ClamWin: False Positives

jrh
ClamWin: False Positives

EDIT: The ClamWin people have fixed it, so you can disregard this topic now :)

This app looked like a good idea, however I receive many false positives while scanning.

For example:
F:/PortableClamWin/PortableClamWin.exe: Trojan.Clicker.VB-20 FOUND
F:/PortableFileZilla/PortableFileZilla.exe: Trojan.Clicker.VB-20 FOUND
F:/PortableThunderbird/PortableThunderbird.exe: Trojan.Clicker.VB-20 FOUND

I saw on the PCW page that there is a known issue for a false positive, but if this is a regular thing I'm not sure I can trust it. Still going to keep it around though.

John - I know there's nothing you can necessarily do about this, just wanted to bring it to someone's attention :)

Thanks for the great work!

Ryan McCue
It's just UPX

And no, I don't think you can fix it.
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

Bruce Pascoe
...

What is it about UPX-compressed executables that makes virus scanners think they're malicious?

John T. Haller
Not UPX

It's just NSIS. It detected ALL of the launchers as trojans. See ClamWin Known Issues.

Sometimes, the impossible can become possible, if you're awesome!

Ryan McCue
BTW

What compression method do you use?

John T. Haller
I don't

They are uncompressed.

Ryan McCue
Really?

I use LZMA and use !packhdr with UPX.

John T. Haller
Doesn't buy you anything

Compression on a 50k EXE doesn't really buy you anything.

Bruce Pascoe
...

I know, but it doesn't seem to like UPX-compressed things either. Getting false positives with UPXed EXEs is also a known issue, after all.

John T. Haller
Report It

Those would be brand new false positives as of today. Please be sure to report them as false to the ClamAV folks.

http://clamav.catt.com/cgi-bin/sendvirus.cgi

jrh
Will do. Thanks.
