Re: [Clamav-users] Hacktool.PCGI false positive? What to do?
>Jonathan Kamens wrote:
>> Greetings,
>>
>> Recently, ClamAV version 0.90.2 with main.cvd version 44 and daily.cvd
>> version 4540 reported that an EXE on one of our servers was infected
>> with Hacktool.PCGI. This EXE came from a pretty reputable source, and
>> when I scanned the same file with Symantec AntiVirus, it claimed that
>> the file was clean. So, what now? Is there any way I can provide
>> information to the folks who maintain the ClamAV virus definitions to
>> help them (a) determine whether ClamAV or SAV is correct, and (b) if the
>> latter, fine-tune the ClamAV signature to prevent this false positive
>> from recurring? Basically, what's the protocol for a suspected false
>> positive?
>
>http://cgi.clamav.net/sendvirus.cgi
>
>Mark it as a false positive.

Thanks, I didn't realize that interface could be used for false
positives as well.

However, we have a problem -- the file that's showing up as a false
positive is one we got from one of our clients, and we're not allowed to
redistribute it. Is there any way I can extract information from the
file that will be helpful in analyzing the false positive and submit
that to the virus database maintainers rather than submitting the file
itself?

jik

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Hacktool.PCGI false positive? What to do?
Jonathan Kamens wrote:
> Greetings,
>
> Recently, ClamAV version 0.90.2 with main.cvd version 44 and daily.cvd
> version 4540 reported that an EXE on one of our servers was infected
> with Hacktool.PCGI. This EXE came from a pretty reputable source, and
> when I scanned the same file with Symantec AntiVirus, it claimed that
> the file was clean. So, what now? Is there any way I can provide
> information to the folks who maintain the ClamAV virus definitions to
> help them (a) determine whether ClamAV or SAV is correct, and (b) if the
> latter, fine-tune the ClamAV signature to prevent this false positive
> from recurring? Basically, what's the protocol for a suspected false
> positive?
>
> Thanks,
>
> jik

http://cgi.clamav.net/sendvirus.cgi

Mark it as a false positive.

dp

[Clamav-users] Hacktool.PCGI false positive? What to do?
Greetings,

Recently, ClamAV version 0.90.2 with main.cvd version 44 and daily.cvd
version 4540 reported that an EXE on one of our servers was infected
with Hacktool.PCGI. This EXE came from a pretty reputable source, and
when I scanned the same file with Symantec AntiVirus, it claimed that
the file was clean. So, what now? Is there any way I can provide
information to the folks who maintain the ClamAV virus definitions to
help them (a) determine whether ClamAV or SAV is correct, and (b) if the
latter, fine-tune the ClamAV signature to prevent this false positive
from recurring? Basically, what's the protocol for a suspected false
positive?

Thanks,

jik