Mailing List Archive: ClamAV: users

false positives



lists01 at dds

Oct 22, 2003, 6:19 AM

Post #1 of 9 (921 views)
false positives

i've recently started using clamav to scan SAMBA directories, and to
scan incoming e-mail messages (in conjunction with amavis).

i've been seeing a lot of false positives on the file scans, most of
them Word macro virii:

WM.CAP
WordMacro.Concept
W97M/Story.A
Trojan.Stealth.D

my script sends the clamav report to our IT support department mailing
list, and i'm getting some negative feedback from techs about all the
false positives wasting time.

also, i'm very concerned that clamav may be rejecting e-mail documents
that contain attachments that are not infected.

this is pretty serious for us - is this a known issue? is there a fix
or a workaround? how about a list of known false positives, and a way
to bypass scanning for these?


thanks


tomek-clam-users at lodz

Oct 22, 2003, 7:42 AM

Post #2 of 9 (886 views)
Re: false positives

On Wed, 22 Oct 2003 at 3:52:04 -0400, lists wrote:
> i've recently started using clamav to scan SAMBA directories, and to
> scan incoming e-mail messages (in conjunction with amavis).
>
> i've been seeing a lot of false positives on the file scans, most of
> them Word macro virii:
>
> WM.CAP
> WordMacro.Concept
> W97M/Story.A
> Trojan.Stealth.D
>

When did you last see the false positive for Trojan.Stealth.D?
That false positive has already been reported; I replaced the
signature on 2003.10.16 and the reporter confirmed that the problem went
away.

> my script sends the clamav report to our IT support department mailing
> list, and i'm getting some negative feedback from techs about all the
> false positives wasting time.
>
> also, i'm very concerned that clamav may be rejecting e-mail documents
> that contain attachments that are not infected.
>
> this is pretty serious for us - is this a known issue? is there a fix
> or a workaround? how about a list of known false positives, and a way
> to bypass scanning for these?
>

An emergency, personal workaround is removing the culprit signature from
the viruses.db (viruses.db2) file. Of course the next automatic update of
the database will overwrite the file.

The correct fix is to submit such a falsely infected file via the normal way:
< http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi >, clearly stating
that you think it is not an infected file and which virus it gives a false
positive for. The more details, the better (e.g. which AV scanners do *not*
detect a virus in the file).

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.


da at softcom

Oct 22, 2003, 8:13 AM

Post #3 of 9 (884 views)
RE: false positives

Please submit any "false positive" samples to the DB team. You can
submit through http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi.

We do take these reports very seriously, but we need to discover them
before any action can be taken.

A workaround could be to delete from the DB files the signatures you don't
want ClamAV to detect.

Best regards,
Diego d'Ambra


> -----Original Message-----
> From: clamav-users-admin [at] lists [mailto:clamav-users-
> admin [at] lists] On Behalf Of lists
> Sent: 22. oktober 2003 09:52
> To: clamav-users [at] lists
> Subject: [Clamav-users] false positives
>
> i've recently started using clamav to scan SAMBA directories, and to
> scan incoming e-mail messages (in conjunction with amavis).
>
> i've been seeing a lot of false positives on the file scans, most of
> them Word macro virii:
>
> WM.CAP
> WordMacro.Concept
> W97M/Story.A
> Trojan.Stealth.D
>
> my script sends the clamav report to our IT support department mailing
> list, and i'm getting some negative feedback from techs about all the
> false positives wasting time.
>
> also, i'm very concerned that clamav may be rejecting e-mail documents
> that contain attachments that are not infected.
>
> this is pretty serious for us - is this a known issue? is there a fix
> or a workaround? how about a list of known false positives, and a way
> to bypass scanning for these?
>
>
> thanks


lists01 at dds

Oct 23, 2003, 1:20 AM

Post #4 of 9 (893 views)
Re: false positives

Tomasz Papszun wrote:
>> WM.CAP
>> WordMacro.Concept
>> W97M/Story.A
>> Trojan.Stealth.D
>
> When did you last see the false positive for Trojan.Stealth.D?
> That false positive has already been reported; I replaced the
> signature on 2003.10.16 and the reporter confirmed that the problem went
> away.

yes, i updated the db and this false positive is fixed.


> The correct fix is to submit such a falsely infected file via the normal way:
> < http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi >,

i have a bit of a problem - the WordMacro.Concept and W97M/Story.A false
positives appear in older Word97 files that contain business data. if i
remove the textual content of the file and resave (presumably preserving
macros), the file no longer gives a false positive.

any suggestions?


tk at lodz

Oct 24, 2003, 12:31 AM

Post #6 of 9 (885 views)
Re: false positives

On Thu, 23 Oct 2003 04:05:36 -0400
lists <lists01 [at] dds> wrote:

> > The correct fix is to submit such a falsely infected file via the normal
> > way: < http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi >,
>
> i have a bit of a problem - the WordMacro.Concept and W97M/Story.A
> false positives appear in older Word97 files that contain business
> data. if i remove the textual content of the file and resave
> (presumably preserving macros), the file no longer gives a false
> positive.
>
> any suggestions?

Most of our signatures for Office viruses are broken - this is because
we have no support for compressed VBA streams in OLE2 files and the
signatures only match compressed data. Support for VBA will be available
soon, though (but not in the next stable release).

Best regards,
Tomasz Kojm
--
oo ..... zolw [at] konarski
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ I nie zapomnij kliknac w brzuszek...
//\ /\\ <- C. Amboinensis www.pajacyk.pl
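To make Tomasz Kojm's point concrete: VBA module source inside an OLE2 Office file is stored in MS-OVBA compressed chunks, so a byte signature written against the plain macro text will never match the on-disk stream unless the scanner decompresses it first. The decompressor below is an added example, not ClamAV code; the `matches` helper and the SAMPLE bytes are constructed for illustration.

```python
import struct

def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (how VBA module source is
    stored inside an OLE2 Office file) into the plain source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = pos + (header & 0x0FFF) + 1      # size field = chunk size - 3
        chunk_start = len(out)
        if not header & 0x8000:                      # raw chunk: 4096 bytes stored as-is
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:                       # token sequences: flag byte + 8 tokens
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # flag 0: literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # how the 16 bits split into offset/length depends on position in chunk
                diff = len(out) - chunk_start
                bit_count = max(4, (diff - 1).bit_length())   # ceil(log2(diff))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > diff:
                    raise ValueError("copy token points before chunk start")
                for _ in range(length):              # byte-wise copy so overlaps work
                    out.append(out[-offset])
    return bytes(out)

def matches(container: bytes, signature: bytes) -> tuple:
    """(found in raw on-disk stream, found in decompressed source)."""
    return signature in container, signature in decompress_vba(container)

# Constructed sample: one compressed chunk encoding "abcabcabcabcX"
# (literals a,b,c; copy token offset 3 length 9; literal X).
SAMPLE = bytes.fromhex("01 06b0 08 61 62 63 0620 58")
```

Running `matches(SAMPLE, b"abcabcabc")` returns `(False, True)`: the same pattern is absent from the compressed stream and present only after decompression, which is exactly why signatures written for one form fail on the other.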


gagel at cnc

Apr 7, 2004, 1:18 PM

Post #7 of 9 (881 views)
Re: False positives

----- Original Message Follows -----
From: Damian Menscher <menscher [at] uiuc>
To: clamav-users [at] lists
Subject: Re: [Clamav-users] False positives
Date: Wed, 7 Apr 2004 14:53:47 -0500 (CDT)
>
> On Wed, 7 Apr 2004, Kevin W. Gagel wrote:
>
> > How/Where do I report false positives?
>
> Same place you submit uncaught viruses:
>
> http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi
>
> Be sure to check the "false positive" box.

I tried this and got this error message:
File is valid, and was successfully uploaded. You uploaded more than 500 kbytes.
This looks wrong. Exiting.

What now?

====================
Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448

--------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--------------------------------------------------------------


nervous at nervous

Apr 7, 2004, 3:15 PM

Post #8 of 9 (886 views)
Re: False positives

> > > How/Where do I report false positives?

it's a faq :)

> > Same place you submit uncaught viruses:
> I tried this and got this error message:
> File is valid, and was successfully uploaded. You uploaded more than 500 kbytes.
> This looks wrong. Exiting.

Send it to virus _at_ clamav.net (encrypted with a pass if you like) and I'll
try to find the problem.


Thanks

--
Luca 'NERvOus' Gibelli (nervous [at] nervous || bofh [at] oltrelinux)
Home Page: http://www.nervous.it

BOFH excuse 2815:
* Daemons loose in system.


kalpin at gmail

Nov 1, 2009, 7:38 PM

Post #9 of 9 (879 views)
Re: false positives

2009/9/23 Frédéric SOSSON <fsosson [at] gmail>

> Hello,
>
> I would like to test my virus protection behavior by using false
> positives in clamav-0.95.2.tar.gz/test/.split
>
> McAfee found viruses but ClamAV did not (by using clamscan)
>
> what could be wrong ?
>
>
> regards,
>
> Fred
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

What's the name of the virus found by McAfee? Also, try to submit that file
to the developers; maybe they missed it.

--
Regards,


Kalpin Erlangga Silaen
"Come now, and let us reason together," Says the LORD, "Though your sins are
like scarlet, They shall be as white as snow; Though they are red like
crimson, They shall be as wool.
---
URL: http://www.kalpin.us
YM: kalpinus [at] yahoo
MSN: kalpinus [at] hotmail
