On 28/01/2010, at 12.55, G.W. Haywood wrote:

> Hello again,
> 
> On Thu, 28 Jan 2010 Jon Bendtsen wrote:
> 
>> I have since then made an installation of the software on a virtual Windows
>> XP and then run ClamAV using SystemRescueCd-x86-1.3.4 with freshclam
>> being executed just before.
>> 
>>      clamscan -r -i --remove=no /mnt 2> /tmp/clam.err 1> clam.out
>> 
>> It only found the same setup.exe file and Uninstall.exe file which setup.exe
>> creates. ClamAV probably detected Uninstall.exe inside setup.exe.
> 
> Excellent.  You made a clean installation and you still trigger the
> virus scanner, so you can say with confidence it's a false positive.
> 
>>> "Make sure that different virus scanning engines give positive results
>>> on any given file. ...
>> 
>> ... I assumed that you were telling me that it was the same engine.
> 
> I didn't mean that.  I meant that you need to check, yourself.  I
> don't know anything about Antiy-AVL, and very little about McAfee, but
> I doubt that McAfee uses ClamAV code or signatures.  Of course it's
> possible, that's why you need to check.

I will contact them later.


>>> Look into the activities of the virus as reported by the anti-
>>> virus software suppliers and see if you can match what you're
>>> seeing with what they say."
> 
> I meant above that the activities of many species of trojans, viruses
> and other malware have been investigated and published.  For example
> Trojan-abc123xyz may be known to write a file called topless.nude in
> the WINDOWS directory.  If an anti-virus product from Acme Corp. says
> it's found Trojan-abc123xyz, and you find a file called topless.nude
> in the WINDOWS directory, then you can be more confident that you have
> a problem even if no other anti-virus product finds it.

Well, I have been searching on ClamAV's homepage for
        Trojan.Agent-136369
But it does not find anything. I had hoped to read on ClamAV's homepage what
the trojan that ClamAV calls "Trojan.Agent-136369" does.


>> We scan our desktops using Norton. Upon releases we also use AVG & AVAST.
>> Neither of them has found anything, and most of virustotal.com did not 
>> either.
>> 
>> For some reason virustotal.com shows that 2 others also get a hit on 
>> Uninstall.exe as a trojan.
>> Antiy-AVL    2.0.3.7 2010.01.27      Trojan/Win32.Shutdowner.gen
>> McAfee-GW-Edition    6.8.5   2010.01.27      Heuristic.BehavesLike.Win32.Trojan.B
> 
> You'll probably want to submit the false positives to them too.

I will get to that eventually once I have learned from asking here.


>>> ... if you'd told us the name of the software packages that you're
>>> worried about I could have suggested a few searches. :)
>> 
>> At the moment we are not worried, we truly believe this is a false positive.
> 
> You're still not going to tell us the names? :)

No, because Google never forgets. No need to link the product name with
a trojan. 


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
