Hi there,

Please try to be more informative in your questions. You have omitted important information from your posts, and you continue to do so. It makes me suspicious.
Many new malware signatures are being added to anti-virus databases world-wide every day, and occasionally one of these signatures will unintentionally match something else - perhaps another piece of software, or a document, or even just a collection of random data - which is unrelated to the malware. When that happens, we have what's known as a false positive. Throughout the world there are many millions of systems which contain many thousands of files which are identical on each system. Various Windows systems for example have many identical binaries. It's easy (relatively easy) to check that new malware signatures don't trigger on most Windows boxes by running them past a few test machines in the laboratory. Unfortunately, for obvious reasons, there's no way that all the software and documents in the world can be used to check for false positives from each new signature in the test lab. One has to rely on probabilities and feedback. In the case of ClamAV, there are feedback mechanisms documented on the Website.

On Sat, 23 Jan 2010 Jon Bendtsen wrote:

> G.W. Haywood wrote:
> > my guess is that you don't really
> > know if the files have been changed in the past year or not anyway.
>
> I know, because I scan on the backup server. The backup server uses rsync
> to move the files over, and any changes in existing files will be noticed.

Are you sure about that? By default, rsync checks only the file size and the last modified time. You need to force it to run checksums on the files to be sure that actual data changes will be noticed, and of course this takes very much longer than just the quick timestamp and size checks. So most of the time people don't do it, because one of the main reasons they use rsync is for its speed when compared with repeatedly copying hundreds of directory trees file-by-file.

> > > How do I KNOW FOR SURE, if it is a real positive or just a false
> > > positive?
> ...
> The software in question is something we programmed ...
I'm struggling to make sense of this. The normal process of software development requires that an archive is kept of all software releases so that, at a bare minimum, faults can be tracked and fixed. It must be obvious to any competent programmer how to keep archives of his work which cannot be changed without his knowledge. For example, he can archive digitally signed or encrypted backup copies, write copies to a write-once-only medium such as CD-ROM, or write to a floppy disc, break out the write-protect tab, and put the disc in a safe. At the very least, he can store the md5sums of the files on a piece of paper and keep it in his wallet. Have you done nothing like that?

It should also be obvious how to make sure that something you have written doesn't contain anything malicious. I'd go further, and say that it's irresponsible to release software if you are not capable of doing that. Is there something else that you haven't told us?

--
73, Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
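Two points in the message above invite a worked demonstration: rsync's default quick check (size plus modification time) cannot see a content change that preserves both, and a stored checksum manifest can. The following script is an added example written for this page, not code from the thread or from the rsync or ClamAV projects. It builds a manifest of a directory recording both a quick-check tuple and a SHA-256 digest per file (the message mentions md5sums; SHA-256 is substituted here as the stronger choice, and the algorithm is a parameter), then stages a constructed same-length edit with the original mtime restored and compares the two detection methods. The `(size, int(mtime))` tuple is an approximation of rsync's quick check, not rsync itself; with real rsync the equivalent of the checksum path is the `--checksum` (`-c`) option.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def quick_check_signature(path):
    """Approximate rsync's default quick check: size and whole-second mtime only."""
    st = os.stat(path)
    return (st.st_size, int(st.st_mtime))


def file_digest(path, algo="sha256"):
    """Stream the file through a hash so large files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map relative POSIX path -> (quick-check tuple, content digest) for every regular file."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (quick_check_signature(p), file_digest(p, algo))
    return manifest


def compare(root, manifest, algo="sha256"):
    """For each manifest entry, report whether the quick check and the checksum
    each consider the file changed; a deleted file is flagged by both."""
    current = build_manifest(root, algo)
    result = {}
    for rel, (quick_old, digest_old) in manifest.items():
        if rel not in current:
            result[rel] = {"quick": True, "checksum": True, "missing": True}
            continue
        quick_new, digest_new = current[rel]
        result[rel] = {
            "quick": quick_new != quick_old,
            "checksum": digest_new != digest_old,
            "missing": False,
        }
    return result


def demo():
    """Constructed scenario: a release binary is overwritten with bytes of the
    same length and its mtime is put back, as a tampering attempt might do."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "release" / "tool.bin"
        target.parent.mkdir()
        target.write_bytes(b"GOODBYTES")          # constructed original content
        manifest = build_manifest(d)              # the "md5sums on paper" moment
        st = os.stat(target)
        target.write_bytes(b"EVILBYTES")          # same size, different content
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore mtime
        return compare(d, manifest)["release/tool.bin"]


if __name__ == "__main__":
    verdict = demo()
    print("quick check (size+mtime) sees change:", verdict["quick"])
    print("checksum sees change:               ", verdict["checksum"])
```

The manifest is only as trustworthy as its storage: keep it somewhere the monitored host cannot rewrite (the message's signed archive, write-once medium, or piece of paper), otherwise whoever can alter the files can also alter the record of their hashes.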
