That's strange. I am unable to locate "Trojan.Rootkit-3041" in the current clamav db or on VirusTotal. When I Google that name, the only thing I find is your message. Do you have the VirusTotal ID?

-Al-
-- 
Al Varnell
Mountain View, CA

On 9/4/11 6:57 PM, "Jason Haar" <[email protected]> wrote:

> Hi there
>
> We picked up an infected machine, and ran ClamAV over it. ClamAV picked
> up iastor.sys as Trojan.Rootkit-3041
>
> However according to virustotal.com, only ClamAV claims this is infected
> - so I'm wary of it.
>
> However... the machine it was got from WAS infected with other viruses,
> and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
> "iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
> were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)
>
> So, that smells really suspicious to me - but I'm surprised no other AV
> picks it. It isn't impossible ClamAV is ahead of everyone else on this
> particular virus, so I thought I'd check here
>
> Update: a week has passed since I saved this email to my Drafts - as I
> initially decided to report it as a FP via the clamav.net website
> instead. Anyway, a week has passed and clamav just declared a different
> box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
> Again, nothing else picks it as a virus on virustotal.com, AND clamav
> says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
> "Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
> which I find very hard to believe a virus would bother looking for.
>
> Has anyone else been seeing FPs with iastor.sys?
