[clamav-users] ClamAv local results differ from ClamAV at VirusTotal.com

Micah Snyder (micasnyd) micasnyd at cisco.com
Sun Jan 14 17:21:08 UTC 2018


Your results locally could differ from VirusTotal a little even if you just had VirusTotal re-scan the file.  I believe they are running ClamAV v0.99.2 and there is some slight variation between that and the latest 0.99.3-beta2, but there isn't much and it should be for the better.  Of course, I'm not sure which version(s) of the clamav engine you're running on your machines.  It's hard to say without looking closely at your installations for clamav, clamtk.  It is a little concerning to me that you saw two different results - but yeah, as Al suggested, please go ahead and submit those as false positives.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 13, 2018, at 8:25 AM, Paul B. <pbpublic at gmail.com> wrote:

I began doing so with the first hit, then at the bottom of the page I
saw the notice to first update the sigs with freshclam. Freshclam runs
on an hourly schedule here, so I saw little need to do so, but for
completeness I did, and it showed no updating, and said the sigs were
up to date. The machine had been off all night.

So I retested each file individually using ClamTK. Now each one
passed. So I'm getting different results even from local ClamAV alone.
Perhaps when I tested I had a slightly different sig database here?
Seems a very slim possibility.

So I guess I'll hold off on reporting. What would be helpful to know
is whether to prefer ClamAV results at VirusTotal or locally when
there is a disparity between the two. Or in general, maybe I should
wait till the next day and retest to see if positive hits are
confirmed?

Thanks,
Paul

On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell <alvarnell at mac.com> wrote:
On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
I just ran a scan on my root drive, and had 3 hits. I ran each of them
by VirusTotal, and each VT had ClamAV reporting them as Clean. The
output here was:

/home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map: Html.Exploit.CVE_2017_8738-6336184-2 FOUND

/home/paul/.wine/drive_c/users/Public/Application Data/The Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND

/home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND

Since you believe these to be False Positives, you should upload them to <http://www.clamav.net/reports/fp> then return here with a hash value for each file.

The first one is the reddit extension suite, RES, an extension to the
vivaldi browser. The second and third pertain to a Windows Bible
program I use on WINE on Linux. I would be very surprised if there is
anything actually wrong with #2 or #3, and I doubt anything's wrong
with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But
ClamAV at VT passed all three files.

I could simply write an exclusion for these files, but I wonder why
this disparity exists.

Thanks,
Paul

-Al-
--
Al Varnell
ClamXAV user
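The thread turns on three pieces of evidence that nobody in it actually recorded: the engine version, the signature database version at the moment of the scan, and a hash of each flagged file (Al asks for the hashes, Micah points at the engine version). The following is an added example, not code from the thread or from the ClamAV project. It parses the text that `clamscan --version` and `clamscan` print (the "ClamAV <engine>/<daily db version>/<db date>" version line and the "<path>: <signature> FOUND" / "<path>: OK" result lines), hashes the flagged files, and lists where a local run and a second ClamAV verdict (for example the one shown on VirusTotal) disagree. All sample output and file contents below are constructed, modelled on the lines Paul posted; nothing is read from a real installation.

```python
"""Record what is needed to explain a local-vs-VirusTotal ClamAV disparity.

Added example (not from the thread). Given the version line, the scan
output and the bytes of each flagged file, it produces a false-positive
report (path, signature, sha256, engine, db version) and a list of files
where two ClamAV runs disagree. Sample inputs are constructed.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# `clamscan --version` prints "ClamAV <engine>/<daily db version>/<db date>"
# once a signature database is installed; without one only "ClamAV <engine>".
VERSION_RE = re.compile(r"^ClamAV (?P<engine>[\w.\-]+)(?:/(?P<db>\d+)/(?P<date>.+))?$")

# Per-file result lines: "<path>: <signature> FOUND" or "<path>: OK".
# The summary block clamscan appends ("Infected files: 3" etc.) does not match.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_version(line: str) -> Dict[str, Optional[str]]:
    """Split a `clamscan --version` line into engine, db version and db date."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return {"engine": m.group("engine"), "db": m.group("db"), "db_date": m.group("date")}


def parse_scan_output(text: str) -> List[Dict[str, Optional[str]]]:
    """Collect per-file verdicts; signature is None for files reported OK."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.rstrip())
        if m:
            results.append({"path": m.group("path"), "signature": m.group("sig")})
    return results


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes, the hash a false-positive report should carry."""
    return hashlib.sha256(data).hexdigest()


def build_fp_report(version_line: str, scan_text: str,
                    contents: Dict[str, bytes]) -> List[Dict[str, Optional[str]]]:
    """One record per FOUND line, tied to the engine and db version that produced it."""
    ver = parse_version(version_line)
    report = []
    for r in parse_scan_output(scan_text):
        if r["signature"] is None:
            continue
        data = contents.get(r["path"])
        report.append({
            "path": r["path"],
            "signature": r["signature"],
            "sha256": sha256_hex(data) if data is not None else None,
            "engine": ver["engine"],
            "db": ver["db"],
        })
    return report


def compare_verdicts(local: List[Dict[str, Optional[str]]],
                     other: Dict[str, Optional[str]]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Paths where the local signature differs from a second run's verdict.

    `other` maps path -> signature name, or None for a clean verdict (as shown
    on VirusTotal). A file absent from `other` counts as clean there.
    """
    return [(r["path"], r["signature"], other.get(r["path"]))
            for r in local if r["signature"] != other.get(r["path"])]


# --- constructed sample data, modelled on the thread's posted output ---
SAMPLE_VERSION = "ClamAV 0.99.2/24247/Sat Jan 13 01:18:04 2018"  # constructed db number/date
SAMPLE_SCAN = """\
/home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map: Html.Exploit.CVE_2017_8738-6336184-2 FOUND
/home/paul/.wine/drive_c/users/Public/Application Data/The Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
/home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND
/home/paul/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 3
"""
# Constructed stand-ins for the file bytes; real usage reads the files from disk.
SAMPLE_CONTENTS = {
    "/home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe": b"constructed uninstaller bytes",
}
# A second ClamAV verdict for the same paths: all clean, as VirusTotal showed.
SAMPLE_VT_CLAMAV = {}

if __name__ == "__main__":
    for rec in build_fp_report(SAMPLE_VERSION, SAMPLE_SCAN, SAMPLE_CONTENTS):
        print(rec)
    for path, local_sig, vt_sig in compare_verdicts(parse_scan_output(SAMPLE_SCAN), SAMPLE_VT_CLAMAV):
        print(f"DISAGREE {path}: local={local_sig} other={vt_sig}")
```

In practice the version line comes from running `clamscan --version` right before the scan, because freshclam runs hourly and the db number is exactly what changes between Paul's two runs; a false-positive report that carries the engine, the db version and the sha256 lets whoever triages it reproduce the verdict instead of guessing which database produced it.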




_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml