"Houston, we have a problem" aka The FP reporting system is broken.

Here's a Windows file which is reporting...

ieinstal.exe: Win.Trojan.Win64-226 FOUND

I ran freshclam...

freshclam

ClamAV update process started at Tue Feb 16 09:00:52 2016
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 21375, sigs: 1844208, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvill)

I found the hash...

sigtool --md5 ieinstal.exe
4ba4770d890b320dab575b07c7daf59d:481280:ieinstal.exe

I checked with VirusTotal...

"Probably harmless! There are strong indicators suggesting that this file is safe to use."
Source:
https://www.virustotal.com/en/file/9a857951b9c3c38b63403c28b7c3a23749c7cef2c3876d203ae8abca45496e8f/analysis/

Ok, so let's report the file as a FP...

http://www.clamav.net/reports/fp


Try 1 (using firefox) - Uploaded ieinstal.exe

Returns:

The sample is empty.
This file is not detected by ClamAV

Try 2 (using firefox) - Uploaded Zipped version (password: virus)

The sample is empty.
Please encrypt your ZIP files with password virus

ClamWin users were getting hit over the weekend with an FP they just couldn't report... now I can see why.


As a side note... if a ClamWin user reports a false positive like this...

C:\Windows\SysWOW64\msdt.exe: [Win.Trojan.Win64-149] FALSE POSITIVE FOUND

What it means is that ClamWin has checked the certificate of the exe file
and found it to belong to Microsoft. It will then tell you that a FALSE
POSITIVE has been FOUND and that the ClamAV sig hitting it is called
Win.Trojan.Win64-149.

In theory this is a nice feature... however, there's a bug... if ClamAV
already has Win.Trojan.Win64-149 in its .fp database (i.e. it's
whitelisted), ClamWin still reports the FALSE POSITIVE FOUND message, even
though it's been fixed.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
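An added example, not part of Steve's post and not ClamAV or ClamWin code: the `sigtool --md5` line above has the form md5:size:name, which is also the line format of ClamAV's .fp whitelist database. The script below rebuilds that line with plain POSIX tools (it assumes `md5sum` is on the PATH) and then checks whether a file's hash is already present in a local .fp file, which is the "already whitelisted" condition the ClamWin message ignores. The .fp database it checks against is constructed inline for the demo, not a real daily.fp.

```shell
#!/bin/sh
# Added example: reproduce the "md5:size:name" line that `sigtool --md5 FILE`
# prints, and test a file against a local ClamAV-style .fp whitelist.
# Assumption: md5sum (GNU coreutils) is available; .fp lines are md5:size:name.

# Print a sigtool-style MD5 line for one file: <md5>:<size in bytes>:<basename>
fp_line() {
    f="$1"
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$f")"
}

# Return 0 if the file's md5 and size match an entry in the .fp file, 1 if not.
# Only the first two fields are compared; the third is a free-form name.
is_whitelisted() {
    f="$1"
    fpdb="$2"
    key=$(fp_line "$f" | cut -d: -f1,2)
    grep -q "^${key}:" "$fpdb"
}

# Demo on constructed data: a stand-in "binary" whose hash is whitelisted,
# and a second file that is not. Prints "yes no".
demo() {
    tmp=$(mktemp -d)
    printf 'not really ieinstal.exe\n' > "$tmp/ieinstal.exe"
    printf 'something else entirely\n' > "$tmp/other.exe"
    # Constructed .fp database: one real entry for our stand-in file plus a
    # filler entry (md5 of the empty string, size 0).
    fp_line "$tmp/ieinstal.exe" > "$tmp/sample.fp"
    echo "d41d8cd98f00b204e9800998ecf8427e:0:empty" >> "$tmp/sample.fp"
    if is_whitelisted "$tmp/ieinstal.exe" "$tmp/sample.fp"; then r1=yes; else r1=no; fi
    if is_whitelisted "$tmp/other.exe" "$tmp/sample.fp"; then r2=yes; else r2=no; fi
    rm -rf "$tmp"
    echo "$r1 $r2"
}

demo
```

To run the same check against the real whitelist, unpack the current daily database first (for example `sigtool --unpack daily.cld` writes daily.fp into the current directory) and pass that file as the second argument; `sigtool --find-sigs Win.Trojan.Win64-149` will show whether the detection signature itself is still present.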

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
