can't find a false positive file
lepa71


Joined: 29 Sep 2016
Posts: 0
Hi All

I usually submit false positive files to Clamav, but I got this
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\44520521247e7db9b7b7fd446ae73902\System.Design.ni.dll: Win.Trojan.Agent-1702043 FOUND

The file doesn't even exist.

Should I exclude the whole windows\assembly folder?

The other thing: there have been lots of false positives lately, and submissions don't seem to get resolved. I usually check files with VirusTotal, and almost always only ClamAV reports a virus while the other 20 anti-viruses do not.

Thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You shouldn't exclude/whitelist an entire folder in ClamWin--that would greatly lessen security.

Look in the ClamWin quarantine folder--the file has probably been quarantined there with an "infected" placed on the end. I would just whitelist filename.extension.

Let us know if this is still a problem for you.

Since ClamWin uses the Clam AV scan engine/signatures, we can't do much about false positives. Virus Total will send a copy of false positives to the scan engine that falsely detects. You may/may not speed up a signature correction if you also send the false positive file to Clam AV--it's worth a try.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Lately, I have been noticing lots of signatures being dropped in the ClamAV database. One update had over 800 signatures dropped! I don't know why so many are being dropped at one time, and I can't imagine they are all false positives. Maybe they are moving most of them to generic signatures to help keep the database shrunk down? I suppose if a signature is 10 years old, there is not much point in keeping it anymore either.

Anyways, the only thing we can recommend is to just keep submitting it until they fix it. There isn't really anything we can do about it here as we don't have any contact with ClamAV.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you are a bit of a nerd with MD5 hashing software, you can use Notepad to prepare your own false positive signature for a file that will be excluded from future scans. Here is the format:

MD5hash:filesize:ID#_filenamenoextension

Example:
8fb6c6e66968ccad84ade2df9fea3a9a:18330984:7728603_excel

For the ID#, just use the date--like 093016. For filesize use total bytes of the file. Don't forget the underscore between ID # and filename. Be sure to include the 2 colons as shown. Do not use an extension--just the filename. Name the Notepad file something.fp--like whitelist.fp and save it in the ClamWin db folder. Put each false positive signature on a separate line.

This is the same thing that Clam AV would do if they did not want to delete their original signature because it does detect some malware.

Regards,
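As an added example (not code from ClamWin, ClamAV, or any poster in this thread), a small Python helper that builds a .fp whitelist line in the format described above from a file's bytes, and checks whether a file matches an existing line; the ID tag, file path and sample bytes are constructed for the demo.

```python
"""Build and validate ClamAV-style .fp (false-positive) whitelist lines.

Format as given in the post above: MD5hash:filesize:ID#_filenamenoextension
Constructed example; not ClamWin's or ClamAV's own code.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# One .fp line: 32 lowercase hex chars, a decimal byte count, a name without colons.
_FP_LINE = re.compile(r"^([0-9a-f]{32}):(\d+):([^:\s]+)$")


def fp_line_for_bytes(data: bytes, path: str, id_tag: str) -> str:
    """Return the .fp line for file content `data` that lives at `path`.

    `id_tag` is the arbitrary ID# (the post suggests a date such as 093016).
    The name is the file name without its extension, joined by an underscore.
    """
    digest = hashlib.md5(data).hexdigest()          # ClamAV hash DBs use MD5
    stem = PureWindowsPath(path).stem.replace(" ", "_")  # drop extension, no spaces
    return f"{digest}:{len(data)}:{id_tag}_{stem}"


def parse_fp_line(line: str) -> tuple[str, int, str]:
    """Split a .fp line into (md5, size, name); raise ValueError if malformed."""
    m = _FP_LINE.match(line.strip())
    if not m:
        raise ValueError(f"malformed .fp line: {line!r}")
    md5, size, name = m.groups()
    return md5, int(size), name


def matches_fp(data: bytes, line: str) -> bool:
    """True if `data` has both the size and the MD5 recorded in `line`."""
    md5, size, _ = parse_fp_line(line)
    return len(data) == size and hashlib.md5(data).hexdigest() == md5


if __name__ == "__main__":
    # Constructed sample: a fake DLL body at the path from the first post.
    sample = b"abc"  # hypothetical file content
    path = r"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\x\System.Design.ni.dll"
    line = fp_line_for_bytes(sample, path, "093016")
    print(line)                       # save lines like this as <ClamWin db>\whitelist.fp
    print(matches_fp(sample, line))   # True
```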
lepa71


Joined: 29 Sep 2016
Posts: 0
GuitarBob wrote:
You shouldn't exclude/whitelist an entire folder in ClamWin--that would greatly lessen security.

Look in the ClamWin quarantine folder--the file has probably been quarantined there with an "infected" placed on the end. I would just whitelist filename.extension.

Let us know if this is still a problem for you.

Since ClamWin uses the Clam AV scan engine/signatures, we can't do much about false positives. Virus Total will send a copy of false positives to the scan engine that falsely detects. You may/may not speed up a signature correction if you also send the false positive file to Clam AV--it's worth a try.

Regards,


My ClamWin is only set up to report, so the file is not there for sure. The Windows/assembly folder is a cache folder. When I use Windows Explorer it does not show that file at all.

Any other ideas?
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
If you are talking about the directory C:/Windows/Assembly, then this is not a cache folder. This is the folder responsible for managing .NET assemblies.

As to why you are getting a detection for a file that doesn't exist, do you have hidden files/folders enabled on your system? If so, try disabling it and see if it shows up. To do this, go to Control Panel, Folder/Explorer Options, then under the View tab uncheck the following: Hide empty drives, Hide extensions for known file types, Hide folder merge conflicts (Windows 10), and Hide protected operating system files. Then make sure "Show hidden files, folders and drives" is checked.

Also make sure your database is up to date with the latest signatures. As I said before, they have been fixing lots of false positives lately, so give it some time and I am sure this will get fixed eventually.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I would set the ClamWin infected file option to Quarantine to capture the file. Then you could scan the captured file on VirusTotal and whitelist it if it is a false positive detection. You can use the Qrecover program in the ClamWin\bin folder to restore the file after whitelisting it.

Regards,
PDXsailor


Joined: 03 Oct 2016
Posts: 0
Location: Portland, OR, USA
I've been getting the same warning. I think it is probably a real trojan.

After running Clamwin and putting the infected file in quarantine, I came back later and ran it again and found a new file, only 1K, had been created in its place and was duly moved to the quarantine folder. If I go to the Programs and features control panel and select the .NET framework I can repair the .NET install, which will replace the file that was removed by Clamwin. Running Clamwin immediately afterwards shows no threats with the new file. Wait a little while and run again and the file is found to be infected. So something is apparently modifying this file. Unfortunately there is no indication of the source of the modifications (no other threats found).

Any ideas where to go next?
lepa71


Joined: 29 Sep 2016
Posts: 0
No, it's not a virus. I forgot to post it: you can map that folder with the following command: SUBST x: C:\Windows\assembly. You will get a mapped drive on which you can see the actual DLL file. I submitted it to virustotal.com and reanalyzed it. The only antivirus that reports the file to be a virus is ClamAV.

I saw that Bob was showing how to create your own signature, so I may try to do it. If there is a detailed guide, that would be nice.

Thanks
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Here is a link to a blog about creating your own signatures with Clam AV: https://blog.adamsweet.org/?p=250. Check the Clam AV web pages for other info; actually, this link was on a Clam AV web page. The HDB signature is probably the best signature for an average user.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Be sure to submit that file to ClamAV so they can apply it to their database so that others can benefit from it, too.
lepa71


Joined: 29 Sep 2016
Posts: 0
ROCKNROLLKID wrote:
Be sure to submit that file to ClamAV so they can apply it to their database so that others can benefit from it, too.


Already did.