[false alarm] Clamwin portable 0.93 suspected as virus

zooz
Joined: 2008-01-17 05:40

I have a weird thing with the file ClamWin_Portable_0.93.paf.exe.

Every time I execute it, my real-time antivirus (CA's eTrust 7.1) yells at me that there is a virus at:

c:\documents and settings\[myusername]\local settings\temp\ns[changing number sequence]\system.dll

When I scan the clamwin_portable_0.93.paf.exe file (with CA eTrust antivirus), it doesn't detect anything.

I searched the net and there is at least one virus that is known to create this system.dll at the above path. I would have thought that it's not ClamWin's fault, but that the virus is detecting that I run ClamWin so it does something to protect itself. BUT when I tried downloading and running the same ClamWin file on a different computer running the same antivirus, it happened again (real-time scanner reports a virus, bla bla bla).

While it is possible that both computers are infected, I can hardly believe it. The other computer is turned off most of the time and is connected to the internet via a proxy only.

Could it be a false positive? Should ClamWin Portable setup create some system.dll files in my temp dir? I did see them getting created every time I run clamwinportablesetup.

I'm scanning my Windows hard drive right now from my dual-booted Ubuntu and still nothing was found, but I'd love to hear anything that can shed some light on this phenomenon.


EDIT:
Another false alarm. The problem was with CA's antivirus for the enterprise vet engine virus definitions 5724 false positiving the installer. With 5725 it seems OK.

ZachHudock
Developer
Joined: 2006-12-06 18:07

I'm fairly sure it's a false positive. I believe the created system.dll is used by the installer for the portable app.

The developer formerly known as ZGitRDun8705

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
Yes

I'm fairly sure it's either the installer or the launcher that uses NSIS's system plugin.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

zooz
Joined: 2008-01-17 05:40

Know or believe?

ZachHudock
Developer
Joined: 2006-12-06 18:07

Believe. The only way to know if that file is truly infected would be to upload that file to one of the online multi-client scanners like Virus Total.

None of the applications here are known to contain any viruses, and have been tested by many people. There have been numerous reports of false positives in the past, mostly from persons using AVG as their antivirus client, but we've had reports from other users as well. All of the past reports have been proven to be false positives.

Also, I would find it a bit ironic that something with our antivirus program is being detected as a virus.

The developer formerly known as ZGitRDun8705

zooz
Joined: 2008-01-17 05:40

Could someone please (assuming he is not infected like my PCs) run the installer and, before clicking any "Next"s, check if the system.dll file is created on the specified path?

ZachHudock
Developer
Joined: 2006-12-06 18:07

Confirmed that this file is created. It is a plugin used by the installer. Do any of the other applications from this site cause an issue?

The developer formerly known as ZGitRDun8705

zooz
Joined: 2008-01-17 05:40

Thanks. I just refreshed before posting an answer to your question: yes. I just tried WinSCP and it's the same response. I guess it's CA's false positive.
