[clamav-users] Expiro virus found in Windows but not when using Linux
demonduck
demonduck at sourcefire.com
Thu Dec 19 14:56:54 UTC 2019
Hi Chris,
The signature "Win.Virus.Expiro-7396684-0" was dropped from daily.cvd on
12/14/2019 after FPs were found in the wild. You may be using two different
versions of the official ClamAV virus signatures on the two systems,
resulting in different alerts.
Thanks,
demonduck
On Thu, Dec 19, 2019 at 9:36 AM Chris Showers via clamav-users <clamav-users at lists.clamav.net> wrote:
> Hello,
>
> A scan of a PC I was given to disinfect reports the following when using
> clamav 0.102.1 portable in Windows:
>
> [code]
> PS C:\Users\UserName\Desktop\clamav-0.102.1-win-x64-portable>
> .\clamscan.exe --remove C:\Windows\System32\msiexec.exe
>
> C:\Windows\System32\msiexec.exe: Win.Virus.Expiro-7396684-0 FOUND
> ERROR: Can't remove file 'C:\Windows\System32\msiexec.exe'.
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6587211
> Engine version: 0.102.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Not removed: 1
> Data scanned: 0.06 MB
> Data read: 0.06 MB (ratio 1.00:1)
> Time: 9.615 sec (0 m 9 s)
> [/code]
>
> Seeing as Windows reported "can't remove", I figured the file was in
> memory or some such thing and that running the scan with the drive mounted
> using a live Linux disc would certainly work. However, Linux reports that
> there is no virus in the file:
>
> [code]
> root at ubuntu:/media# clamscan sda4/Windows/System32/msiexec.exe
> sda4/Windows/System32/msiexec.exe: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6616229
> Engine version: 0.102.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.06 MB
> Data read: 0.06 MB (ratio 1.00:1)
> Time: 7.705 sec (0 m 7 s)
> [/code]
>
> Looking at that file in Windows and mounted in Linux, they are the same
> size and hash to the same value. How can this be?
>
> Thanks for any help you can provide!
>
>
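The check the reply above implies, written out as an added example (not code from the thread's participants or from the ClamAV project): before trusting a verdict that differs between two machines, parse the two SCAN SUMMARY blocks quoted in the thread, refuse to compare them when the engine version or the "Known viruses" count differ, and, where ClamAV is installed locally, ask `sigtool --find-sigs` whether the signature name is still present in the loaded databases. The two summaries are taken from the thread and embedded as sample input; the `clamscan --version` line used for the version parser is a constructed sample, and the sigtool call is skipped when the tool is not on PATH.

```python
#!/usr/bin/env python3
"""Decide whether two ClamAV scans of the same file are comparable.

Added example for this thread, not code from ClamAV or from the posters.
A differing "Known viruses" count means a different database version, a
missing .cvd/.cld file, or extra third-party signatures on one side; in
any of those cases a FOUND/OK disagreement says nothing about the file.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# Sample input: the two SCAN SUMMARY blocks quoted in the thread, verbatim.
WINDOWS_SUMMARY = """\
----------- SCAN SUMMARY -----------
Known viruses: 6587211
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Not removed: 1
Data scanned: 0.06 MB
Data read: 0.06 MB (ratio 1.00:1)
Time: 9.615 sec (0 m 9 s)
"""

LINUX_SUMMARY = """\
----------- SCAN SUMMARY -----------
Known viruses: 6616229
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.06 MB
Data read: 0.06 MB (ratio 1.00:1)
Time: 7.705 sec (0 m 7 s)
"""


@dataclass
class ScanSummary:
    engine: str
    known_viruses: int
    infected: int


def parse_summary(text: str) -> ScanSummary:
    """Pull engine version, signature count and hit count out of a summary."""
    fields = {}
    for line in text.splitlines():
        # "Key: value"; the dashed banner line does not match.
        m = re.match(r"^([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return ScanSummary(
        engine=fields["Engine version"],
        known_viruses=int(fields["Known viruses"]),
        infected=int(fields["Infected files"]),
    )


def parse_clamscan_version(line: str) -> Tuple[str, int, str]:
    """Split a `clamscan --version` line, e.g. the constructed sample
    'ClamAV 0.102.1/25660/Sat Dec 14 08:00:00 2019', into
    (engine, daily database version, database build date)."""
    m = re.match(r"^ClamAV (\S+)/(\d+)/(.+)$", line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), int(m.group(2)), m.group(3)


def comparable(a: ScanSummary, b: ScanSummary) -> Tuple[bool, str]:
    """Return (ok, reason): only same engine and same signature set qualify."""
    if a.engine != b.engine:
        return False, f"engine mismatch: {a.engine} vs {b.engine}"
    if a.known_viruses != b.known_viruses:
        delta = abs(a.known_viruses - b.known_viruses)
        return False, f"signature set differs by {delta} entries; verdicts not comparable"
    return True, "same engine and signature count"


def signature_present_locally(name: str) -> Optional[bool]:
    """Look the signature name up in the locally installed databases with
    `sigtool --find-sigs`. Returns None when sigtool is not installed."""
    if shutil.which("sigtool") is None:
        return None
    out = subprocess.run(["sigtool", f"--find-sigs={name}"],
                         capture_output=True, text=True)
    return name in out.stdout


if __name__ == "__main__":
    win, lin = parse_summary(WINDOWS_SUMMARY), parse_summary(LINUX_SUMMARY)
    ok, why = comparable(win, lin)
    print(f"Windows: engine {win.engine}, {win.known_viruses} sigs, infected={win.infected}")
    print(f"Linux:   engine {lin.engine}, {lin.known_viruses} sigs, infected={lin.infected}")
    print("comparable" if ok else f"NOT comparable: {why}")
    present = signature_present_locally("Win.Virus.Expiro-7396684-0")
    if present is None:
        print("sigtool not on PATH; skipping local signature lookup")
    else:
        print(f"Win.Virus.Expiro-7396684-0 in local databases: {present}")
```

Run `clamscan --version` (or `sigtool --info daily.cvd`) on both machines and feed the lines to `parse_clamscan_version` to see which daily database each side actually loaded; the mismatch between 6587211 and 6616229 known signatures in the thread is exactly what `comparable` rejects.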