You are here

ClamWin: False Positives

11 posts / 0 new
Last post
jrh
Offline
Last seen: 18 years 6 months ago
Joined: 2005-12-15 13:53
ClamWin: False Positives

EDIT: The ClamWin people have fixed it, so you can disregard this topic now Smile

This app looked like a good idea, however I receive many false positives while scanning.

For example:
F:/PortableClamWin/PortableClamWin.exe: Trojan.Clicker.VB-20 FOUND
F:/PortableFileZilla/PortableFileZilla.exe: Trojan.Clicker.VB-20 FOUND
F:/PortableThunderbird/PortableThunderbird.exe: Trojan.Clicker.VB-20 FOUND

I saw on the PCW page that there is a known issue for a false positive, but if this is a regular thing I'm not sure I can trust it. Still going to keep it around though.

John - I know there's nothing you can necessarily do about this, just wanted to bring it to someone's attention Smile

Thanks for the great work!

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 1 month ago
Joined: 2006-01-06 21:27
It's just UPX

And no, I dont think you can fix it.
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

Bruce Pascoe
Offline
Last seen: 12 years 10 months ago
Joined: 2006-01-15 16:14
...

What is it about UPX-compressed executables that makes virus scanners think they're malicious?

John T. Haller
John T. Haller's picture
Online
Last seen: 23 min 21 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Not UPX

It's just NSIS. It detected ALL of the launchers as trojans. See ClamWin Known Issues.

Sometimes, the impossible can become possible, if you're awesome!

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 1 month ago
Joined: 2006-01-06 21:27
BTW

What compression method do you use?
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

John T. Haller
John T. Haller's picture
Online
Last seen: 23 min 21 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
I don't

They are uncompressed.

Sometimes, the impossible can become possible, if you're awesome!

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 1 month ago
Joined: 2006-01-06 21:27
Really?

I use LZMA and use !packhdr with UPX.
----
R McCue

"If you're not part of the solution, you're part of the precipitate."

John T. Haller
John T. Haller's picture
Online
Last seen: 23 min 21 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Doesn't buy you anything

Compression on a 50k EXE doesn't really buy you anything.

Sometimes, the impossible can become possible, if you're awesome!

Bruce Pascoe
Offline
Last seen: 12 years 10 months ago
Joined: 2006-01-15 16:14
...

I know, but it doesn't seem to like UPX-compressed things either. Getting false positives with UPXed EXEs is also a known issue, after all.

John T. Haller
John T. Haller's picture
Online
Last seen: 23 min 21 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Report It

Those would be brand new false positives as of today. Please be sure to report them as false to the ClamAV folks.

http://clamav.catt.com/cgi-bin/sendvirus.cgi

Sometimes, the impossible can become possible, if you're awesome!

jrh
Offline
Last seen: 18 years 6 months ago
Joined: 2005-12-15 13:53
Will do. Thanks.

Will do. Thanks.

Topic locked