[clamav-users] ClamAv local results differ from ClamAV at VirusTotal.com

Paul B. pbpublic at gmail.com
Sat Jan 13 13:25:18 UTC 2018


I began doing so with the first hit, then at the bottom of the page I
saw the notice to first update the sigs with freshclam. Freshclam runs
on an hourly schedule here, so I saw little need to do so, but for
completeness I did, and it showed no updating, and said the sigs were
up to date. The machine had been off all night.

So I retested each file individually using ClamTK. Now each one
passed. So I'm getting different results even from local ClamAV alone.
Perhaps when I tested I had a slightly different sig database here?
Seems a very slim possibility.

So I guess I'll hold off on reporting. What would be helpful to know
is whether to prefer ClamAV results at VirusTotal or locally when
there is a disparity between the two. Or in general, maybe I should
wait till the next day and retest to see if positive hits are
confirmed?

Thanks,
Paul

On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell <alvarnell at mac.com> wrote:
> On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
>> I just ran a scan on my root drive, and had 3 hits. I ran each of them
>> by VirusTotal, and each VT had ClamAV reporting them as Clean. The
>> output here was:
>>
>> /home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map:
>> Html.Exploit.CVE_2017_8738-6336184-2 FOUND
>>
>> /home/paul/.wine/drive_c/users/Public/Application Data/The
>> Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
>>
>> /home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe:
>> PUA.Win.Trojan.Casino-141 FOUND
>
> Since you believe these to be False Positives, you should upload them to <http://www.clamav.net/reports/fp> then return here with a hash value for each file.
>
>> The first one is the reddit extension suite, RES, an extension to the
>> vivaldi browser. The second and third pertain to a Windows Bible
>> program I use on WINE on Linux. I would be very surprised if there is
>> anything actually wrong with #2 or #3, and I doubt anything's wrong
>> with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But
>> ClamAV at VT passed all three files.
>>
>> I could simply write an exclusion for these files, but I wonder why
>> this disparity exists.
>>
>> Thanks,
>> Paul
>
> -Al-
> --
> Al Varnell
> ClamXAV user


