Micah, Thanks for the explanation. As I thought about this, I realized that if I go to the trouble of a VirusTotal scan, I ought to switch to the big picture and take all the engines there into account. On truly dubious items I probably will just take the local ClamAV's report on face value and nuke the offender, unless I'm curious enough to consult VT.
BW, Paul

On 1/14/18, Micah Snyder (micasnyd) <[email protected]> wrote:
> Your results locally could differ from VirusTotal a little even if you just
> had VirusTotal re-scan the file. I believe they are running ClamAV v0.99.2
> and there is some slight variation between that and the latest
> 0.99.3-beta2 but there isn't much and it should be for the better. Of
> course, I'm not sure which version(s) of the clamav engine you're running on
> your machines. It's hard to say without looking closely at your
> installations for clamav, clamtk. It is a little concerning to me that you
> saw two different results - but yeah as Al suggested, please go ahead and
> submit those as false positives.
>
> Micah Snyder
> Software Engineer
> Talos
> Cisco Systems, Inc.
>
>> On Jan 13, 2018, at 8:25 AM, Paul B. <[email protected]> wrote:
>>
>> I began doing so with the first hit, then at the bottom of the page I
>> saw the notice to first update the sigs with freshclam. Freshclam runs
>> on an hourly schedule here, so I saw little need to do so, but for
>> completeness I did, and it showed no updating, and said the sigs were
>> up to date. The machine had been off all night.
>>
>> So I retested each file individually using ClamTK. Now each one
>> passed. So I'm getting different results even from local ClamAV alone.
>> Perhaps when I tested I had a slightly different sig database here?
>> Seems a very slim possibility.
>>
>> So I guess I'll hold off on reporting. What would be helpful to know
>> is whether to prefer ClamAV results at VirusTotal or locally when
>> there is a disparity between the two. Or in general, maybe I should
>> wait till the next day and retest to see if positive hits are
>> confirmed?
>>
>> Thanks,
>> Paul
>>
>>> On Sat, Jan 13, 2018 at 1:54 AM, Al Varnell <[email protected]> wrote:
>>> On Fri, Jan 12, 2018 at 08:31 PM, Paul B. wrote:
>>>> I just ran a scan on my root drive, and had 3 hits. I ran each of them
>>>> by VirusTotal, and each VT had ClamAV reporting them as Clean. The
>>>> output here was:
>>>>
>>>> /home/paul/.config/vivaldi/Default/Extensions/kbmfpngjjgdllneeigpgjifpgocmfgmb/5.10.1_0/foreground.entry.js.map: Html.Exploit.CVE_2017_8738-6336184-2 FOUND
>>>>
>>>> /home/paul/.wine/drive_c/users/Public/Application Data/The Word/Cache/twrestart.exe: PUA.Win.Packer.BorlandDelphiKo-3 FOUND
>>>>
>>>> /home/paul/.wine/drive_c/Program Files (x86)/The Word/Uninst.exe: PUA.Win.Trojan.Casino-141 FOUND
>>>
>>> Since you believe these to be False Positives, you should upload them to
>>> <http://www.clamav.net/reports/fp> then return here with a hash value for
>>> each file.
>>>
>>>> The first one is the reddit extension suite, RES, an extension to the
>>>> vivaldi browser. The second and third pertain to a Windows Bible
>>>> program I use on WINE on Linux. I would be very surprised if there is
>>>> anything actually wrong with #2 or #3, and I doubt anything's wrong
>>>> with #1. #2 did pull four hits on VirusTotal, out of 66 engines. But
>>>> ClamAV at VT passed all three files.
>>>>
>>>> I could simply write an exclusion for these files, but I wonder why
>>>> this disparity exists.
>>>>
>>>> Thanks,
>>>> Paul
>>>
>>> -Al-
>>> --
>>> Al Varnell
>>> ClamXAV user
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> [email protected]
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
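Al's note asks for a hash value for each file when a detection is submitted as a false positive, and Micah's points out that the engine and signature versions behind a VirusTotal result and a local install can differ. The following is an added example, not code from this thread or from the ClamAV project, that turns clamscan output into that kind of record: it parses the `<path>: <Signature> FOUND` lines, hashes each flagged file (SHA-256 is this example's choice; the thread does not name a hash), and captures the local `clamscan --version` string so the report states which engine and database produced the hit. `demo()` runs the whole thing over constructed input (a temporary file plus one path that deliberately does not exist) so it works offline; the signature names it reuses are the ones quoted above, and the path layout is made up.

```python
import hashlib
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional

# clamscan reports a detection as "<path>: <SignatureName> FOUND".
# Paths may contain spaces (".../Application Data/The Word/..."), signature
# names never do, so the greedy path group backtracks to the last ": ".
HIT_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_hits(clamscan_output: str) -> List[Dict[str, str]]:
    """One {"path", "signature"} record per FOUND line; "OK" and summary lines are ignored."""
    hits = []
    for line in clamscan_output.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m:
            hits.append({"path": m.group("path"), "signature": m.group("sig")})
    return hits


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of the file read in 64 KiB chunks; None if it cannot be opened or read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def local_clamav_version() -> str:
    """Raw output of `clamscan --version` (engine/database/date), or 'unavailable'
    when clamscan is not installed or does not answer."""
    try:
        proc = subprocess.run(["clamscan", "--version"], capture_output=True,
                              text=True, timeout=30)
        return proc.stdout.strip() or "unavailable"
    except (OSError, subprocess.SubprocessError):
        return "unavailable"


def build_fp_report(clamscan_output: str, version: Optional[str] = None) -> Dict[str, object]:
    """Combine every hit with its hash and the local version into one record
    worth keeping alongside a false-positive submission."""
    entries = []
    for hit in parse_hits(clamscan_output):
        digest = sha256_of(hit["path"])
        entries.append({
            "path": hit["path"],
            "signature": hit["signature"],
            # A flagged file that has since been deleted or quarantined cannot be hashed.
            "sha256": digest if digest else "FILE NOT READABLE",
        })
    return {
        "clamav_version": version if version is not None else local_clamav_version(),
        "hits": entries,
    }


def demo() -> Dict[str, object]:
    """Run the report over constructed clamscan output: one real temp file, one missing path."""
    tmpdir = tempfile.mkdtemp()
    # Constructed sample file whose content is b"abc" (a well-known SHA-256 test vector).
    sample = os.path.join(tmpdir, "The Word", "twrestart.exe")
    os.makedirs(os.path.dirname(sample))
    with open(sample, "wb") as f:
        f.write(b"abc")
    missing = os.path.join(tmpdir, "Uninst.exe")  # constructed: never created on disk
    # Constructed clamscan output; the signature names are the ones quoted in the thread.
    output = (
        f"{sample}: PUA.Win.Packer.BorlandDelphiKo-3 FOUND\n"
        f"{missing}: PUA.Win.Trojan.Casino-141 FOUND\n"
        "\n----------- SCAN SUMMARY -----------\n"
        "Infected files: 2\n"
    )
    # Version pinned to a constructed string so the demo does not depend on clamscan being installed.
    return build_fp_report(output, version="constructed-for-demo")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real host, pipe `clamscan -r <dir>` into `build_fp_report` (or read a saved scan log) and leave `version` unset so the actual engine and database versions are recorded; keeping that string next to the hashes is what lets you tell a signature-database difference apart from a genuinely different file when local and VirusTotal results disagree.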
