[clamav-users] ClamAv local results differ from ClamAV at VirusTotal.com

Paul B. pbpublic at gmail.com
Sun Jan 14 17:51:36 UTC 2018


Micah,
Thanks for the explanation. As I thought about this, I realized that
if I go to the trouble of a VirusTotal scan, I ought to switch to the
big picture and take all the engines there into account. On truly
dubious items I probably will just take the local ClamAV's report on
face value and nuke the offender, unless I'm curious enough to consult
VT.

BW,
Paul

On 1/14/18, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
> Your results locally could differ from VirusTotal a little even if you just
> had VirusTotal re-scan the file.  I believe they are running ClamAV v0.99.2
> and there is some slight variation between that and the latest
> 0.99.3-beta2 but there isn’t much and it should be for the better.  Of
> course, I’m not sure which version(s) of the clamav engine you’re running on
> your machines.  It’s hard to say without looking closely at your
> installations for clamav, clamtk.  It is a little concerning to me that you
> saw two different results - but yeah as Al suggested, please go ahead and
> submit those as false positives.
>
>
> Micah Snyder
> Software Engineer
> Talos
> Cisco Systems, Inc.
>
>
>
> On Jan 13, 2018, at 8:25 AM, Paul B.
> <pbpublic at gmail.com> wrote:
>
> I began doing so with the first hit, then at the bottom of the page I
> saw the notice to first update the sigs with freshclam. Freshclam runs
> on an hourly schedule here, so I saw little need to do so, but for
> completeness I did, and it showed no updating, and said the sigs were
> up to date. The machine had been off all night.
>
> So I retested each file individually using ClamTK. Now each one
> passed. So I'm getting different results even from local ClamAV alone.
> Perhaps when I tested I had a slightly different sig database here?
> Seems a very slim possibility.
>
> So I guess I'll hold off on reporting. What would be helpful to know
> is whether to prefer ClamAV results at VirusTotal or locally when
> there is a disparity between the two. Or in general, maybe I should
> wait till the next day and retest to see if positive hits are
> confirmed?
>
> Thanks,
> Paul
>
> On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell
> <alvarnell at mac.com> wrote:
> On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
> I just ran a scan on my root drive, and had 3 hits. I ran each of them
> by VirusTotal, and each VT had ClamAV reporting them as Clean. The
> output here was:
>
> /home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map:
> Html.Exploit.CVE_2017_8738-6336184-2 FOUND
>
> /home/paul/.wine/drive_c/users/Public/Application Data/The
> Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
>
> /home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe:
> PUA.Win.Trojan.Casino-141 FOUND
>
> Since you believe these to be False Positives, you should upload them to
> <http://www.clamav.net/reports/fp> then
> return here with a hash value for each file.
>
> The first one is the reddit extension suite, RES, an extension to the
> vivaldi browser. The second and third pertain to a Windows Bible
> program I use on WINE on Linux. I would be very surprised if there is
> anything actually wrong with #2 or #3, and I doubt anything's wrong
> with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But
> ClamAV at VT passed all three files.
>
> I could simply write an exclusion for these files, but I wonder why
> this disparity exists.
>
> Thanks,
> Paul
>
> -Al-
> --
> Al Varnell
> ClamXAV user
>
>
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 
Looking for a quality/value laptop <http://j.mp/MyBonanza>?
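The thread's core problem is comparing a hit from one ClamAV run (local clamscan or ClamTK) against another (a later local rescan, or ClamAV at VirusTotal) without knowing whether the engine or the signature database was the same in both. The example below is added here and is not code from the thread or from the ClamAV project: it parses hit lines in the `path: Signature FOUND` shape quoted above, records each file's SHA-256 (the value the false-positive report asks for), and attaches the engine and database version. It assumes that `clamscan --version` prints `ClamAV <engine>/<db-version>/<db-date>` when a database is loaded; the sample paths, signature names and version string in `demo()` are constructed.

```python
import hashlib
import os
import re
import tempfile

# Shape of a clamscan/clamtk hit line, as quoted in the thread:
#   /path/to/file: Signature.Name-123 FOUND
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Shape of `clamscan --version` when a signature database is loaded
# (assumed format): ClamAV <engine>/<db-version>/<db-build-date>
VERSION_RE = re.compile(
    r"^ClamAV (?P<engine>\d[\w.\-]*)/(?P<dbver>\d+)/(?P<dbdate>.+)$"
)


def parse_hits(scan_output):
    """Return [(path, signature), ...] for every FOUND line; OK lines are skipped."""
    hits = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def parse_version(version_line):
    """Split engine and database versions so two scans can be compared."""
    m = VERSION_RE.match(version_line.strip())
    if m:
        return m.groupdict()
    # No database loaded, or an unexpected format: keep the raw text.
    return {"engine": version_line.strip(), "dbver": None, "dbdate": None}


def sha256_of(path):
    """Hash the file in chunks; large packed executables should not be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_report(scan_output, version_line):
    """One record per hit: path, signature, sha256, engine and db version."""
    ver = parse_version(version_line)
    report = []
    for path, sig in parse_hits(scan_output):
        try:
            digest = sha256_of(path)
        except OSError:
            digest = None  # file vanished since the scan; keep the hit anyway
        report.append({"path": path, "signature": sig, "sha256": digest, **ver})
    return report


def disagreements(local_report, remote_hits):
    """Local hits that another scan did not confirm.

    `remote_hits` maps sha256 -> signature as recorded from the other run
    (for example ClamAV's verdict at VirusTotal); a missing key means clean."""
    return [r for r in local_report
            if r["sha256"] is not None
            and remote_hits.get(r["sha256"]) != r["signature"]]


def demo():
    """Constructed sample: one real temp file plus one path that no longer exists."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(b"hello")
    tmp.close()
    scan_output = (
        f"{tmp.name}: PUA.Win.Packer.BorlandDelphiKo-3 FOUND\n"
        "/nonexistent/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND\n"
        "/etc/hostname: OK\n"
    )
    try:
        report = build_report(scan_output, "ClamAV 0.99.2/24234/Sat Jan 13 07:22:03 2018")
    finally:
        os.unlink(tmp.name)
    # The constructed "remote" scan reported nothing, so the first hit is unconfirmed.
    return report, disagreements(report, {})


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

Keeping the database version next to each hit is what makes a rescan meaningful: if the second run shows a different `dbver`, a vanished hit is consistent with a signature having been pulled, and if the engine and database match, the disagreement is worth reporting with the hash attached.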


