I began doing so with the first hit, then at the bottom of the page I saw the notice to first update the sigs with freshclam. Freshclam runs on an hourly schedule here, so I saw little need to do so, but for completeness I did, and it showed no updating, and said the sigs were up to date. The machine had been off all night.
So I retested each file individually using ClamTK. Now each one passed. So I'm getting different results even from local ClamAV alone. Perhaps when I tested I had a slightly different sig database here? Seems a very slim possibility. So I guess I'll hold off on reporting.

What would be helpful to know is whether to prefer ClamAV results at VirusTotal or locally when there is a disparity between the two. Or in general, maybe I should wait till the next day and retest to see if positive hits are confirmed?

Thanks,
Paul

On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell <[email protected]> wrote:
> On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
>> I just ran a scan on my root drive, and had 3 hits. I ran each of them
>> by VirusTotal, and each VT had ClamAV reporting them as Clean. The
>> output here was:
>>
>> /home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map:
>> Html.Exploit.CVE_2017_8738-6336184-2 FOUND
>>
>> /home/paul/.wine/drive_c/users/Public/Application Data/The
>> Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
>>
>> /home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe:
>> PUA.Win.Trojan.Casino-141 FOUND
>
> Since you believe these to be False Positives, you should upload them to
> <http://www.clamav.net/reports/fp> then
> return here with a hash value for each file.
>
>> The first one is the reddit extension suite, RES, an extension to the
>> vivaldi browser. The second and third pertain to a Windows Bible
>> program I use on WINE on Linux. I would be very surprised if there is
>> anything actually wrong with #2 or #3, and I doubt anything's wrong
>> with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But
>> ClamAV at VT passed all three files.
>>
>> I could simply write an exclusion for these files, but I wonder why
>> this disparity exists.
>>
>> Thanks,
>> Paul
>
> -Al-
> --
> Al Varnell
> ClamXAV user
>
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
