Your results locally could differ from VirusTotal a little even if you just had VirusTotal re-scan the file. I believe they are running ClamAV v0.99.2 and there is some slight variation between that and the latest 0.99.3-beta2, but there isn't much and it should be for the better. Of course, I'm not sure which version(s) of the clamav engine you're running on your machines. It's hard to say without looking closely at your installations for clamav, clamtk. It is a little concerning to me that you saw two different results - but yeah, as Al suggested, please go ahead and submit those as false positives.

Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.

On Jan 13, 2018, at 8:25 AM, Paul B. <[email protected]> wrote:

> I began doing so with the first hit, then at the bottom of the page I saw the notice to first update the sigs with freshclam. Freshclam runs on an hourly schedule here, so I saw little need to do so, but for completeness I did, and it showed no updating, and said the sigs were up to date. The machine had been off all night.
>
> So I retested each file individually using ClamTK. Now each one passed. So I'm getting different results even from local ClamAV alone. Perhaps when I tested I had a slightly different sig database here? Seems a very slim possibility.
>
> So I guess I'll hold off on reporting. What would be helpful to know is whether to prefer ClamAV results at VirusTotal or locally when there is a disparity between the two. Or in general, maybe I should wait till the next day and retest to see if positive hits are confirmed?
>
> Thanks,
> Paul
>
> On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell <[email protected]> wrote:
>
>> On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
>>
>>> I just ran a scan on my root drive, and had 3 hits. I ran each of them by VirusTotal, and each VT had ClamAV reporting them as Clean. The output here was:
>>>
>>> /home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map: Html.Exploit.CVE_2017_8738-6336184-2 FOUND
>>> /home/paul/.wine/drive_c/users/Public/Application Data/The Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
>>> /home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND
>>
>> Since you believe these to be False Positives, you should upload them to <http://www.clamav.net/reports/fp> then return here with a hash value for each file.
>>
>>> The first one is the reddit extension suite, RES, an extension to the vivaldi browser. The second and third pertain to a Windows Bible program I use on WINE on Linux. I would be very surprised if there is anything actually wrong with #2 or #3, and I doubt anything's wrong with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But ClamAV at VT passed all three files.
>>>
>>> I could simply write an exclusion for these files, but I wonder why this disparity exists.
>>>
>>> Thanks,
>>> Paul
>>
>> -Al-
>>
>> --
>> Al Varnell
>> ClamXAV user

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
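A small helper for the triage step Al and Micah describe: record the local engine and signature-database version so a VirusTotal comparison is made against a known database revision, then collect the SHA-256 of each flagged file for the false-positive report. This is an added example, not code from the thread or from the ClamAV project. It assumes clamscan and sha256sum (or shasum) are on PATH for real use; the parsing part needs neither, and the lines fed to it in demo mode are constructed from the paths quoted in the thread.

```shell
#!/bin/sh
# Added example: triage ClamAV hits before filing a false-positive report.
# Not from the thread or the ClamAV project. Assumes clamscan and sha256sum
# (or shasum) are on PATH for real use; the parsing below needs neither.

# Print engine and signature-database versions (clamscan --version prints
# "ClamAV <engine>/<daily version>/<date>"), so a VirusTotal result can be
# compared against the same database revision rather than a newer or older one.
clam_versions() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --version
    else
        echo "clamscan not found on PATH" >&2
        return 1
    fi
}

# Convert clamscan output lines of the form "<path>: <signature> FOUND" into
# "<signature><TAB><path>". Paths may contain spaces and parentheses (see the
# WINE paths in the thread), so the signature is taken from the LAST ": " that
# is followed by a single space-free token before " FOUND". Non-FOUND lines
# (e.g. "<path>: OK") are dropped.
parse_hits() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^ ]*$/)
        if (i) printf "%s\t%s\n", substr($0, i + 2), substr($0, 1, i - 1)
    }'
}

# SHA-256 of one file, with a fallback for systems that ship shasum instead.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# For each hit emit "<signature><TAB><sha256><TAB><path>"; the hash is what the
# FP form asks for. A file that has vanished since the scan is marked MISSING
# instead of being silently dropped.
hash_hits() {
    tab=$(printf '\t')
    parse_hits | while IFS="$tab" read -r sig path; do
        if [ -f "$path" ]; then
            sum=$(file_sha256 "$path")
        else
            sum=MISSING
        fi
        printf '%s\t%s\t%s\n' "$sig" "$sum" "$path"
    done
}

# Usage:  clam_versions; clamscan -ri "$HOME" | hash_hits > hits.tsv
# Demo with constructed lines taken from the thread:  sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
      '/home/paul/.wine/drive_c/users/Public/Application Data/The Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND' \
      '/home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND' \
      '/home/paul/clean.txt: OK' | hash_hits
fi
```

Run `clam_versions` before the scan and paste its output next to the hash list: when the local daily.cvd revision differs from the one VirusTotal used, a disagreement between the two is expected rather than suspicious, and the hashes are what the FP form needs in either case.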
