapi.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\ACTIVEDS.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\ATL.DLL: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\WININET.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\qmgr.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\netshell.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\eappcfg.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\certcli.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
c:\windows\system32\wscsvc.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\Wbem\wbemcore.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\Wbem\esscli.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\Wbem\FastProx.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\comsvcs.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\wbem\wmiprvsd.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\upnp.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\netcfgx.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\wbem\wbemsvc.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\actxprxy.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\BROWSEUI.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\SHDOCVW.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\urlmon.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\webcheck.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\DSOUND.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\NETUI1.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\Program Files\Common Files\System\OLE DB\oledb32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\System32\msjet40.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\MSVCR100_CLR0400.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\dbghelp.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\RICHED20.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
Please do not be alarmed and help us by submitting the files identified above as FALSE POSITIVE at ............

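As an added example (this is not code from ClamWin, ClamAV or any poster in this thread), here is a small Python triage script for a report like the one above. It parses the FOUND lines, flags a signature that behaves like a broken pattern (one name across many unrelated files, or hits on files ClamWin already recognised as Microsoft-signed), and emits the two kinds of local whitelist entry that GuitarBob's and jimimaseye's exchange about whitelisting touches on. It assumes clamscan's report line format, ClamAV's documented local-database formats (.fp lines of "MD5:size:name", the same thing `sigtool --md5` prints, and .ign2 lines naming signatures to ignore), and a constructed sample log; the threshold, file bytes and entry names are hypothetical.

```python
"""Triage a ClamWin / clamscan report for mass false positives and build
local ClamAV whitelist entries for files you have verified as clean.

Added example, not ClamWin's or ClamAV's own code. Assumes the stock
clamscan report format ("<path>: <signature> FOUND", plus ClamWin's
"<path>: [<signature>] FALSE POSITIVE FOUND" for Microsoft-signed files)
and the documented local-database formats: a .fp file of "MD5:size:name"
lines that whitelists single files by hash, and an .ign2 file listing
signature names to ignore outright. Sample log, threshold and file bytes
below are constructed for the demo.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample report: a mass FP, a single stale FP and a real hit.
SAMPLE_LOG = r"""
*** Scanning Programs in Computer Memory ***
C:\WINDOWS\system32\ntdll.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\KERNEL32.dll: [Win.Trojan.Bancos-2115] FALSE POSITIVE FOUND
C:\WINDOWS\system32\MFC71.DLL: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\bin\libclamav.dll: Win.Trojan.Bancos-2115 FOUND
C:\Program Files\ClamWin\lib\_ssl.pyd: Win.Trojan.Bancos-2115 FOUND
D:\INSTALLATIONS\McAfee\MCPR.exe: Win.Trojan.Ramnit-8178 FOUND
C:\Users\demo\Downloads\eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 7
"""

# Matches both "path: Sig FOUND" and "path: [Sig] FALSE POSITIVE FOUND".
FOUND_RE = re.compile(
    r"^(?P<path>.+?): \[?(?P<sig>[^\s\]]+)\]?(?P<signed> FALSE POSITIVE)? FOUND$"
)


def parse_report(text):
    """One record per detection line: path, signature, and whether ClamWin
    already marked the file as a Microsoft-signed false positive."""
    records = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            records.append({
                "path": m.group("path"),
                "sig": m.group("sig"),
                "signed": m.group("signed") is not None,
            })
    return records


def suspect_signatures(records, min_files=3):
    """Flag signatures that look like a broken pattern: one name across many
    files, or any hit on a file ClamWin already recognised as signed. A real
    trojan family does not normally light up the OS's core DLLs and the
    scanner's own libraries at the same time."""
    by_sig = defaultdict(list)
    for r in records:
        by_sig[r["sig"]].append(r)
    suspects = {}
    for sig, hits in by_sig.items():
        signed = sum(1 for h in hits if h["signed"])
        if len(hits) >= min_files or signed:
            suspects[sig] = {"files": len(hits), "signed": signed}
    return suspects


def fp_entry(data, name):
    """One .fp line (MD5:size:name) whitelisting exactly this file content.
    Hash-based, so it stops matching the moment the file changes; that is
    why it is safer than ignoring a whole extension or folder."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ign2_entries(suspects):
    """One .ign2 line per signature to ignore. This silences the signature
    everywhere, so use it only while a confirmed mass FP awaits a fix."""
    return sorted(suspects)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LOG)
    sus = suspect_signatures(recs)
    print("suspect signatures:", sus)
    print("local.ign2:")
    for line in ign2_entries(sus):
        print(" ", line)
    # Whitelisting one verified-clean file by hash; bytes constructed for the demo.
    print("local.fp:")
    print(" ", fp_entry(b"MZ demo bytes", "Local.Clean.MCPR"))
```

Drop the resulting local.fp / local.ign2 into the database directory the scanner loads. The .ign2 entry is a global mute for that signature, so remove it once the daily update fixes the pattern; the .fp entry is tied to one file's hash, which is the point jimimaseye makes against whitelisting every .dll or .pyd.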
ROCKNROLLKID
Well I just did a memory scan on my system and I have no Win.Trojan.Bancos-2115 FP. Can you confirm your ClamWin is up-to-date (I assume it is but you never know)?
AnalogGuy
I have just done another virus database update at about 7 pm Friday Feb 12 (Eastern time).
Now, there are no problems. (I did the previous update earlier in the day, Friday Feb. 12, 2016.) This is a "Programs in memory" scan, which is what I most often do. But around once a week, I do a full scan. That one with all the errors was also a memory scan. I am using Windows XP SP3 Home on this machine, and I am on dial-up. From my many years on dial-up I find that I just about never get a virus or malware, but I still check the memory every single time I go offline.

----------- SCAN SUMMARY -----------
Known viruses: 4257432
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 382
Infected files: 0
Data scanned: 134.58 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 89.844 sec (1 m 29 s)

ROCKNROLLKID
Database number 21360 had a lot of FP fixes, so I assume it was fixed then, and that was released this morning.

Sudden malware or false positives?

Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.