clamav-users January 2014 archive

Re: [clamav-users] False positives

From: Alain Zidouemba <azidouemba_at_nospam>
Date: Wed Jan 15 2014 - 19:25:59 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>

Tagore,

Thanks for your FP report. The process for submitting suspected false
positives is to go through the webpage
http://www.clamav.net/lang/en/sendvirus/submit-fp/ . We monitor submissions
that come in through that feed and address them as soon as possible. For a
high priority FP, please email this list with the MD5/SHA256 of the
sample(s) you submitted.

In this particular case, the signature name you provided was enough
information to confirm the FP. The signature has been removed and this
should be reflected in a DB update later today.

Thanks,

- Alain

On Wed, Jan 15, 2014 at 11:59 AM, Tagore Smith <tagoresmith@gmail.com> wrote:

> I'm a software developer at Anzovin Studio. We've recently received a
> rather irate report from one of our users that ClamAV is flagging one
> of our installers as being infected with Win.Trojan.378656. We've checked
> our other installers with ClamAV and a number of them are also being
> flagged. I think it is unlikely that they are actually infected with a
> Trojan, but I would like to rule out the possibility of course. If it is,
> as I suspect, a false positive it would be nice to have it no longer
> reported as malicious.
>
> I see that there is a form on the ClamAV site for submitting false
> positives. Should I submit each of the installers in question? What is the
> process for handling false positives?
>
> Also, is there some reasonably straightforward way to find out what in
> particular about these installers is causing them to be flagged? As I said
> I think it is pretty unlikely that they are infected with any malware, but
> I would like to be able to rule out the possibility.
>
> The software in question was written before I came to the studio, and uses
> an installer program we no longer use except for older products, and that I
> am not familiar with. It is called Astrum InstallWizard. I suspect that
> there is something about the installer that's causing this.
>
> Thanks
> Tagore Smith
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>