Never gotten a virus in this folder, Afraid to delete etc

darthkringle
Joined: 28 Feb 2010
Posts: 0
Posted: Sun Oct 08, 2017 2:43 pm

C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
Is this a false positive? Thanks everyone

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Oct 08, 2017 2:57 pm

It very well could be a false positive. The Clam AV scan engine/signatures we use are designed primarily for Linux email servers, where false positives on Windows files are not even considered. I have only seen 1 virus in the WinSxS folder in the 5 years I was at Clam AV. What does your other antivirus program say about this file? You should be using a real-time virus along with ClamWin, using ClamWin for a backup scanner.
Best way to tell is to upload the file to Virus Total at https://www.virustotal.com/#/home/upload on the web and see what about 60 other AVs say about it. I like to see at least 2 of these AVs detect something before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos.
Thanks for using ClamWin!
Regards,

darthkringle
Joined: 28 Feb 2010
Posts: 0
Posted: Sun Oct 08, 2017 3:09 pm

Wow thanks so much. Here is what the upload said for the other sites: basically only clamwin calls it a virus.

darthkringle
Joined: 28 Feb 2010
Posts: 0
Posted: Sun Oct 08, 2017 3:09 pm

so if clamwin is the only one finding it, do I just ignore?

aggravated
Joined: 08 Oct 2017
Posts: 0
Posted: Sun Oct 08, 2017 6:44 pm

I am quite sure they are false positives. I just had the same two files detected by Immunet, which uses Clam. You can't readily even upload these files to VirusTotal, since Windows does its best to deny access to them. There are ways around that, but I can't be bothered. I'm certain enough that they are FPs to take my chances.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Oct 09, 2017 12:49 am

If you have a false positive, you shouldn't ignore it. Since you scanned it on Virus Total and Clam AV was the only AV to detect it, Virus Total will tell Clam AV about it so they can correct their signature. Clam AV will eventually correct it (usually), but it will still be falsely detected on your computer. Here's what to do:
If the program was falsely quarantined by ClamWin, you need to restore it with the QRestore program in the ClamWin\bin directory. After restoring it, you need to exclude it from future scans by using Preferences, Filters, Exclude Matching filenames. Check the ClamWin Help file for information about restoring a file. Get back to us here if you need additional help restoring. You can occasionally check the file with Virus Total again to see when/if Clam AV has corrected their signature and delete the excluded file from ClamWin's Exclude Matching Filenames when it does.
Regards,

aggravated
Joined: 08 Oct 2017
Posts: 0
Posted: Mon Oct 09, 2017 1:13 am

I'm using Immunet, which uses (in part) ClamAV. I've submitted both files to Immunet and uploaded them each to VirusTotal as well:
https://www.virustotal.com/en/file/ffeec8af2fcb27b713837c744057a6e0304529b4ea80427df2bd2414b6bd6309/analysis/1507511907/
https://www.virustotal.com/en/file/de42506fa988cbfd7e8184b875eb54160cd8043f72af94d59c1857493812154b/analysis/1507511913/
As a workaround, I excluded the entire "C:\Windows\WinSxS\Temp" and "C:\Windows\WinSxS\FileMaps" folders from Immunet. Overkill, yes, but I'm not a fan of FPs.

darthkringle
Joined: 28 Feb 2010
Posts: 0
Posted: Mon Oct 09, 2017 1:37 am

Yep I uploaded and submitted directly to ClamWin for their False Positives.

antec20
Joined: 20 Oct 2017
Posts: 0
Posted: Fri Oct 20, 2017 6:09 am

darthkringle wrote:
    C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
    C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
    Is this a false positive? Thanks everyone
I too have Windows 10; I have Win 10 Pro 64-bit.
These two files I'm able to upload to virustotal.com, and the only product finding this is the ClamAV engine.
I run ESET Smart Security (paid program)
and Malwarebytes Premium (paid program).
Since I can't email ClamWin support directly, I have to rely on these forums.
I was trying to email ClamWin support directly to let them know it could be a false positive and to please correct it.

antec20
Joined: 20 Oct 2017
Posts: 0
Posted: Fri Oct 20, 2017 6:38 am

antec20 wrote:
    darthkringle wrote:
        C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
        C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
        Is this a false positive? Thanks everyone
    i too have windows 10.. i have win 10 pro 64-bit.
antec20 added some more info:
Forgot to mention this is using the retail Microsoft Media Creation Tool to burn the .iso to a DVD-R disc,
and also the retail Win 10 Pro 64-bit USB flash drive.
This is using both the Media Creation Tool multiple times to create new DVD-R discs and reformat/reinstall Win 10 Pro 64-bit retail,
and just using the retail USB flash drive Win 10 Pro 64-bit multiple times.
I'd hate to think that the Microsoft Media Creation Tool and the retail USB flash drive Win 10 Pro 64-bit carried a trojan of some kind.
Anyways, I hope this gets cleared up soon.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Oct 20, 2017 4:41 pm

If Clam AV is the only scanner on Virus Total (or any other online scanner), it is about a 99.9% certainty that it is a false positive. Virus Total will inform Clam of the false positive, but it might speed things up at Clam AV if you report it also and reference the Virus Total scan.
I like to see at least 2 of these AVs detect malware in a file before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos. They are all good AVs with a large user base, and they use their own scan engine (not an engine licensed from some other AV company). Keep in mind, however, that new malware might not be detected for a few days.
Regards,

aggravated
Joined: 08 Oct 2017
Posts: 0
Posted: Mon Oct 23, 2017 6:26 pm

I just checked both files anew on VirusTotal, and both are still being incorrectly detected as Win.Trojan.Emotet-6340301-0. But I guess it has only been two weeks.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Oct 23, 2017 6:50 pm

Since ClamWin uses the Clam AV scan engine and virus signatures, you should send them all false positives at https://www.clamav.net/contact on the web. From this page you can upload a virus file that is undetected or a file that is falsely detected--click the correct option. It may take Clam AV a while to correct a false positive. Cisco now owns Clam AV, and since Clam AV is a free product, no one works on it full-time for signature preparation or signature correction.
Until Clam AV corrects a false positive, you can whitelist/exclude a file from detection by ClamWin via menu Preferences, Filters, Exclude Matching Filenames. Click the box, write in the filename and extension (like notepad.exe) or the entire directory listing (like C:\Windows\System32\notepad.exe), and click okay.
Regards,
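Added here as an example, not ClamWin's, ClamAV's or any poster's code: a small Python triage helper that parses ClamWin/clamscan "FOUND" lines like the two at the top of the thread, honours an exclusion list of the kind 'aggravated' set up (full path, bare filename, or whole folder), applies GuitarBob's rule of believing a detection only when at least two of the engines he names also flag the file while treating a ClamAV-only hit as a probable false positive, and hashes a file for the by-SHA-256 VirusTotal lookups linked earlier in the thread. The engine labels, the exclusion-matching semantics, the extra `C:\Users\example\Downloads\sample.bin` hit and the per-engine verdict dictionaries are all constructed for the example; ClamWin's real "Exclude Matching Filenames" rules and VirusTotal's engine names may differ.

```python
# Added example, not ClamWin's or ClamAV's own code: triage of "FOUND" lines from a
# ClamWin/clamscan report. Exclusion semantics, engine names and the "two trusted
# engines" threshold are assumptions taken from the discussion above.
from __future__ import annotations

import hashlib
import re
from pathlib import PureWindowsPath

# clamscan and ClamWin report one detection per line as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Engines whose agreement the thread treats as strong evidence (labels are constructed).
TRUSTED_ENGINES = frozenset({"Avira", "Bitdefender", "ESET-NOD32", "Kaspersky", "Sophos"})


def parse_scan_report(text: str) -> list[tuple[str, str]]:
    """Return (path, signature) pairs; lines that are not detections are skipped."""
    found = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("sig")))
    return found


def is_excluded(path: str, exclusions: list[str]) -> bool:
    """Assumed ClamWin-style matching: an entry matches the full path, the bare file
    name, or a directory prefix, case-insensitively as on Windows."""
    p = PureWindowsPath(path)
    full, name = str(p).lower(), p.name.lower()
    for entry in exclusions:
        e = entry.lower().rstrip("\\")
        if e in (full, name) or full.startswith(e + "\\"):
            return True
    return False


def consensus_verdict(engines: dict[str, str | None], threshold: int = 2) -> str:
    """The rule from the thread: believe a detection once `threshold` trusted engines
    flag the file; a ClamAV-only hit is a probable false positive; else take a look."""
    flagged = {eng for eng, label in engines.items() if label}
    if len(flagged & TRUSTED_ENGINES) >= threshold:
        return "likely-malicious"
    if flagged and flagged <= {"ClamAV"}:
        return "likely-false-positive"
    return "needs-review"


def sha256_file(path: str) -> str:
    """Hash a file for a by-hash lookup (the VirusTotal links above are SHA-256)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(report: str, exclusions: list[str],
           engine_results: dict[str, dict[str, str | None]]) -> dict[str, str]:
    """Map each flagged path to excluded / likely-false-positive / likely-malicious /
    needs-review / no-engine-data (no multi-engine result available for it yet)."""
    status = {}
    for path, _sig in parse_scan_report(report):
        if is_excluded(path, exclusions):
            status[path] = "excluded"
        elif path in engine_results:
            status[path] = consensus_verdict(engine_results[path])
        else:
            status[path] = "no-engine-data"
    return status


# Constructed sample: the two lines from the thread, one extra constructed hit, and
# the summary line clamscan prints after the detections.
SAMPLE_REPORT = r"""
C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
C:\Users\example\Downloads\sample.bin: Win.Trojan.Emotet-6340301-0 FOUND
Infected files: 3
"""

# Folder exclusion, as 'aggravated' configured in Immunet.
SAMPLE_EXCLUSIONS = [r"C:\Windows\WinSxS\FileMaps"]

# Constructed per-engine results keyed by path (None = that engine reported clean).
SAMPLE_ENGINE_RESULTS = {
    r"C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms": {
        "ClamAV": "Win.Trojan.Emotet-6340301-0", "Avira": None, "Bitdefender": None,
        "ESET-NOD32": None, "Kaspersky": None, "Sophos": None,
    },
    r"C:\Users\example\Downloads\sample.bin": {
        "ClamAV": "Win.Trojan.Emotet-6340301-0", "Avira": "TR/Constructed.Sample",
        "Bitdefender": None, "ESET-NOD32": None, "Kaspersky": "Trojan.Constructed", "Sophos": None,
    },
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT, SAMPLE_EXCLUSIONS, SAMPLE_ENGINE_RESULTS).items():
        print(f"{verdict:22s} {path}")
```

Running the file prints one verdict per flagged path: with the folder exclusion in place the two WinSxS hits come back as "excluded", and the constructed download, flagged by two of the trusted engines, as "likely-malicious". Everything runs offline; the per-engine dictionary is whatever you transcribe from the multi-engine report you looked up, and a path with no such report stays "no-engine-data" rather than being silently trusted.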

antec20
Joined: 20 Oct 2017
Posts: 0
Posted: Tue Oct 31, 2017 5:25 am

GuitarBob wrote:
    If Clam AV is the only scanner on Virus Total (or any other online scanner), it is about a 99.9% certainty that it is a false positive. Virus Total will inform Clam of the false positive, but it might speed things up at Clam AV if you report it also and reference the Virus Total scan.
    I like to see at least 2 of these AVs detect malware in a file before I believe it: Avira, Bitdefender, Eset Nod 32, Kaspersky, and Sophos. They are all good AVs with a large user base, and they use their own scan engine (not an engine licensed from some other AV company). Keep in mind, however, that new malware might not be detected for a few days.
    Regards,
I installed Windows update 1709, or the Fall Creators Update, for Windows 10 64-bit on 2 PCs. The two files aren't detected on update 1709 anymore, only in windows.old [Creators Update, or update 1703]. So when a person has determined they no longer need windows.old [Creators Update, or update 1703] and gets rid of it (via Disk Cleanup is one way), then ClamWin will no longer find the Win.Trojan.Emotet with just the Windows 10 Fall Creators Update installed.
Just some FYI for everyone.

aggravated
Joined: 08 Oct 2017
Posts: 0
Posted: Tue Oct 31, 2017 5:53 am

I had it detect two copies of user32.dll as the Fall Creators Update (1709) was being downloaded (FPs, of course, as usual). That's when I decided to uninstall it. Not the update; the AV.