That's strange I am unable to locate "Trojan.Rootkit-3041" in the current
clamav db or on VirusTotal.  When I Google that name the only thing I find
is your message.  Do you have the VirusTotal ID?


-Al-
 
-- 
Al Varnell
Mountain View, CA

On 9/4/11 6:57 PM, "Jason Haar" <[email protected]> wrote:

> Hi there
> 
> We picked up an infected machine, and ran ClamAV over it. ClamAV picked
> up iastor.sys  as Trojan.Rootkit-3041
> 
> However according to virustotal.com, only ClamAV claims this is infected
> - so I'm wary of it.
> 
> However... the machine it was got from WAS infected with other viruses,
> and windows\system32 contains THREE copies of iastor.sys: "iastor.sys",
> "iaStor.sys" and "IaStor.sys" - which have two different sizes (but both
> were detected as Trojan.Rootkit-3041 by ClamAV and nothing else)
> 
> So, that smells really suspicious to me - but I'm surprised no other AV
> picks it. It isn't impossible ClamAV is ahead of everyone else on this
> particular virus, so I thought I'd check here
> 
> Update: a week has past since I saved this email to my Drafts - as I
> initially decided to report it as a FP via the clamav.net website
> instead. Anyway, a week has past and clamav just declared a different
> box as being infected - this time iastor.sys is Trojan.Rootkit-3054.
> Again, nothing else picks it as a virus on virustotal.com, AND clamav
> says copies of this file under "WINDOWS/dell/iastor/iastor.sys" and
> "Drivers/DELL/SATA_RAID/driver_only/iastor.sys" are also infected -
> which I find very hard to believe a virus would bother looking for.
> 
> Has anyone else been seeing FPs with iastor.sys?


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Reply via email to