I did this scan:
(directories hidden for privacy)
clamscan.exe command line: "...\clamwin\bin\clamscan.exe" --tempdir
"...\appdata\local\temp\clamwinportabletemp" --keep-mbox --stdout
--database="...\ClamWinPortable\Data\db"
--log="...\appdata\local\temp\clamwinportabletemp\tmpqo1xft" --no-phishing-sigs
--no-phishing-scan-urls --debug --verbose --log=FILEclam --infected
--max-files=100000018 --max-scansize=4096M --max-recursion=999
--max-filesize=4096M --show-progress --move="...\ClamWinPortable\Data\quarantine"
--recursive --kill "C:\Program Files (x86)\Epic Games"
https://mastodont.cat/@alejandroindependiente
-------- Forwarded message -------
From: "Micah Snyder (micasnyd)" <[email protected]>
To: "ClamAV users ML" <[email protected]>
CC: "Alejandro Hernández" <[email protected]>
Sent: November 17, 2020 22:44
Subject: RE: [clamav-users] Fwd: Re: Fwd: Win.Trojan.Virut-375 FOUND in libcef.dll
Because libcef.dll is a larger file, it won’t alert with the default
max-scansize and max-filesize settings. I am seeing the alert as well with the
settings increased.
❯ ~/.clamav/bin/clamscan
/mnt/c/Users/micah/Downloads/f2ed1af539f3c783ffe0661d773a8e307ca1601536459b9db24469ebd60a80fe
--max-scansize=1000M --max-filesize=1000M
/mnt/c/Users/micah/Downloads/f2ed1af539f3c783ffe0661d773a8e307ca1601536459b9db24469ebd60a80fe:
Win.Trojan.Virut-375 FOUND
Thanks for submitting the FP report. We’ll make sure the signature is
dropped or fixed.
-Micah
From: clamav-users <[email protected]> On Behalf Of Alejandro Hernández via clamav-users
Sent: Tuesday, November 17, 2020 1:06 PM
To: [email protected]
Cc: Alejandro Hernández <[email protected]>
Subject: [clamav-users] Fwd: Re: Fwd: Win.Trojan.Virut-375 FOUND in libcef.dll
Here I've just uploaded the file again to VirusTotal:
https://www.virustotal.com/gui/file/f2ed1af539f3c783ffe0661d773a8e307ca1601536459b9db24469ebd60a80fe/detection
And uploaded it to the ClamAV false positive URL again too:
https://www.clamav.net/reports/fp
The file belongs to the 'Epic Store Games' installation, on Windows 10.
This is the directory: C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\Overlay\Win32\libcef.dll
I notified the Epic devs, but everybody says it is a false positive..... is it?
By the way, VirusTotal doesn't recognize the file as a virus.
But using 'ClamWin', the virus is found.
ClamWin: 0.99.4
ClamAV: 0.99.4
VirusDBversion: main:59, daily: 25991
https://mastodont.cat/@alejandroindependiente
-------- Forwarded message -------
From: "G.W. Haywood via clamav-users" <[email protected]>
To: "Alejandro Hernández via clamav-users" <[email protected]>
CC: "G.W. Haywood" <[email protected]>
Sent: November 17, 2020 11:29
Subject: Re: [clamav-users] Fwd: Win.Trojan.Virut-375 FOUND in libcef.dll
Hi there,

On Mon, Nov 16, 2020 at 1:16 PM Alejandro Hernández via clamav-users wrote:

> everybody says it is a false positive. Could you check it and tell
> me? (I've sent it to you before but no feedback)

I've seen nothing from you on the ClamAV Users' mailing list. Exactly
when did you first send it, and to exactly what address? Perhaps you
can send a short test reply to this message with no attachments to see
if it gets through.
The file name which you mention does seem to have been associated with
a few false positive reports in the past but Mr. Graham has given good
advice that you should check it on one of the public sites which allow
you to scan a file using many different scanners, such as VirusTotal.
Be aware that even if you scan a file with thirty different scanners
it may still not be safe, because some threats will be so new that the
people who maintain the scanners will not yet have had time to update
them to recognize the threats. If you think there's a risk that this
might be the case then it might be worth waiting a week or two, then
submitting the file to the scanning service again. However most of
the files which cause false positives will be at least weeks or months
old, and often they will be several years old. If you can _reliably_
verify the age of the file, that will help you decide whether you need
to wait some time and then do another scan. You cannot necessarily
rely on the file's timestamp in the directory which contains it; any
half-way competent malware author is capable of forging that. But if
you have the file e.g. on a CD somewhere and you can check that it's a
bit-for-bit copy of the one you're using on disc, that's a fair bet.
If you do send a test reply please send it to the list, not directly
to my clamav list address, as all mail sent directly to this address
will be rejected.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
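Added here as a worked example (not code from the thread, ClamWin or the ClamAV project): a small Python triage helper that applies the two checks the thread turns on. Micah's point is that a file larger than clamscan's default --max-filesize/--max-scansize is skipped without any alert, so a "clean" result proves nothing until the limits are raised; Ged's advice is to verify a bit-for-bit copy by hash rather than trust a directory timestamp. The default limit values are taken from the clamscan man page (25M / 100M; check your own version), the libcef.dll SHA-256 is the one quoted in the thread, and the file paths are constructed.

```python
"""Triage helper for a suspected ClamAV false positive (example code, not
from the thread or from ClamAV). Decides whether a file would be skipped by
clamscan's default limits, verifies it against a known-good SHA-256, and
builds a clamscan command whose limits actually cover the file."""
import hashlib
import shlex

# clamscan defaults per its man page: --max-filesize 25M, --max-scansize 100M.
# Adjust for your installed version if they differ.
DEFAULT_MAX_FILESIZE = 25 * 1024 * 1024
DEFAULT_MAX_SCANSIZE = 100 * 1024 * 1024

# SHA-256 of the libcef.dll sample discussed in the thread (from the VirusTotal URL).
LIBCEF_SHA256 = "f2ed1af539f3c783ffe0661d773a8e307ca1601536459b9db24469ebd60a80fe"


def exceeds_default_limits(size_bytes):
    """True when a file of this size is skipped (silently, no alert) under
    clamscan's default --max-filesize / --max-scansize settings."""
    return size_bytes > DEFAULT_MAX_FILESIZE or size_bytes > DEFAULT_MAX_SCANSIZE


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large DLLs do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_known_good(path, expected_hex):
    """Ged's 'bit-for-bit copy' check: compare the on-disk file against the
    hash of a trusted copy (installer media, vendor-published hash) instead
    of trusting the filesystem timestamp, which malware can forge."""
    return sha256_of(path).lower() == expected_hex.lower()


def clamscan_command(path, size_bytes, clamscan="clamscan"):
    """Build a clamscan invocation whose limits cover the file. Limits are
    only added when the defaults would skip it, rounded up to whole MiB."""
    cmd = [clamscan, "--infected", "--stdout"]
    if exceeds_default_limits(size_bytes):
        mib = -(-size_bytes // (1024 * 1024))  # ceiling division
        cmd += [f"--max-filesize={mib}M", f"--max-scansize={mib}M"]
    cmd.append(path)
    return cmd


def clamscan_command_line(path, size_bytes, clamscan="clamscan"):
    """Shell-quoted form of clamscan_command(), for pasting into a terminal."""
    return shlex.join(clamscan_command(path, size_bytes, clamscan))
```

If the scan with raised limits still alerts while the hash matches a trusted copy, the result is worth reporting through the ClamAV false positive form named in the thread.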