[clamav-users] FP System
Steve Basford
steveb_clamav at sanesecurity.com
Tue Feb 16 09:17:14 UTC 2016
"Houston, we have a problem" aka The FP reporting system is broken.
Here's a Windows file which is reporting...
ieinstal.exe: Win.Trojan.Win64-226 FOUND
I ran freshclam...
freshclam
ClamAV update process started at Tue Feb 16 09:00:52 2016
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 21375, sigs: 1844208, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvill
I found the hash...
sigtool --md5 ieinstal.exe
4ba4770d890b320dab575b07c7daf59d:481280:ieinstal.exe
I checked with VirusTotal...
"Probably harmless! There are strong indicators suggesting that this file is safe to use."
Source:
https://www.virustotal.com/en/file/9a857951b9c3c38b63403c28b7c3a23749c7cef2c3876d203ae8abca45496e8f/analysis/
Ok, so let's report the file as a FP...
http://www.clamav.net/reports/fp
Try 1 (using firefox) - Uploaded ieinstal.exe
Returns:
The sample is empty.
This file is not detected by ClamAV
Try 2 (using firefox) - Uploaded Zipped version (password: virus)
The sample is empty.
Please encrypt your ZIP files with password virus
ClamWin users were getting hit over the weekend with a FP they just
couldn't report... now I can see why.
As a side note... if a ClamWin user reports a false positive like this...
C:\Windows\SysWOW64\msdt.exe: [Win.Trojan.Win64-149] FALSE POSITIVE FOUND
What it means is that ClamWin has checked the certificate of the exe file
and found it to belong to Microsoft. It will then tell you that a FALSE
POSITIVE has been FOUND and that the ClamAV sig hitting it is called
Win.Trojan.Win64-149.
In theory this is a nice feature... however, there's a bug... if ClamAV
already has Win.Trojan.Win64-149 in its .fp database (i.e. it's
whitelisted) ClamWin still reports the FALSE POSITIVE FOUND message, even
though it's been fixed.
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
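The `sigtool --md5` line above (`md5:size:filename`) is exactly the entry format ClamAV's hash databases use: in a .hdb it detects the file, in a .fp it whitelists it, so a .fp match suppresses an otherwise matching signature and clamscan reports the file clean. The script below is an added example (not from the post, ClamAV or ClamWin) that reproduces that line for an in-memory file and applies a constructed .fp whitelist to a signature hit, including the `*` size wildcard ClamAV accepts in hash entries. The sample bytes, the entry names and the `Win.Trojan.Win64-226` hit are constructed for illustration.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for a file; the real ieinstal.exe is not embedded here.
SAMPLE = b"MZ\x90\x00" + b"ieinstal-sample-bytes" * 8


def sigtool_md5_line(data: bytes, name: str) -> str:
    """Reproduce the `md5:size:name` line printed by `sigtool --md5 FILE`.

    The same line is a valid entry for a .hdb (detect) or .fp (whitelist) file.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(lines: Iterable[str]) -> List[Tuple[str, Optional[int], str]]:
    """Parse .fp-style lines into (md5, size-or-None, name) tuples.

    A size of '*' is a wildcard (match on hash only); blank and '#' lines are skipped.
    """
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        entries.append((md5.lower(), None if size == "*" else int(size), name))
    return entries


def whitelisted_as(data: bytes, fp_entries) -> Optional[str]:
    """Return the name of the .fp entry matching the file, or None."""
    digest = hashlib.md5(data).hexdigest()
    for md5, size, name in fp_entries:
        if md5 == digest and (size is None or size == len(data)):
            return name
    return None


def scan_verdict(data: bytes, detection: str, fp_entries) -> str:
    """Combine a raw signature hit with the .fp whitelist.

    A file present in .fp is reported clean ("OK"), not as a detection and
    not as a "FALSE POSITIVE FOUND": the whitelist entry is the fix itself.
    """
    if whitelisted_as(data, fp_entries) is not None:
        return "OK"
    return f"{detection} FOUND"


# Constructed .fp database: the sample file by exact size, a second entry with a
# size wildcard, and an unrelated entry that must not match anything here.
FP_DB_LINES = [
    "# constructed example whitelist",
    sigtool_md5_line(SAMPLE, "ieinstal.exe"),
    hashlib.md5(b"wildcard-file").hexdigest() + ":*:msdt.exe",
    "d41d8cd98f00b204e9800998ecf8427e:0:empty-file",
]
FP_ENTRIES = parse_fp(FP_DB_LINES)


def demo() -> dict:
    """Run the three cases a practitioner would check and return the verdicts."""
    return {
        "whitelisted_exact": scan_verdict(SAMPLE, "Win.Trojan.Win64-226", FP_ENTRIES),
        "whitelisted_wildcard": scan_verdict(b"wildcard-file", "Win.Trojan.Win64-149", FP_ENTRIES),
        "not_whitelisted": scan_verdict(b"some other bytes", "Win.Trojan.Win64-226", FP_ENTRIES),
    }


if __name__ == "__main__":
    print(sigtool_md5_line(SAMPLE, "ieinstal.exe"))
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The first printed line is what you would paste into a local .fp file (for example `local.fp` in the ClamAV database directory) to silence the hit on that exact build of the file until the official signature is fixed; the verdicts show that a whitelisted file comes back clean, which is why a tool that still announces "FALSE POSITIVE FOUND" for it is reporting stale state.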