Hello again,

On Thu, 28 Jan 2010 Jon Bendtsen wrote:

> I have since then made an installation of the software on a virtual Windows
> XP and then run ClamAV using SystemRescueCd-x86-1.3.4 with freshclam
> being executed just before.
>
> clamscan -r -i --remove=no /mnt 2> /tmp/clam.err 1> clam.out
>
> It only found the same setup.exe file and Uninstall.exe file which setup.exe
> creates. ClamAV probably detected Uninstall.exe inside setup.exe

Excellent. You made a clean installation and you still trigger the virus scanner, so you can say with confidence it's a false positive.

> > "Make sure that different virus scanning engines give positive results
> > on any given file. ...
>
> ... I assumed that you were telling me that it was the same engine.

I didn't mean that. I meant that you need to check, yourself. I don't know anything about Antiy-AVL, and very little about McAfee, but I doubt that McAfee uses ClamAV code or signatures. Of course it's possible, that's why you need to check.

> > Look into the activities of the virus as reported by the anti-virus
> > software suppliers and see if you can match what you're
> > seeing with what they say."

I meant above that the activities of many species of trojans, viruses and other malware have been investigated and published. For example Trojan-abc123xyz may be known to write a file called topless.nude in the WINDOWS directory. If an anti-virus product from Acme Corp. says it's found Trojan-abc123xyz, and you find a file called topless.nude in the WINDOWS directory, then you can be more confident that you have a problem even if no other anti-virus product finds it.

> We scan our desktops using Norton. Upon releases we also use AVG & AVAST.
> Neither of them has found anything, and most of virustotal.com did not
> either.
>
> For some reason virustotal.com shows that 2 others also get a hit on
> Uninstall.exe as a trojan.
> Antiy-AVL 2.0.3.7 2010.01.27 Trojan/Win32.Shutdowner.gen
> McAfee-GW-Edition 6.8.5 2010.01.27 Heuristic.BehavesLike.Win32.Trojan.B

You'll probably want to submit the false positives to them too.

> > ... if you'd told us the name of the software packages that you're
> > worried about I could have suggested a few searches. :)
>
> At the moment we are not worried, we truly believe this is a false positive.

You're still not going to tell us the names? :)

> I have submitted the Uninstall.exe file as a false positive to
> http://clamav.net/sendvirus

That should be all you need to do for the moment.

> ... Asking the right question in the correct way apparently takes
> considerable thought about what to include and what not to include.

Yes, it does. Keep working on it.

> I hope I got it better this time.

The description of your tests on a virtual XP system was good enough to know what you really did, and that you probably do have a false positive. :)

--
73,
Ged.
