clamav-users January 2014 archive

[clamav-users] False positives

From: Tagore Smith <tagoresmith_at_nospam>
Date: Wed Jan 15 2014 - 16:59:01 GMT

I'm a software developer at Anzovin Studio. We've recently received a
rather irate report from one of our users that ClamAV is flagging one
of our installers as being infected with Win.Trojan.378656. We've checked
our other installers with ClamAV and a number of them are also being
flagged. I think it is unlikely that they are actually infected with a
Trojan, but I would like to rule out the possibility of course. If it is,
as I suspect, a false positive, it would be nice to have it no longer
reported as malicious.

I see that there is a form on the ClamAV site for submitting false
positives. Should I submit each of the installers in question? What is the
process for handling false positives?

Also, is there some reasonably straightforward way to find out what in
particular about these installers is causing them to be flagged? As I said,
I think it is pretty unlikely that they are infected with any malware, but
I would like to be able to rule out the possibility.

The software in question was written before I came to the studio, and uses
an installer program we no longer use except for older products, and that I
am not familiar with. It is called Astrum InstallWizard. I suspect that
there is something about the installer that's causing this.

Tagore Smith