Your clamd likely has the scan limits higher than defaults, so you can scan larger files. In my own testing with the exe file from https://releases.mozilla.org/pub/firefox/releases/115.34.0esr/win64/en-US/ on my laptop, I had to increase several limits including max-recursion, max-scantime, and max-scansize from the default settings in order to get the detection.

VirusTotal uses the latest clamav, which means it will be using 1.5.2. However, it uses slightly lower scan limits than default, due to resource constraints. So, it is not going to alert on this file.

I'll forward the FP concern to our malware team so they're aware.

Regarding supported versions:

* We load-test new signatures on multiple releases including at least the latest patch version of the latest release as well as the latest patch version of supported LTS releases. At this time, that is the 1.5.2 version of 1.5 release and the 1.4.4 version of the 1.4 LTS release at a minimum.
* We only FP-test with a single version. It takes more resources to do FP-testing. We cannot afford to FP-test with multiple releases. It is highly unlikely for an old version to have more detections than a new version, since new features appear in new versions, and FPs are generally the result of bad signatures, not bad file analyzer modules. So, we typically FP-test with the latest version, though we don't necessarily bump the version in our FP-test system right away.

I have been wanting to add the ability for freshclam to check if the current release and version are supported. It is going to require adding new DNS text records and then more frequent updates to the DNS records. Sadly, this work keeps getting pushed out. But I 100% agree that we really should give these notifications in freshclam.

Respectfully,
Val

Valerie Snyder (she/they)
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <[email protected]> on behalf of Paul Kosinski via clamav-users <[email protected]>
Sent: Thursday, March 26, 2026 7:09 PM
To: [email protected] <[email protected]>; Andrew C Aitchison via clamav-users <[email protected]>
Cc: Paul Kosinski <[email protected]>
Subject: Re: [clamav-users] Why are recent Firefox (for Windows) downloads ALL being found to contain ransomware?

I only have 1.0.9 installed, so I don't currently have a way to test it with either 1.5.x or 1.4.x.

So I submitted the "Firefox Setup 115.34.0esr.exe" file to VirusTotal, and none of their scanners found a virus. I then asked VirusTotal (now owned by Google) what version of ClamAV they run, but they haven't replied as of a few minutes ago.

I realize that ClamAV 1.0.9 is "EOL", but one can still obtain "official" signature files for another year beyond that. Disturbingly, the Version Support Matrix says that, for 1.0 LTS, signatures are NOT tested for false positives (FP) after 1.1 was released. In this case that's about 2.5 years BEFORE 1.0.9 EOL.

So WHAT EXACTLY DOES LTS MEAN?? For 1.0 LTS, it seems that no 1.0.x can be FULLY trusted after 1.1 was released. This is not what I would characterize as LTS.

Furthermore, since the DB files can still be downloaded one year after nominal EOL (much less End Of Trust), why doesn't freshclam at least issue a warning among its large number of messages that EOL is past?

Finally, I intend to (try to) install 1.4 LTS in the near future. But will this help? According to the Version Support Matrix, FP testing will not be done for 1.4 LTS after 1.5 is released. Oops: that was last October (2025)!

---------------------

On Thu, 26 Mar 2026 18:17:38 +0000 (GMT) Andrew C Aitchison via clamav-users <[email protected]> wrote:

> On Thu, 26 Mar 2026, Paul Kosinski via clamav-users wrote:
>
> > For example:
> >
> > Firefox Setup 140.9.0esr.exe --> Win.Trojan.Spora-7724442-0 FOUND
> > Firefox Setup 115.34.0esr.exe --> Win.Trojan.Spora-7724442-0 FOUND
> > Firefox Setup 115.34.0esr.msi --> Win.Trojan.Spora-7724442-0 FOUND
> >
> >
> > These are from ClamAV 1.0.9 clamd on Linux receiving file to be scanned
> > over TCP.
>
> https://docs.clamav.net/faq/faq-eol.html#version-support-matrix
> suggests that 1.0.9 went end-of-life Nov-28 2025
> Version 1.3 is also EOL.
>
> Can you verify the problem with version 1.4.3 or 1.5.1 ?
> _______________________________________________
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
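
Added example, not part of the thread and not ClamAV project code: the first reply attributes the differing verdicts to scan limits, so this sketch compares the limit options explicitly set in two clamd.conf files and reports where one scanner is stricter. The two sample configurations are constructed for illustration; unset options fall back to each build's defaults, which the sketch deliberately does not assume.

```python
import re

# clamd.conf scan-limit options relevant to the thread.
LIMIT_OPTIONS = ("MaxScanSize", "MaxFileSize", "MaxRecursion", "MaxScanTime", "MaxFiles")
SUFFIX = {"K": 1024, "M": 1024 ** 2}  # size suffixes accepted in clamd.conf

# Constructed sample: a local clamd with raised limits.
LOCAL_CONF = """
MaxScanSize 1000M
MaxRecursion 30
MaxScanTime 300000   # milliseconds
"""

# Constructed sample: a resource-constrained scanning service.
REMOTE_CONF = """
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 10
MaxScanTime 60000
"""


def parse_limits(conf_text):
    """Return {option: int} for the scan limits explicitly set in clamd.conf text."""
    limits = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.fullmatch(r"(\w+)\s+(\d+)([KkMm]?)", line)
        if m and m.group(1) in LIMIT_OPTIONS:
            limits[m.group(1)] = int(m.group(2)) * SUFFIX.get(m.group(3).upper(), 1)
    return limits


def compare_limits(scanner_a, scanner_b):
    """Say, per option, whether scanner_a is tighter, looser or the same as scanner_b.

    A value of 0 disables a limit, so it is treated as the loosest setting.
    An option unset on either side is 'unknown' (build default applies).
    """
    report = {}
    for opt in LIMIT_OPTIONS:
        a, b = scanner_a.get(opt), scanner_b.get(opt)
        if a is None or b is None:
            report[opt] = "unknown"
        elif a == b:
            report[opt] = "same"
        elif a != 0 and (b == 0 or a < b):
            report[opt] = "tighter"
        else:
            report[opt] = "looser"
    return report


if __name__ == "__main__":
    for opt, verdict in compare_limits(parse_limits(REMOTE_CONF), parse_limits(LOCAL_CONF)).items():
        print(f"{opt:13} remote is {verdict}")
```

An option reported as "tighter" on one scanner is a candidate reason for that scanner stopping before it reaches the content a signature matches on.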
